02-06-2012, 12:37 PM
Kerberos
Kerberos.ppt (Size: 226 KB / Downloads: 176)
trusted key server system from MIT
provides centralised private-key third-party authentication in a distributed network
allows users access to services distributed through network
without needing to trust all workstations
rather all trust a central authentication server
two versions in use: 4 & 5
Kerberos Requirements
first published report identified its requirements as:
security: an eavesdropper shouldn’t be able to get enough information to impersonate the user
reliability: services using Kerberos would be unusable if Kerberos isn’t available
transparency: users should be unaware of its presence
scalability: should support a large number of users
implemented using a third-party authentication scheme using a protocol proposed by Needham-Schroeder (NEED78)
Kerberos 4 Overview
a basic third-party authentication scheme
uses DES buried in an elaborate protocol
Authentication Server (AS)
user initially negotiates with AS to identify self
AS provides a non-corruptible authentication credential (ticket-granting ticket, TGT)
Ticket Granting server (TGS)
users subsequently request access to other services from TGS on the basis of the user’s TGT
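The AS and TGS exchanges sketched above, as an added Python model that is not from the slides or from any Kerberos implementation: a toy authenticated-encryption helper stands in for the DES the slides mention, the realm keys, principal names, address and lifetimes are constructed, and both the TGS and the application server check ticket integrity, lifetime and the client's authenticator before trusting anything the client claims.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption standing in for the DES that Kerberos 4 buries in its
# protocol: SHA-256 keystream plus an HMAC tag. Illustration only, not a real cipher.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, fields: dict) -> bytes:
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        raise ValueError("ticket or authenticator was altered")  # the "non-corruptible" check
    body = ct[16:]
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, ct[:16], len(body)))))

# Constructed realm: each principal shares a long-term key with the Kerberos server.
KEYS = {"alice": b"key-derived-from-alice-password", "tgs": os.urandom(32),
        "fileserver": os.urandom(32)}
LIFETIME, SKEW = 28800, 300  # ticket lifetime and tolerated clock skew, in seconds

def issue(target: str, client_key: bytes, client: str, addr: str, now: float) -> bytes:
    """AS (target='tgs') or TGS (target=a service): ticket + session key, sealed for the client."""
    session = os.urandom(32).hex()
    ticket = seal(KEYS[target], {"key": session, "client": client, "addr": addr,
                                 "ts": now, "life": LIFETIME})
    return seal(client_key, {"key": session, "target": target, "ticket": ticket.hex()})

def authenticator(session: str, client: str, addr: str, now: float) -> bytes:
    return seal(bytes.fromhex(session), {"client": client, "addr": addr, "ts": now})

def verify(server: str, ticket_hex: str, auth: bytes, now: float) -> tuple:
    """TGS or service: check ticket integrity and lifetime, then authenticator key, identity, freshness."""
    t = unseal(KEYS[server], bytes.fromhex(ticket_hex))
    if now > t["ts"] + t["life"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), auth)  # only the ticket holder knows this session key
    if (a["client"], a["addr"]) != (t["client"], t["addr"]) or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return t["client"], t["key"]

def login(client: str, addr: str, service: str, now: float) -> str:
    """Whole Kerberos 4 flow: AS exchange, TGS exchange, then the service verifies the client."""
    env = unseal(KEYS[client], issue("tgs", KEYS[client], client, addr, now))
    who, k_c_tgs = verify("tgs", env["ticket"], authenticator(env["key"], client, addr, now), now)
    env2 = unseal(bytes.fromhex(env["key"]), issue(service, bytes.fromhex(k_c_tgs), who, addr, now))
    return verify(service, env2["ticket"], authenticator(env2["key"], client, addr, now), now)[0]
```

Note that the TGS names the client in the service ticket from the decrypted TGT, never from the request, which is why a forged or edited TGT fails at the tag check rather than granting access.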
Kerberos Realms
a Kerberos environment consists of:
a Kerberos server
a number of clients, all registered with server
application servers, sharing keys with server
this is termed a realm
typically a single administrative domain
if there are multiple realms, their Kerberos servers must share keys and trust
X.509 Authentication Service
part of CCITT X.500 directory service standards
distributed servers maintaining an information database
defines framework for authentication services
directory may store public-key certificates
with public key of user
signed by certification authority
also defines authentication protocols
uses public-key crypto & digital signatures
algorithms not standardized, but RSA recommended