AUTHENTICATION APPLICATIONS
Kerberos is a widely used network authentication protocol and system developed by MIT.
It's designed to provide secure authentication for users and services over a non-secure
network, such as the internet or a corporate intranet.
Kerberos helps ensure the confidentiality and integrity of data and the authenticity of users
and services.
It addresses the threats posed in an open distributed environment in which users at
workstations wish to access services on servers distributed throughout the network.
Kerberos is a protocol for authenticating service requests between trusted hosts across an
untrusted network, such as the internet. Kerberos support is built into all major computer
operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux.
The name was taken from Greek mythology; Kerberos (Cerberus) was a three-headed dog
who guarded the gates of Hades. The three heads of the Kerberos protocol represent the
following:
- The client or principal;
- The network resource, which is the application server that provides access to the network
resource; and
- A key distribution center (KDC), which acts as Kerberos' trusted third-party authentication
service (the AS together with the TGS).
Some of the threats that arise when using an unsecured network are:
- A user may gain access to a particular workstation and pretend to be another user operating
from that workstation.
- A user may alter the network address of a workstation so that the requests sent from the
altered workstation appear to come from the impersonated workstation.
- A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or
to disrupt operations.
The original designers of version 4 of the protocol were Steve Miller and Clifford Neuman, who
developed this version for MIT's Project Athena.
Version 5 was published as RFC 1510 in 1993; it was intended to eliminate the security issues that
had been found in version 4.
RFC 1510 was eventually made obsolete by RFC 4120 in 2005, which is the version now widely used
as Kerberos Version 5.
MIT makes sure that an implementation of Kerberos is freely available.
In 2007 MIT founded the Kerberos Consortium, which is now sponsored by companies such as
Microsoft, Apple and Google, as well as many academic institutions.
Windows 2000 was the first Windows-based operating system to implement Kerberos as its
authentication protocol.
Many UNIX-based operating systems, such as Mac OS X, Red Hat Linux, Solaris and FreeBSD, ship
software that uses Kerberos authentication services.
The Working of Kerberos
There are four parties involved in the Kerberos protocol:
- Alice: the client workstation.
- Authentication Server (AS): verifies (authenticates) the user during login.
- Ticket Granting Server (TGS): issues tickets that certify proof of identity.
- Bob: the server offering services such as network printing, file sharing or an application
program.
The job of the AS is to authenticate every user at login time. The AS shares a unique secret
password with every user.
The job of the TGS is to certify to the servers in the network that a user really is who he/she
claims to be. To prove this, the mechanism of tickets (which allow entry into a
server, just as a ticket allows parking a car or entering a music concert) is used.
Step 1: Login
In response to Alice's login request, the AS performs several actions.
It first creates a package of the user name (Alice) and a randomly generated session key (KS). It
encrypts this package with the symmetric key that the AS shares with the Ticket Granting Server
(TGS). The output of this step is called the Ticket Granting Ticket (TGT). Note that the TGT can
be opened only by the TGS, since only it possesses the corresponding symmetric key for
decryption.
The AS then combines the TGT with the session key (KS), and encrypts the two together using a
symmetric key derived from the password of Alice (KA). Note that the final output can,
therefore, be opened only by Alice.
After this message is received, Alice’s workstation asks her for the password. When Alice enters
it, the workstation generates the symmetric key (KA) derived from the password (in the same
manner as AS would have done earlier) and uses that key to extract the session key (KS) and the
Ticket Granting Ticket (TGT).
The workstation destroys the password of Alice from its memory immediately to prevent an
attacker from stealing it. Note that Alice cannot open the TGT, as it is encrypted with the key of
the TGS.
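The Step 1 exchange above, worked through as an added example (not code from the original slides or from MIT Kerberos): the AS seals (user, KS) under the AS/TGS key to form the TGT, seals (TGT, KS) under Alice's password-derived key KA, and the workstation re-derives KA to recover KS and the TGT. The cipher is a constructed HMAC-based encrypt-then-MAC stand-in for Kerberos' real enctypes, and PBKDF2 with the principal name as salt stands in for the real string-to-key function; both are assumptions of this example, not the protocol's actual algorithms.

```python
import hashlib, hmac, json, os

def string_to_key(password: str, principal: str) -> bytes:
    # Kerberos derives the long-term key from the password plus a salt built from the
    # principal name; PBKDF2 with the principal as salt stands in for the real string2key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, fields: dict) -> bytes:
    # Toy encrypt-then-MAC (HMAC keystream + HMAC tag), a constructed stand-in for the
    # AES-based enctypes real Kerberos uses. Output: nonce || ciphertext || tag.
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    # Raises if the key is wrong: this is what stops Alice from opening the TGT.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: not encrypted under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def as_reply(k_tgs: bytes, user_keys: dict, user: str) -> bytes:
    # Step 1 on the AS side: TGT = E_KTGS(user, KS); reply = E_KA(TGT, KS).
    ks = os.urandom(16).hex()                     # fresh session key, carried as hex
    tgt = seal(k_tgs, {"user": user, "ks": ks})   # only the TGS can open this
    return seal(user_keys[user], {"tgt": tgt.hex(), "ks": ks})

def workstation_login(user: str, password: str, reply: bytes) -> tuple:
    # Step 1 on Alice's side: re-derive KA from the password, extract KS and the TGT,
    # then drop the password and KA from memory. Returns (tgt, ks).
    ka = string_to_key(password, user)
    fields = unseal(ka, reply)
    del password, ka
    return bytes.fromhex(fields["tgt"]), fields["ks"]

if __name__ == "__main__":
    k_tgs = os.urandom(32)                         # key shared by the AS and the TGS
    users = {"alice": string_to_key("correct horse", "alice")}   # constructed AS database
    tgt, ks = workstation_login("alice", "correct horse", as_reply(k_tgs, users, "alice"))
    assert unseal(k_tgs, tgt)["ks"] == ks           # the TGS recovers the same KS
    print("login ok; TGT is", len(tgt), "bytes and opaque to Alice")
```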
Step 2: Obtaining a Service Granting Ticket (SGT)
Step 3: User Contacts Bob for Accessing the Server
Since Alice needs to authenticate or sign on only once, this mechanism is called Single
Sign On (SSO).
Alice need not prove her identity to every resource in the network individually. She
needs to authenticate herself only once, to the central AS. That is good enough for
all the other servers/network resources to be convinced of Alice's identity.
SSO is a very important concept for corporate networks, because they grow over a
period of time, with multiple authentication mechanisms and diverse implementations.
These can be consolidated into a single, uniform authentication mechanism using SSO. In
fact, Microsoft's Passport technology on the Internet is also based on this philosophy.
Microsoft Windows NT also uses the Kerberos mechanism heavily. This is why, once you log on to a
Windows NT workstation, you can access your email and other protected resources
without explicit logons, as long as the correct mappings have been set up by the
system administrator.
Clearly, not every server in the world would trust a single AS and TGS. Therefore,
the designers of Kerberos provide support for multiple realms, each having its
own AS and TGS.
Advantages
The standard is 100% free to use.
Kerberos is open source.
Kerberos is available on many recent operating systems, such as:
- Windows 2000 and up
- Mac OS X
- Red Hat Linux
- Solaris
Drawbacks
Kerberos requires a central server to be available; if that server goes down, no one can
log in.
Another drawback is that hosts' clocks must be properly synchronized, because the tickets
used in the authentication process are time-stamped and the protocol relies on those time
stamps being valid.
Application of the Standard
As mentioned before, Kerberos is distributed as software that is accessed through a terminal
program on Linux operating systems.
On Windows, the command prompt is used to access the program.
The developers of the standard mention on their website that it is not intended for
individual home use, but for enterprise/professional use.