Kerberos: a system that supports authentication in distributed systems
- In Greek mythology, Kerberos is the three-headed dog that guards the entrance to Hades; in security, Kerberos is an authentication protocol that uses symmetric key cryptography.
- Kerberos originated at MIT and was designed for smaller-scale use.
- Kerberos is used for authentication and to establish a session key that can then be used for confidentiality and integrity.
Any symmetric cipher can be used with Kerberos; however, the crypto algorithm widely used is the Data Encryption Standard (DES).
- There are four parties involved in the Kerberos protocol:
  - User – Alice, who uses the client workstation.
  - Real Server – The server (Bob) provides services for the user (Alice).
  - Authentication Server (AS) – It is the KDC in the Kerberos protocol. Each user registers with the AS and is granted a user identity and a password. The AS verifies the user, issues a session key to be used between Alice and the TGS, and sends a ticket for the TGS.
  - Ticket Granting Server (TGS) – Issues a ticket for the real server. It provides the session key (KAB) between Alice and Bob.
- The three steps involved in the Kerberos protocol are:
1. Login –
- Alice uses a public workstation and enters her name, which is sent to the AS in plain text.
In response, the AS first creates a package of the username (Alice) and a randomly generated session key (KS). It encrypts this package with the symmetric key that the AS shares with the Ticket Granting Server (TGS).
The output of this step is called the Ticket Granting Ticket (TGT). The TGT can be opened only by the TGS, since only the TGS possesses the corresponding symmetric key for decryption.
- The AS then combines the TGT with the session key (KS) and encrypts the two together using a symmetric key derived from Alice's password (KA).
- After the message is received, Alice's workstation asks her for the password. When Alice enters it, the workstation generates the symmetric key (KA) derived from the password and uses it to extract the session key (KS) and the TGT.
2. Obtaining a service-granting ticket (SGT) –
- After a successful login, Alice wants to make use of Bob, the server, for communication. For this, Alice needs a ticket to communicate with Bob. At this point Alice's workstation creates a message intended for the Ticket Granting Server (TGS) which contains the TGT, the ID of Bob (the server) and the current timestamp, encrypted with the same session key (KS).
- Once the TGS is satisfied with Alice's credentials, the TGS creates a session key KAB for Alice to have secure communication with Bob. The TGS sends it to Alice twice: once combined with Bob's ID and encrypted with KS, and a second time combined with Alice's ID and encrypted with Bob's secret key (KB).
3. User contacts Bob to access the server –
- Alice can now send KAB to Bob in order to enter into a session with him. Since this exchange is also required to be secure, Alice can simply forward to Bob the copy of KAB that is encrypted with Bob's secret key. This ensures that only Bob can access KAB. Bob then adds 1 to the timestamp sent by Alice, encrypts the result with KAB and sends it to Alice.
- Since both Alice and Bob know KAB, Alice can open this packet and verify that the timestamp incremented by Bob was indeed the one she sent to Bob in the first place.
- Now Alice and Bob can communicate securely, using the shared secret key KAB to encrypt messages.
- If Alice wants to communicate with another server, she will need another shared key from the TGS and must specify that server's name in her message to the TGS.
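The three steps above, simulated end to end in Python as an added example (this is not code from the original post or from any Kerberos implementation). The toy cipher (SHA-256 keystream XOR plus an HMAC tag), the key names K_TGS and K_B, the constructed user registration and the 300-second freshness window are all assumptions made here; a real deployment encrypts tickets with DES/AES as the text describes.

```python
import hashlib, hmac, json, os, time

def kdf(password):  # KA: key derived from Alice's password (toy KDF for the demo)
    return hashlib.sha256(password.encode()).digest()

def seal(key, obj):  # toy symmetric cipher: SHA-256 keystream XOR plus HMAC tag
    pt, nonce, out = json.dumps(obj).encode(), os.urandom(16), b""
    for i in range(0, len(pt), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(pt[i:i + 32], ks))
    return nonce + out + hmac.new(key, nonce + out, "sha256").digest()

def unseal(key, blob):  # raises ValueError on a wrong key or a tampered message
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    pt = b""
    for i in range(0, len(ct), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        pt += bytes(a ^ b for a, b in zip(ct[i:i + 32], ks))
    return json.loads(pt)

K_TGS, K_B = os.urandom(32), os.urandom(32)       # AS<->TGS key and Bob's secret key KB
USERS = {"alice": kdf("correct horse battery")}   # constructed registration at the AS

def as_login(user):  # step 1: AS builds the TGT, then wraps TGT + KS under KA
    ks = os.urandom(32)
    tgt = seal(K_TGS, {"user": user, "ks": ks.hex()})
    return seal(USERS[user], {"ks": ks.hex(), "tgt": tgt.hex()})

def tgs_request(tgt, authenticator):  # step 2: TGS checks TGT + timestamp, issues KAB twice
    t = unseal(K_TGS, tgt)
    a = unseal(bytes.fromhex(t["ks"]), authenticator)
    if a["user"] != t["user"] or abs(time.time() - a["ts"]) > 300:
        raise ValueError("authenticator does not match TGT or is stale")
    kab = os.urandom(32)
    ticket = seal(K_B, {"user": t["user"], "kab": kab.hex()})          # copy for Bob, under KB
    return seal(bytes.fromhex(t["ks"]), {"server": a["server"], "kab": kab.hex(), "ticket": ticket.hex()})

def bob_serve(ticket, authenticator):  # step 3: Bob recovers KAB and returns timestamp + 1
    kab = bytes.fromhex(unseal(K_B, ticket)["kab"])
    return seal(kab, {"ts": unseal(kab, authenticator)["ts"] + 1})

def alice_session(password):  # client side of all three steps; True if Bob's reply checks out
    m = unseal(kdf(password), as_login("alice"))
    ks, tgt = bytes.fromhex(m["ks"]), bytes.fromhex(m["tgt"])
    r = unseal(ks, tgs_request(tgt, seal(ks, {"user": "alice", "server": "bob", "ts": time.time()})))
    kab, ticket = bytes.fromhex(r["kab"]), bytes.fromhex(r["ticket"])
    ts = int(time.time())
    return unseal(kab, bob_serve(ticket, seal(kab, {"ts": ts})))["ts"] == ts + 1
```

A wrong password fails at step 1 (the KA-wrapped reply cannot be opened), so the TGT and KS never leave the client, which is the property the login step relies on.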