Authentication Applications: Security Concerns Kerberos

Authentication Applications

Security Concerns
Kerberos
A Simple Authentication Dialogue
(1) C ----> AS: IDc || Pc || IDv
(2) AS ----> C: Ticket
(3) C -----> V: IDc || Ticket
Ticket = EKv[IDc || Pc || IDv]

Data & Network Security By Mohib Ullah

Version 4 Authentication Dialogue
• Problems:
• Lifetime associated with the ticket-granting ticket
• If too short ---> repeatedly asked for password
• If too long ----> greater opportunity to replay
• The threat is that an opponent will steal the ticket and use it before it expires
Version 4 Authentication Dialogue
Authentication Service Exchange: To obtain Ticket-Granting Ticket
(1) C ---> AS: IDc || IDtgs ||TS1
(2) AS ---> C: EKc [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]

Ticket-Granting Service Exchange: To obtain Service-Granting Ticket

(3) C ---> TGS: IDv || Tickettgs || Authenticatorc
(4) TGS ---> C: EKc [Kc,v || IDv || TS4 || Ticketv]

Client/Server Authentication Exchange: To Obtain Service

(5) C ---> V: Ticketv || Authenticatorc
(6) V ---> C: EKc,v[TS5 + 1]
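Steps (4) to (6) of the Version 4 dialogue above, modelled as an added example (not the page's code and not any real Kerberos implementation): the TGS seals Ticketv under Kv, the client sends it with an authenticator under Kc,v, and V checks the ticket lifetime, the authenticator's freshness and whether it has been replayed before answering EKc,v[TS5 + 1]. The toy cipher stands in for DES, lifetimes are in seconds rather than v4's 5-minute units, ADc is omitted, and K_V, SKEW and the replay cache `seen` are assumptions of this example.

```python
import hashlib, hmac, json, os

def seal(key, obj):
    """Toy authenticated encryption standing in for v4's DES: SHA-256 keystream XOR + HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(8)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_(key, blob):
    """Inverse of seal(); fails closed if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

K_V = os.urandom(16)   # constructed long-term key Kv shared by the TGS and server V
SKEW = 300             # assumed clock skew (seconds) V tolerates on an authenticator's TS5
seen = set()           # (IDc, TS5) pairs V has already accepted: a replayed authenticator hits this

def issue_ticket_v(idc, k_cv, ts4, lifetime):
    """Step (4), TGS side: Ticketv = EKv[Kc,v || IDc || IDv || TS4 || Lifetime4] (ADc omitted here)."""
    return seal(K_V, {"k": k_cv.hex(), "idc": idc, "idv": "v", "ts4": ts4, "life": lifetime})

def client_step5(idc, k_cv, ticket_v, ts5):
    """Step (5): client sends Ticketv || Authenticatorc with Authenticatorc = EKc,v[IDc || TS5]."""
    return ticket_v, seal(k_cv, {"idc": idc, "ts5": ts5})

def server_step6(ticket_v, authenticator, now):
    """Step (6), V side: validate ticket and authenticator, then prove knowledge of Kc,v with TS5 + 1."""
    t = open_(K_V, ticket_v)                       # only V (and the TGS) hold Kv
    if not (t["ts4"] <= now < t["ts4"] + t["life"]):
        raise PermissionError("ticket expired or not yet valid")
    k_cv = bytes.fromhex(t["k"])
    a = open_(k_cv, authenticator)                 # a stolen ticket alone cannot produce this
    if a["idc"] != t["idc"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - a["ts5"]) > SKEW:
        raise PermissionError("stale authenticator")
    if (a["idc"], a["ts5"]) in seen:
        raise PermissionError("replayed authenticator")
    seen.add((a["idc"], a["ts5"]))
    return seal(k_cv, {"ts5": a["ts5"] + 1})

def client_verify6(k_cv, reply, ts5):
    """Client side of step (6): V is genuine only if it could decrypt TS5 and return TS5 + 1."""
    return open_(k_cv, reply)["ts5"] == ts5 + 1
```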
Overview of Kerberos
Kerberos Realms and Multiple Kerberi

• A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers requires the following:
1. The Kerberos server must have the user ID and hashed passwords of all participating users in its database. All users are registered with the Kerberos server.
2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
Such an environment is referred to as a Kerberos realm.
Kerberos provides a mechanism for supporting interrealm authentication. For two realms to support interrealm authentication, a third requirement is added:
3. The Kerberos server in each interoperating realm shares a secret key with the server in the other realm. The two Kerberos servers are registered with each other.
• The scheme requires that the Kerberos server in one realm trust the Kerberos server in the other realm to authenticate its users.
• Furthermore, the participating servers in the second realm must also be willing to trust the Kerberos server in the first realm.
• A user wishing service on a server in another realm needs a ticket for that server. The user's client follows the usual procedures to gain access to the local TGS and then requests a ticket-granting ticket for a remote TGS (TGS in another realm). The client can then apply to the remote TGS for a service-granting ticket for the desired server in the realm of the remote TGS.
Request for Service in Another Realm


Difference Between Version 4 and 5
• Encryption system dependence (V.4 DES)
Version 4 uses DES. DES has some issues regarding its security and strength.
Therefore version 5 can use any encryption technique, with the restriction that the same key is to be used in the different algorithms.
• Internet protocol dependence
Version 4 uses only IP addresses. Other types, such as ISO network addresses, are not accommodated. Version 5 network addresses are tagged with type and length, allowing any network address type to be used.
• Ticket lifetime
In version 4, the maximum lifetime that can be expressed is 1280 minutes, or a little over
21 hours. This may be inadequate for some applications (e.g., a long-running simulation
that requires valid Kerberos credentials throughout execution). In version 5, tickets
include an explicit start time and end time, allowing tickets with arbitrary lifetimes.
Kerberos Version 5
• developed in the mid-1990s
• specified as Internet standard RFC 1510
• provides improvements over v4
• addresses environmental shortcomings
• encryption alg, network protocol, byte order, ticket lifetime,
authentication forwarding, interrealm auth
• and technical deficiencies
• double encryption, non-std mode of use, session keys, password
attacks
Assumptions of Kerberos
• The following assumptions are made to address the limitations of Kerberos.
• The Kerberos protocol does not protect against denial-of-service
attacks. Detection and solution of such attacks are usually best left to
human administrators and users.
• Key sharing or key theft can allow impersonation attacks. To limit this threat, prohibit users from sharing their keys and document this policy in your security regulations.
• The Kerberos protocol does not protect against typical password vulnerabilities, such as password guessing. If a user chooses a poor password, an attacker might successfully mount an offline dictionary attack by repeatedly attempting to decrypt messages that are encrypted under a key derived from the user's password. To ensure that users choose a secure password, establish password guidelines and document them in your company's security policy.