KERBEROS AUTHENTICATION

CONTENTS
Authentication
What Is Kerberos?
Components
Cross-realm Authentication
Architecture
Kerberos Authentication Benefits
Why Kerberos?
Drawbacks Of Kerberos
Conclusion
References
AUTHENTICATION
Authentication is the verification of the identity of a party who generated some data, and of the integrity of the data.
A principal is the party whose identity is verified.
The verifier is the party who demands assurance of the principal's identity.
AUTHENTICATION
Issues with:
Password-based authentication
Authentication by assertion
WHAT IS KERBEROS?
Distributed authentication service
Allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier
Without sending the principal's secret (its password) across the network
WHAT IS KERBEROS?
Provides integrity and confidentiality for data
Developed in the mid-'80s as part of MIT's Project Athena
V4 still runs at many sites
V5 is considered to be standard Kerberos
COMPONENTS
Principals
Realms
Key Distribution Centers (KDCs)
Authentication Service
Ticket Granting Server
Tickets
ARCHITECTURE

CROSS-REALM AUTHENTICATION

KERBEROS AUTHENTICATION BENEFITS
Interoperability: the Kerberos V5 protocol provides interoperability with other networks.
Efficient authentication to servers: a server can directly authenticate clients by examining the credentials they present, without going to the domain controller.
Comparison to NT LAN Manager: more secure, more flexible, more efficient.
KERBEROS AUTHENTICATION BENEFITS
Mutual authentication: provides a centralized authentication server to authenticate users to servers and servers to users.
Delegated authentication: the Kerberos V5 protocol includes a proxy mechanism that enables a service to impersonate its client when connecting to other services. No equivalent is available with NTLM.
WHY KERBEROS?
Divide up resource capabilities between many users
Restrict users' access to resources
Typical authentication mechanism: passwords
Authenticate user identity: when a user wants to gain access to a server, the server needs to verify the user's identity. Because access to resources is based on identity and associated permissions, the server must be sure the user really has the identity it claims.
WHY KERBEROS?
Securely package the user's name: the user's name, that is, the User Principal Name (UPN), and the user's credentials are packaged in a data structure called a ticket.
Securely deliver user credentials: after the ticket is encrypted, messages are used to transport the user's credentials across the network.
DRAWBACKS OF KERBEROS
Single point of failure: all authentications are controlled by a centralized KDC
Strict time requirements
No standardisation
DRAWBACKS OF KERBEROS
Unique Kerberos keys: Kerberos assumes that each user is trusted but is using an untrusted host on an untrusted network
Unencrypted passwords transferred to a non-Kerberized service are at risk
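A small model of the ticket flow described under Why Kerberos? together with the service-side checks that the strict time requirements imply, added here as an example (it is not code from the slides or from any Kerberos implementation). To stay within the standard library it seals tickets and authenticators with an HMAC tag instead of encrypting them, it does not model the KDC delivering the session key to the client under the user's key, and every key, name and timestamp is constructed.

```python
import hashlib, hmac, json, secrets

# Constructed long-term key shared by the KDC and the service. The client never
# holds it, so it cannot forge or alter a ticket; the service can check a
# ticket locally without contacting the KDC.
SERVICE_KEY = b"constructed-service-key"
MAX_SKEW = 300            # seconds of clock skew tolerated (Kerberos' usual default)
TICKET_LIFETIME = 8 * 3600

def seal(key, fields):
    """Integrity-protect a set of fields (stands in for encryption in this model)."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def open_sealed(key, sealed):
    """Verify the tag and return the fields; raise if anything was altered."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity check failed")
    return json.loads(sealed["body"])

def kdc_issue_ticket(upn, now):
    """KDC packages the UPN and a fresh session key into a ticket sealed for the service."""
    session_key = secrets.token_hex(16)
    ticket = seal(SERVICE_KEY, {"upn": upn, "session_key": session_key,
                                "issued": now, "expires": now + TICKET_LIFETIME})
    return ticket, session_key          # session key goes to the client; the ticket is opaque to it

def client_authenticator(upn, session_key, now):
    """Client proves it holds the session key by sealing its name and the current time."""
    return seal(session_key.encode(), {"upn": upn, "timestamp": now})

def service_verify(ticket, authenticator, now, replay_cache):
    """Service authenticates the client from the presented credentials alone."""
    try:
        t = open_sealed(SERVICE_KEY, ticket)
        if not (t["issued"] - MAX_SKEW <= now <= t["expires"]):
            return "rejected: ticket not yet valid or expired"
        a = open_sealed(t["session_key"].encode(), authenticator)
    except ValueError:
        return "rejected: integrity check failed"
    if a["upn"] != t["upn"]:
        return "rejected: authenticator name does not match ticket"
    if abs(a["timestamp"] - now) > MAX_SKEW:
        return "rejected: clock skew too large"
    if (a["upn"], a["timestamp"]) in replay_cache:   # same authenticator seen before
        return "rejected: replayed authenticator"
    replay_cache.add((a["upn"], a["timestamp"]))
    return f"accepted: {t['upn']}"
```

Because the service relies on timestamps for both ticket validity and replay detection, a client or server clock that drifts by more than MAX_SKEW causes legitimate authentications to fail, which is the time requirement listed among the drawbacks.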
CONCLUSION
Traditional authentication methods are not suitable for use in computer networks where attackers monitor network traffic to intercept passwords.
The use of strong authentication methods that do not disclose passwords is imperative. The Kerberos authentication system is well suited for authentication of users in such environments.
REFERENCES
Steiner, Neuman, Schiller. Kerberos: An Authentication Service for Open Network Systems. Winter USENIX, 1988.
http://en.wikipedia.org/wiki/Kerberos_(protocol)
http://www.ifour-consultancy.com