Network Authentication Standards
Kerberos

- Kerberos was designed at MIT, and it is the name of a three-headed dog!
- It is a secret-key based service for providing authentication in a network.
- Some applications that use Kerberos: telnet, rsh and NFS.
Master Keys and Session Keys:
  - The KDC shares a secret key, called the master key, with each principal (each user and each resource). Alice's master key KA is derived from her password.
  - The workstation asks the KDC for a limited-lifetime session key SA. The KDC sends the workstation KA{SA} and a ticket-granting ticket TGT = Kkdc{T}. T contains Alice's name, SA and an expiration time. Kkdc is the KDC's own master key.
  - The workstation forgets Alice's KA and remembers only SA and the TGT.
This is illustrated as:
{======================================
 Alice            workstation                        KDC
   -- Alice, passwd -->
                       -- "Alice needs a TGT" -->
                       <-- KA{SA}, TGT = Kkdc{T} --
======================================}
Whenever Alice needs to talk to Bob:
- Her workstation sends the TGT to the KDC.
- The KDC generates KAB and sends to the workstation SA{KAB} and a ticket to Bob = KB{"Alice", KAB}.
- Her workstation sends this ticket to Bob along with an authenticator KAB{t}, where t is the current time, to prove to Bob that she knows KAB (Kerberos allows up to 5 minutes of skew between clocks).
- Bob sends back KAB{t+1} to prove that he is indeed Bob (since he must know KB to find out KAB).
- Thereafter, messages between Alice and Bob may be encrypted and integrity-protected using KAB.
This is illustrated as:
{=================================================
 Alice        workstation                            KDC                  Bob
   -- wants Bob -->
                   -- "Alice wants Bob", TGT -->
                   <-- SA{"Bob", KAB, ticket to Bob} --
                       (ticket to Bob = KB{"Alice", KAB})
                   ----------- ticket to Bob, KAB{t} --------------------->
                   <-------------------- KAB{t+1} ------------------------
=================================================}
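The two exchanges above, worked through in an added Python example that is not part of the original lecture: a toy KDC issues KA{SA} and the TGT, then KAB and the ticket to Bob under KB, and Bob enforces the 5-minute clock-skew window on the authenticator before answering KAB{t+1}. The seal/unseal helpers (a hash-based stand-in for Kerberos encryption, not a real cipher), the 32-byte keys, the 8-hour TGT lifetime and the sample password are assumptions of this example.

```python
import hashlib, hmac, json, os
SKEW = 300  # Kerberos allows up to 5 minutes of skew between clocks

def keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):  # toy stand-in for Kerberos encryption K{...}: keystream XOR plus an HMAC tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # raises if the key is wrong or the blob was tampered with
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, master_keys):  # one master key per principal, plus the KDC's own Kkdc
        self.master = master_keys
    def issue_tgt(self, name, now):  # "Alice needs a TGT" -> KA{SA}, TGT = Kkdc{T}
        sa = os.urandom(32)
        T = {"name": name, "SA": sa.hex(), "expires": now + 8 * 3600}  # assumed 8-hour lifetime
        return seal(self.master[name], {"SA": sa.hex()}), seal(self.master["kdc"], T)
    def issue_ticket(self, tgt, server, now):  # "Alice wants Bob, TGT" -> SA{"Bob", KAB, ticket to Bob}
        T = unseal(self.master["kdc"], tgt)  # only the KDC can open the TGT
        if now > T["expires"]: raise ValueError("TGT expired")
        kab = os.urandom(32)
        ticket = seal(self.master[server], {"client": T["name"], "KAB": kab.hex()})
        return seal(bytes.fromhex(T["SA"]), {"server": server, "KAB": kab.hex(), "ticket": ticket.hex()})

def bob_accepts(kb, ticket, authenticator, now):  # Bob opens the ticket with KB and checks KAB{t}
    kab = bytes.fromhex(unseal(kb, ticket)["KAB"])
    t = unseal(kab, authenticator)["t"]
    if abs(now - t) > SKEW: return None  # reject: timestamp outside the 5-minute window
    return seal(kab, {"t": t + 1})  # proves Bob knows KAB, and therefore KB

def alice_talks_to_bob(password, kdc, kb, now, skewed_by=0):  # True when Bob proves he knows KAB
    ka = hashlib.sha256(password.encode()).digest()  # simplified string-to-key from Alice's password
    enc_sa, tgt = kdc.issue_tgt("Alice", now)
    sa = bytes.fromhex(unseal(ka, enc_sa)["SA"]); del ka  # the workstation forgets KA
    reply = unseal(sa, kdc.issue_ticket(tgt, "Bob", now))
    kab, ticket = bytes.fromhex(reply["KAB"]), bytes.fromhex(reply["ticket"])
    answer = bob_accepts(kb, ticket, seal(kab, {"t": now + skewed_by}), now)
    return answer is not None and unseal(kab, answer)["t"] == now + skewed_by + 1

def demo(skewed_by=0, now=1_700_000_000):  # constructed keys; the password is a sample value
    keys = {"Alice": hashlib.sha256(b"alice-password").digest(), "Bob": os.urandom(32), "kdc": os.urandom(32)}
    return alice_talks_to_bob("alice-password", KDC(keys), keys["Bob"], now, skewed_by)
```

Calling demo() with the workstation clock off by more than 300 seconds returns False, because Bob never answers an authenticator outside the skew window.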