Network Authentication Standards: Kerberos
· Kerberos was designed at MIT and is named after the three-headed dog of Greek mythology.
· It is a secret-key based service for providing authentication in a network.
Some applications that use Kerberos: telnet, rsh and NFS.
Master Keys and Session Keys:
· The KDC shares a secret key, called the master key, with each principal (each user and each resource). Alice's master key KA is derived from her password.
· The workstation asks the KDC for a limited-lifetime session key SA. The KDC sends the workstation KA{SA} and a ticket-granting ticket (TGT) Kkdc{T}, where T contains Alice's name, SA and an expiration time. Kkdc is the KDC's own master key; it never leaves the KDC, so only the KDC can open a TGT.
· The workstation then forgets Alice's KA and remembers only SA and the TGT, so what sits in workstation memory for the rest of the session is a short-lived key rather than the password-derived one. This is illustrated as:
{=====================================
Alice           workstation                 KDC
 Alice, passwd  >
                Alice needs a TGT           >
                <           KA{SA}, Kkdc{T}
=====================================}
When Alice needs to talk to Bob (e.g., % rsh Bob):
· Her workstation sends the TGT to the KDC, together with Bob's name. The KDC generates a fresh key KAB and sends to the workstation SA{"Bob", KAB, ticket to Bob}, where the ticket to Bob = KB{"Alice", KAB}. The workstation cannot read or alter the ticket, since it is encrypted under Bob's master key KB.
· Her workstation sends this ticket to Bob along with an authenticator KAB{t}, where t is the current time, to prove to Bob that she knows KAB (Kerberos allows up to 5 minutes of skew between clocks; an authenticator whose timestamp is outside that window is rejected, which limits replay).
· Bob sends back KAB{t+1} to prove that he is indeed Bob (since he must know KB to extract KAB from the ticket).
· Thereafter, messages between Alice and Bob may be encrypted and integrity protected using KAB. This is illustrated as:
{=================================================
Alice      workstation                              KDC          Bob
 rsh Bob   >
           Alice wants Bob, TGT                     >
           <   SA{"Bob", KAB, ticket to Bob}
           ticket to Bob = KB{"Alice", KAB}, KAB{t}              >
           <                                              KAB{t+1}
=================================================}
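The two exchanges above (login for a TGT, then the ticket and authenticator for Bob), worked through as an added example that is not part of the lecture notes. The cryptography is a constructed stand-in so the script runs with the standard library only: K{...} is modelled as a SHA-256 counter-mode keystream plus an HMAC tag, and the password-to-KA derivation uses PBKDF2 in place of Kerberos' own string-to-key function. The principal names, the 8-hour TGT lifetime, the KDC class and all function names are assumptions of this example; only the message flow follows the notes.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # Kerberos' default clock-skew tolerance: 5 minutes

def _keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); a stand-in for Kerberos' real enctypes.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """K{obj} in the notes' notation: encrypt-then-MAC of a JSON-encoded dict."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def master_key_from_password(name, password):
    # KA is derived from the password; PBKDF2 (assumed here) stands in for Kerberos' string-to-key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), name.encode(), 10_000, 32)

class KDC:
    def __init__(self):
        self.master_keys = {}       # principal name -> master key (KA, KB, ...)
        self.kkdc = os.urandom(32)  # Kkdc: never leaves the KDC

    def register(self, name, key):
        self.master_keys[name] = key

    def login(self, name, now):
        """First exchange: return KA{SA} and the TGT Kkdc{T}."""
        sa = os.urandom(32)
        t = {"name": name, "sa": sa.hex(), "exp": now + 8 * 3600}  # 8h lifetime is an assumption
        return seal(self.master_keys[name], {"sa": sa.hex()}), seal(self.kkdc, t)

    def ticket_for(self, tgt, service, now):
        """Second exchange: SA{"Bob", KAB, ticket to Bob}, with ticket to Bob = KB{"Alice", KAB}."""
        t = unseal(self.kkdc, tgt)  # only the KDC holds Kkdc, so only it can open the TGT
        if now > t["exp"]:
            raise ValueError("TGT expired")
        kab = os.urandom(32)
        ticket = seal(self.master_keys[service], {"client": t["name"], "kab": kab.hex()})
        reply = {"service": service, "kab": kab.hex(), "ticket": ticket.hex()}
        return seal(bytes.fromhex(t["sa"]), reply)

def workstation_login(kdc, name, password, now):
    """Alice's workstation: derive KA, obtain SA and the TGT, then forget KA."""
    ka = master_key_from_password(name, password)
    enc_sa, tgt = kdc.login(name, now)
    sa = bytes.fromhex(unseal(ka, enc_sa)["sa"])  # a wrong password fails here
    del ka  # only SA and the TGT are kept
    return sa, tgt

def server_accept(kb, ticket, authenticator, now):
    """Bob: open the ticket with KB, check the authenticator KAB{t}, answer with KAB{t+1}."""
    t = unseal(kb, ticket)
    kab = bytes.fromhex(t["kab"])
    a = unseal(kab, authenticator)
    if abs(now - a["t"]) > SKEW:
        raise ValueError("authenticator outside the clock-skew window")
    return t["client"], kab, seal(kab, {"t": a["t"] + 1})

def run_exchange(password="correct-password", bob_clock_offset=0, now=None):
    """Login, then 'rsh Bob'. Returns (client name Bob saw, both sides hold the same KAB, Bob proved he knows KB)."""
    now = now if now is not None else int(time.time())
    kdc = KDC()
    kdc.register("Alice", master_key_from_password("Alice", "correct-password"))
    kb = os.urandom(32)
    kdc.register("Bob", kb)
    sa, tgt = workstation_login(kdc, "Alice", password, now)
    resp = unseal(sa, kdc.ticket_for(tgt, "Bob", now))
    kab, ticket = bytes.fromhex(resp["kab"]), bytes.fromhex(resp["ticket"])
    client, kab_bob, reply = server_accept(kb, ticket, seal(kab, {"t": now}), now + bob_clock_offset)
    return client, kab == kab_bob, unseal(kab, reply)["t"] == now + 1

def exchange_fails(**kwargs):
    """True if run_exchange(**kwargs) is rejected (wrong password, clock skew beyond 5 minutes, ...)."""
    try:
        run_exchange(**kwargs)
        return False
    except ValueError:
        return True
```

Calling run_exchange() returns ("Alice", True, True): Bob learned Alice's name only from a ticket sealed under KB, both ends share KAB, and Bob's KAB{t+1} reply confirms he could open that ticket. exchange_fails(password="wrong") is True because KA{SA} cannot be opened without the right password-derived key, and exchange_fails(bob_clock_offset=600) is True because a ten-minute offset exceeds the five-minute skew that the notes mention.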