Kerberos
Posted by: Margaret Rouse
Contributor(s): Michael Cobb
Kerberos is a protocol for authenticating service requests between
trusted hosts across an untrusted network, such as the internet. Kerberos support is
built into all major operating systems, including Microsoft Windows, Apple OS
X, FreeBSD and Linux.
Since Windows 2000, Microsoft has incorporated the
Kerberos protocol as the default authentication method in Windows, and it is an
integral component of the Windows Active Directory service. Broadband service
providers also use Kerberos to authenticate DOCSIS cable modems and set-top boxes accessing their networks.
Kerberos was originally developed for Project Athena at
the Massachusetts Institute of Technology (MIT). The name Kerberos was taken
from Greek mythology; Kerberos (Cerberus) was a three-headed dog who guarded
the gates of Hades. The three heads of the Kerberos protocol represent a client, a server
and a Key Distribution Center (KDC), which acts as Kerberos' trusted
third-party authentication service.
Users, machines and services using Kerberos need only
trust the KDC, which provides two services, an authentication service (AS) and a
ticket granting service (TGS), normally run together as a single process (in Active
Directory, every domain controller runs a KDC). KDC "tickets" provide mutual
authentication, allowing nodes to prove their identity to one another in a secure
manner. Kerberos authentication uses symmetric (shared-secret) cryptography, with
keys derived from passwords or stored in keytabs, so that messages crossing the
network cannot be read or changed in transit, and timestamps inside the encrypted
messages protect against replay attacks.
A simplified description of how Kerberos works follows;
the actual process is more complicated and may vary from one implementation to
another. For the purposes of this discussion, the initiating client in the
scenario below is a corporate laptop running Windows, and an end user is trying
to log into the corporate network.
To start the Kerberos authentication process, the
initiating client sends a request to the authentication server naming the user
who wants access to a service. The request itself contains no secret, so it is
not encrypted. Most deployments, including Active Directory by default, require
pre-authentication, in which the client also includes a timestamp encrypted with
its long-term key to prove it knows that key; without pre-authentication, anyone
who knows a username can obtain the authentication server's reply and attempt to
crack the password offline.
The authentication server looks up the initiating
client's long-term secret key, which the KDC stores in its database and which
is derived from the user's password. If the initiating client's username
cannot be found in the KDC database, the client cannot be authenticated and the
authentication process stops. If the client's username can be found in the KDC
database, the authentication server generates a session key and a ticket granting
ticket (TGT). The TGT is timestamped and encrypted with the ticket granting server's
own long-term key, so the client can carry it but cannot read or alter it; the
session key is returned alongside it, encrypted with the client's long-term key.
The initiating client derives the same long-term key from the password the user
entered at logon; only if that password matches the one the KDC holds can the
client decrypt the session key, so a wrong password fails at this point. The client
then uses the TGT and the session key to request a credential from the ticket
granting server for the desired service. It sends the TGT together with an
authenticator (the client name and a fresh timestamp, encrypted with the session
key) to the ticket granting server, which may be physically running on the same
hardware as the authentication server, but performing a different role.
The ticket granting service decrypts the TGT with its own key, verifies the
authenticator against it, and then issues a service ticket for the requested
service, encrypted with that service's long-term key, together with a new session
key shared between the user and the service. This reply is encrypted with the TGT
session key, so only the client can read the new session key. The client presents
the service ticket and a fresh authenticator to the requested "kerberized"
service; the service decrypts the ticket with its own key, validates the
authenticator, and, for mutual authentication, replies with a message encrypted
under the session key, which confirms its identity to the requesting system.
The time-stamped ticket issued by the ticket granting
service allows the requesting system to access the service with a single
ticket for a specific time period without having to re-authenticate. Making
the ticket valid for a limited period reduces the window in which a stolen
ticket can be reused; services must therefore check the ticket's end time, allowing
for a small clock skew between hosts. It is also possible to set the maximum
lifetime to 0, in which case service tickets never expire, a setting to avoid because a
captured ticket then remains usable indefinitely. Microsoft
recommends a maximum lifetime of 600 minutes for service tickets; this is the
default value of the "Maximum lifetime for service ticket" policy in Windows
Server implementations of Kerberos.
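As an added worked example (not part of the original article), the Python model below walks through the three exchanges described in the preceding paragraphs, AS, TGS and AP, and the ticket-lifetime check from the paragraph just above. It is a toy, not real Kerberos: messages are JSON dictionaries rather than ASN.1, and seal/unseal are an encrypt-then-MAC construction built from HMAC-SHA256 that stands in for a real Kerberos encryption type (the password-to-key step uses PBKDF2 with a realm-plus-principal salt, as the AES encryption types do). The realm EXAMPLE.COM, the principals alice and host/fileserver.example.com, the passwords, and the 300-second clock-skew tolerance are constructed for the demo. It makes concrete what the prose glosses over: the TGT is opaque to the client, a wrong password is rejected at the pre-authentication step, the KDC refuses an unknown principal, a replayed authenticator is rejected, and an expired service ticket is refused.

```python
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300                    # seconds; the customary Kerberos tolerance
MAX_SERVICE_TICKET_LIFE = 600 * 60  # Windows default of 600 minutes

def string_to_key(password: str, salt: str) -> bytes:
    # Long-term key from a password; PBKDF2 with a realm+principal salt, as the AES etypes do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC stand-in for a Kerberos etype: only `key` holders can read or alter msg."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check_authenticator(auth: dict, ticket: dict, now: float) -> None:
    # The authenticator must name the ticket's client and be fresh (within clock skew).
    if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one process."""
    def __init__(self, realm: str):
        self.realm, self.db = realm, {"krbtgt/" + realm: os.urandom(32)}  # TGS's own key

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, client: str, preauth: bytes, now: float):
        """AS-REQ -> AS-REP: (TGT, part sealed under the client's long-term key)."""
        if client not in self.db:                      # unknown principal: the process stops
            raise KeyError("client principal not in KDC database")
        # Pre-authentication: the client proves it knows its key with a sealed timestamp.
        if abs(unseal(self.db[client], preauth)["timestamp"] - now) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp is stale")
        session, endtime = os.urandom(32).hex(), now + 10 * 3600   # Windows default TGT life
        # The TGT is sealed under the TGS key: the client carries it but cannot read it.
        tgt = seal(self.db["krbtgt/" + self.realm], {"client": client, "key": session, "endtime": endtime})
        return tgt, seal(self.db[client], {"key": session, "endtime": endtime})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS-REQ -> TGS-REP: (service ticket, part sealed under the TGT session key)."""
        t = unseal(self.db["krbtgt/" + self.realm], tgt)
        if t["endtime"] < now:
            raise PermissionError("TGT expired")
        tgt_key = bytes.fromhex(t["key"])
        _check_authenticator(unseal(tgt_key, authenticator), t, now)
        svc_session, endtime = os.urandom(32).hex(), min(now + MAX_SERVICE_TICKET_LIFE, t["endtime"])
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_session, "endtime": endtime})
        return ticket, seal(tgt_key, {"key": svc_session, "service": service})

def client_login(kdc: KDC, user: str, password: str, service: str, now: float):
    """The laptop's side: AS then TGS exchange. Returns (ticket, AP-REQ authenticator, session key)."""
    ckey = string_to_key(password, kdc.realm + user)
    tgt, enc = kdc.as_exchange(user, seal(ckey, {"timestamp": now}), now)
    tgt_key = bytes.fromhex(unseal(ckey, enc)["key"])
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user, "timestamp": now}), service, now)
    svc_key = bytes.fromhex(unseal(tgt_key, enc)["key"])
    return ticket, seal(svc_key, {"client": user, "timestamp": now}), svc_key

def service_accept(svc_key: bytes, seen: set, ticket: bytes, authenticator: bytes, now: float) -> bytes:
    """A kerberized server: validate the AP-REQ, reject replays, answer with an AP-REP."""
    t = unseal(svc_key, ticket)                        # only the service's own key opens it
    if t["endtime"] < now:
        raise PermissionError("service ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    _check_authenticator(auth, t, now)
    if (auth["client"], auth["timestamp"]) in seen:   # replay cache; entries need only outlive CLOCK_SKEW
        raise PermissionError("replayed authenticator")
    seen.add((auth["client"], auth["timestamp"]))
    # AP-REP: echoing the timestamp under the session key proves the service holds it (mutual auth).
    return seal(bytes.fromhex(t["key"]), {"timestamp": auth["timestamp"]})

def outcome(step, *args) -> str:
    try:
        step(*args)
    except (KeyError, ValueError, PermissionError) as exc:
        return f"rejected ({type(exc).__name__}): {exc}"
    return "accepted"

def demo(now: float = None) -> dict:
    now = time.time() if now is None else now
    kdc, svc, seen = KDC("EXAMPLE.COM"), "host/fileserver.example.com", set()
    kdc.add_principal("alice", "correct horse battery staple")
    kdc.add_principal(svc, "a long random service password")
    ticket, ap_req, svc_key = client_login(kdc, "alice", "correct horse battery staple", svc, now)
    ap_rep = unseal(svc_key, service_accept(kdc.db[svc], seen, ticket, ap_req, now))
    return {
        "mutual_auth": ap_rep["timestamp"] == now,
        "replay": outcome(service_accept, kdc.db[svc], seen, ticket, ap_req, now),
        "expired": outcome(service_accept, kdc.db[svc], seen, ticket, ap_req, now + MAX_SERVICE_TICKET_LIFE + 1),
        "wrong_password": outcome(client_login, kdc, "alice", "hunter2", svc, now),
        "unknown_user": outcome(client_login, kdc, "mallory", "hunter2", svc, now),
    }
```

Calling demo() returns one result per case: the happy path ends with the client verifying the AP-REP, and each of the other four cases reports which side rejected it and why. The clock is passed in explicitly (the `now` arguments) so the expiry case can be exercised without waiting ten hours; real implementations read the system clock and rely on hosts being synchronised to within the skew tolerance.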
The MIT Kerberos Consortium was founded in September 2007
to further the development of Kerberos. In 2013, the consortium was expanded
and renamed the MIT Kerberos and Internet Trust Consortium.