We have already discussed about Cryptography and Caesar cipher‘. In this post we will explore more about Cryptography by discussing the application of Cryptography – ‘Kerberos authentication protocol’. In today’s insecure online and distributed environment we need stronger authentication mechanism than the classic username/password combination.
Introduction:
‘Kerberos’ was developed in MIT as part of a project named ‘Athena’. Kerberos is a three headed dog in Greek mythology which was used to guard the underworld. The electronic version of Kerberos or the Kerberos authentication protocol is used to guard user’s online data and keep hackers at bay. The Internet being a place which does not hold the three tenets of Information Security – Confidentiality, Integrity and Availability – needed stronger cryptographic algorithms to ensure user’s online privacy. The Kerberos network authentication protocol was created to uphold the three tenets by making use of symmetric key cryptography. Recall: In Symmetric key cryptography, the same key that is used to encrypt data is used to decrypt data as well.
The Kerberos authentication protocol is used to prove your identity in a client/server interaction by making use of “tickets”. Kerberos version 4 was created by Steve Miller and Clifford Neuman. Version 5 release 1.16.3 is the latest version It was created by John Kohl and Clifford Neuman. Kerberos is freely downloadable from the MIT website under copyright permissions. It is also available as a professional product by many vendors. Kerberos is based on the Needham-Schroedar protocol.
Necessity of Kerberos:
Kerberos was created to overcome the following threats in an open distributed network environment:
- A user may masquerade as another user and access the privileges and rights on the new user’s workstation
- A user can change, modify and alter the network address of other workstations
- A user can also “snoop” and overhear conversations and gain an entry into servers(Stallings)
Description:
Here is an extremely high level working of the Kerberos authentication protocol ….the important terms to be aware of before we start discussing the working of Kerberos:
KDC – Key distribution center
TGS – Ticket Granting Service
- A user logs onto a client machine, enters his credentials and requests some services. Now, the username alone is transmitted to the KDC server(the password is transformed into the key of a symmetric cipher and kept at the user’s machine) After matching username with the KDC database, the KDC server creates the TGT (Ticket Granting Ticket – which is encrypted by the user’s key)
2. The client receives the encrypted TGT. Recall that Kerberos makes use of symmetric key cryptography. Hence, the encrypted TGT that is received is decrypted using the user’s key(the user’s key is stored in the user’s machine)
3. The TGT stored on the machine will enable a session with the server for a specified amount of time
4. In order to communicate with the server and request more services, the client will use the TGT and ask for a specific service from the KDC server
Conclusion:
This is just a simplified version of the Kerberos authentication protocol. It can be inferred from the above description of the Kerberos authentication protocol that the entire functioning is based on “tickets” and encryption and decryption using symmetric key cryptography. No passwords were sent in the entire client/server interaction. It is hoped that stronger authentication standards will be adopted by the industry.
Bibliography:
Kerberos. (n.d.). Retrieved May 7, 2014, from Wikipedia.org: http://en.wikipedia.org/wiki/Kerberos_(protocol)#Further_reading
Cryptography and Network Security. In W. Stallings.
What is kerberos and how does kerberos work, from https://www.slashroot.in/what-is-kerberos-and-how-does-kerberos-work