Kerberos Authentication: An Overview

Kerberos, named after the three-headed dog of Greek mythology that guards the gates of Hades, is an authentication protocol developed at MIT as part of another project, Project Athena. Project Athena started in 1983, when MIT decided to use networked computers as part of its campus curriculum. MIT had grants from DEC (Digital Equipment Corporation) and IBM, as well as multiple operating systems to support. The goals of Athena were Single Sign-on (SSO), networked file systems, a unified graphical environment, and a naming service. Within five years these goals had been met. Kerberos provided the SSO as well as secure remote authentication.

Microsoft adopted the protocol with the development and release of Windows 2000, replacing its previous authentication protocol, CHAP (Challenge Handshake Authentication Protocol), which simply used a plaintext user name and password to authenticate. With Kerberos, this was upgraded to a scheme in which the session is protected by encryption keys produced by a pseudo-random number generator rather than by relying on the user's password hash. The password is involved in the process, but it is never transmitted across the network and is used only in the initial stage of logging on.

When users first log in to the network, they must provide a log-in name and password to be verified by the Authentication Service (AS) portion of a Key Distribution Center (KDC) within their domain. The KDC has access to Active Directory user account information. Once successfully authenticated, the user is given a Ticket Granting Ticket (TGT), colloquially a "ticket to get tickets". The TGT has a default lifetime of 10 hours and may be renewed throughout the user's log-on session without requiring the password to be re-entered. The TGT is cached on the local machine and used to request sessions with services throughout the network.

The first step in the TGT retrieval process is the AS request, which identifies the client to the KDC in plain text. If the client is recognised, a time stamp is encrypted using the user's password hash as the encryption key. If the KDC decrypts a valid time, it knows the request is not a replay of a previous request. If the KDC approves the client's request for a TGT, the reply (referred to as the AS reply) includes two parts: a TGT encrypted with a key that only the KDC (TGS) can decrypt, and a session key, encrypted with the password hash, that will protect all further communication with the KDC.

The user presents the TGT to the Ticket Granting Service (TGS) portion of the KDC when requesting access to a server service. The TGS receives the client's TGT and reads it. If the TGS approves the client's request, it generates a service ticket and a new session key for both the client and the target server; this information, known as the service ticket, is cached on the client machine. The client reads its portion using the session key from the AS reply and presents the server's portion to the target server in the client/server exchange. Once the client holds the client/server service ticket, it can establish the session with the server. The server can decrypt the information coming from the TGS using its own key. The client user is thus authenticated and a service session is established using the service ticket. After the ticket's
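The AS, TGS and client/server exchanges described above, modelled end to end as an added example (this is not code from the original essay, from MIT Kerberos or from Windows). The hash-based toy cipher, the 300-second clock-skew window, and the principal names krbtgt and cifs/fs01 are assumptions made for the model; the 10-hour TGT lifetime and the encrypted-timestamp replay check come from the text.

```python
import hashlib, hmac, json, os, time

LIFETIME, SKEW = 10 * 3600, 300   # TGT lifetime from the text (10 h); assumed max clock skew (s)
def derive_key(password, salt):   # long-term key; the password itself never crosses the wire
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _ks(key, nonce):   # 512-byte hash-derived keystream, enough for the short tickets modelled here
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(16))

def seal(key, obj):   # toy authenticated encryption standing in for Kerberos' real cipher
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce)))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce))))

class KDC:
    def __init__(self, keys):
        self.keys, self.seen = keys, set()   # principal -> long-term key; AS timestamps already used
    def as_exchange(self, user, pre_auth):
        # AS: user named in clear; the encrypted timestamp proves the password and exposes replays.
        ts = unseal(self.keys[user], pre_auth)["ts"]
        if abs(time.time() - ts) > SKEW or (user, ts) in self.seen:
            raise ValueError("stale or replayed AS request")
        self.seen.add((user, ts))
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": ts + LIFETIME})
        return tgt, seal(self.keys[user], {"sk": sk})   # the two parts of the AS reply
    def tgs_exchange(self, tgt, authenticator, service):
        # TGS: only the krbtgt key opens the TGT; the authenticator must be under its session key.
        t = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["sk"])
        if time.time() > t["exp"] or unseal(sk, authenticator)["user"] != t["user"]:
            raise ValueError("expired TGT or mismatched authenticator")
        ssk = os.urandom(32).hex()   # service session key for client and server
        return seal(self.keys[service], {"user": t["user"], "ssk": ssk}), seal(sk, {"ssk": ssk})

def client_login(kdc, user, password, service):
    k = derive_key(password, user)
    tgt, rep = kdc.as_exchange(user, seal(k, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(k, rep)["sk"])     # only the password-derived key can read this
    st, rep2 = kdc.tgs_exchange(tgt, seal(sk, {"user": user}), service)
    return st, unseal(sk, rep2)["ssk"]           # service ticket and service session key

def server_accept(service_key, service_ticket):   # the server needs only its own long-term key
    return unseal(service_key, service_ticket)["user"]
```

A wrong password, a ticket presented to a server holding a different key, or a re-sent AS request all fail at the step the essay describes, which is what makes each check worth having.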