786535
Exam - Kerberos
- principals &
their roles
- A Kerberos principal is a unique identity to
which Kerberos can assign tickets. Principals
can have an arbitrary number of components:
the primary, the instance and the realm.
- format typically: primary / instance @ realm
- format typically: primary / instance @ realm
- A Kerberos principal is a unique identity to
which Kerberos can assign tickets. Principals
can have an arbitrary number of components:
the primary, the instance and the realm.
- applications
- Campus network where access to
various resources (printing, file
storage (SMB), computing time,
proxy authentication, authorisation)
needs to be controlled for a
population of users, but where the
servers do not necessariyl know
about (or trust) the users.
- Campus network where access to
various resources (printing, file
storage (SMB), computing time,
proxy authentication, authorisation)
needs to be controlled for a
population of users, but where the
servers do not necessariyl know
about (or trust) the users.
- weaknesses
- availability
- Kerberos has a single point of failure at the
authentication server or the ticket granting server.
- Kerberos has a single point of failure at the
authentication server or the ticket granting server.
- scalability
- Kerberos systems can only scale to support as much as
the central authentication and/ or TGT servers can handle.
- Kerberos systems can only scale to support as much as
the central authentication and/ or TGT servers can handle.
- revocation
- Ticket granting tickets are good for 10
hours. If a ticket is compromised, there
is no mechanism to revoke the ticket.
- Ticket granting tickets are good for 10
hours. If a ticket is compromised, there
is no mechanism to revoke the ticket.
- time synchronization reliance
- Clocks on the network cannot be more than 5
minutes out of sync for Kerberos to work.
- Clocks on the network cannot be more than 5
minutes out of sync for Kerberos to work.
- TGT lifetime
- The relatively long life and the fixed structure of the
TGT opens the door for offline attacks to figure out the
encryption key. In Kerberos version 4, the encrpytion
algorithm was DES which can be compromised today.
- The relatively long life and the fixed structure of the
TGT opens the door for offline attacks to figure out the
encryption key. In Kerberos version 4, the encrpytion
algorithm was DES which can be compromised today.
- availability
- entities
- authentication server
- ticekt granting server
- client
- server
- authentication server
- ***Authentication and Key Exchange***
- HIGH LEVEL! For exam detail see shared notes!!
- User authenticates to authentication server (AS).
- AS sends a ticket granting ticket to
the ticket granting server (TGS).
- User forwards ticket granting ticket to TGS with a
request to access a different network server.
- TGS decrypts ticket granting ticket with key
shared between AS and TGS.
- TGS checks ticket for validity and correct timeframe.
- TGS sends a service granting ticket to user.
- User forwards service granting ticket to network server.
- Network server decrypts service granting ticket with
key shared between TGS and network server.
- If service granting ticket is valid and within the
correct timeframe, user is allowed access to server.
- If service granting ticket is valid and within the
correct timeframe, user is allowed access to server.
- Network server decrypts service granting ticket with
key shared between TGS and network server.
- User forwards service granting ticket to network server.
- TGS sends a service granting ticket to user.
- TGS checks ticket for validity and correct timeframe.
- TGS decrypts ticket granting ticket with key
shared between AS and TGS.
- User forwards ticket granting ticket to TGS with a
request to access a different network server.
- AS sends a ticket granting ticket to
the ticket granting server (TGS).
- HIGH LEVEL! For exam detail see shared notes!!
Want to create your own Mind Maps for free with GoConqr? Learn more.