Wednesday, August 4, 2021

Kerberos Version 4 | Kerberos version 4 using authentication and ticket granting server

 

What is Kerberos?

Kerberos: Kerberos is a network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Different Version of Kerberos Protocols

Figure : Different Version of Kerberos

Using Authentication Server (AS)


Step – 1: In this scenario, the user logs on to a workstation and requests access to server V. The client module C in the user’s workstation requests the user’s password and then sends a message to the AS that includes the user’s ID, the server’s ID, and the user’s password. The AS checks its database to see if the user has supplied the proper password for this user ID and whether this user is permitted access to server V. If both tests are passed, the AS accepts the user as authentic and must now convince the server that this user is authentic.

Step – 2: To do so, the AS creates a ticket that contains the user’s ID and network address and the server’s ID. This ticket is encrypted using the secret key shared by the AS and this server. This ticket is then sent back to C. Because the ticket is encrypted, it cannot be altered by C or by an opponent.

Step – 3: With this ticket, C can now apply to V (Server) for service. C sends a message to V containing C’s ID and the ticket. V decrypts the ticket and verifies that the user ID in the ticket is the same as the unencrypted user ID in the message. If these two matches, the server considers the user authenticated and grants the requested service.

Problems:

Problem – 1: Under this scheme, a user would need a new ticket for every different service. If a user wants to access a print server, a mail server, a file server, and so on, the first instance of each access would require a new ticket.

Problem – 2: In this scheme, password is transmitted without encryption. An eavesdropper could capture the password and use any service accessible to the victim.


Using Ticket Granting Server (TGS)

 


Step – 1: The client requests a ticket-granting ticket on behalf of the user by sending its user’s ID to the AS, together with the TGS ID, indicating a request to use the TGS service.

Step – 2: The AS responds with a ticket that is encrypted with a key that is derived from the user’s password (KC), which is already stored at the AS. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered. Thus, we have used the password to obtain credentials from Kerberos without having to transmit the password in plaintext. Here, the opponent may be able to reuse the ticket to spoof the TGS. To counter this, the ticket includes a timestamp, indicating the date and time at which the ticket was issued, and a lifetime, indicating the length of time for which the ticket is valid.

Step – 3: The client requests a service-granting ticket on behalf of the user. For this purpose, the client transmits a message to the TGS containing the user’s ID, the ID of the desired service, and the ticket-granting ticket.

Step – 4: The TGS decrypts the incoming ticket using Ktgs and verifies the success of the decryption by the presence of its ID. It checks to make sure that the lifetime has not expired. Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket to grant access to the requested service.

Step – 5: The client requests access to a service on behalf of the user. For this purpose, the client transmits a message to the server containing the user’s ID and the service-granting ticket. The server authenticates by using the contents of the ticket.


Problems

Problem – 1: A network service (the TGS or an application service) must be able to prove that the person using a ticket is the same person to whom that ticket was issued.

Problem – 2: There may be a requirement for servers to authenticate themselves to users. Without such authentication, the false server would then be in a position to act as a real server and capture any information from the user and deny the true service to the user.

 Solution

AS provides both the client and the TGS with a secret piece of information in a secure manner. Then the client can prove its identity to the TGS by revealing the secret information—again in a secure manner.  An efficient way of accomplishing this is to use an encryption key as the secure information; this is referred to as a session key in Kerberos.


To learn more about Kerberos Version 4, watch below video


Video : Kerberos Version 4

Watch more videos click here.


No comments:

Post a Comment