Kerberos Protocol V 5
Ilya Burdman, NASA/SEWP

What is Kerberos?

Kerberos is an authentication protocol used in Client/Server and Peer-to-Peer network architectures. In an unprotected network environment a client can request any service from any server. This creates vulnerabilities for Modification and Fabrication security attacks. Servers need to authenticate and confirm the identity of each client, and this process creates a great load on the server.

The Kerberos protocol uses an Authentication Server (AS) that stores the passwords of all users in a centralized database. In Microsoft's case, this would be the Domain Controller (need to check that; it's either DC or Active Directory). The Authentication Server shares a secret key with each server. These keys are usually distributed using the Diffie-Hellman key exchange protocol. The process of validation is described in the next paragraph.

A client types in the password at the beginning of the logon session to be validated. This password is sent to the Authentication Server along with the workstation ID and a server ID. When the password is matched correctly against the centralized database on the Authentication Server and the user's permissions have been checked to see his access rights to the server, a ticket is created containing the user's ID, the user's network address, and the server's ID. This ticket is then encrypted using a symmetric encryption scheme (3DES, Blowfish) with a secret key that is shared between the AS and the server. The ticket is then sent back to the client, and now the client can apply for service to the server. The client sends the ticket with the client's ID to the server, and if it is validated the service is started between the client and the server. In order not to make the user type in the password every time he wants to use the service, the tickets must be reusable.
We introduce the concept of a Ticket Granting Server (TGS) that will allow us to reuse the tickets and to get rid of plaintext transmission of the password to the Authentication Server. Otherwise an eavesdropper can capture the password and use any service accessible to the client. The current protocol is described quite well in RFC 1510, which can be found at http://www.ietf.org/rfc/rfc1510.txt.

The exchange between the client A, the TGS and the server B is:

A → TGS: A, B
TGS → A: {T_TGS, L, K_AB, B, {T_TGS, L, K_AB, A}K_B,TGS}K_A,TGS
A → B: {T_TGS, L, K_AB, A}K_B,TGS, {A, T_A}K_AB
B → A: {T_A+1}K_AB
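The following is an added example, not part of the original note, that walks the four messages above end to end so the checks each party performs are visible. In the notation, {X}K means X encrypted under key K, T_TGS is the TGS timestamp, L the ticket lifetime, K_AB the session key for A and B, K_A,TGS the key derived from A's password, and K_B,TGS the long-term key shared between the TGS and server B. The cipher here is a standard-library stand-in (SHA-256 keystream with an HMAC tag), not the 3DES/Blowfish encryption the note mentions and not Kerberos' real encryption types; the principal names, password, key material and clock values are all constructed for the example, and the clock-skew window of 300 seconds is an assumed value.

```python
"""Toy walk-through of the Kerberos V5 TGS exchange described in the note.

The encrypt/decrypt pair is a stdlib stand-in (SHA-256 keystream + HMAC tag)
for a symmetric cipher; it exists only so the example runs offline."""
import hashlib
import hmac
import json
import secrets

SKEW_SECONDS = 300  # assumed acceptable clock skew for authenticators


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> dict:
    """{obj}K: encrypt a JSON-serialisable message under a symmetric key."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> dict:
    """Reject anything not produced under this key before touching the plaintext."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def tgs_issue(k_a_tgs: bytes, k_b_tgs: bytes, a: str, b: str, now: int, lifetime: int) -> dict:
    """Message 2: TGS -> A. The inner ticket is sealed under K_B,TGS, the reply under K_A,TGS."""
    k_ab = secrets.token_bytes(32).hex()
    ticket = encrypt(k_b_tgs, {"T_TGS": now, "L": lifetime, "K_AB": k_ab, "client": a})
    return encrypt(k_a_tgs, {"T_TGS": now, "L": lifetime, "K_AB": k_ab, "server": b, "ticket": ticket})


def client_request(k_a_tgs: bytes, reply: dict, a: str, t_a: int):
    """Message 3: A -> B. Only the holder of K_A,TGS can open the reply and learn K_AB."""
    inner = decrypt(k_a_tgs, reply)
    k_ab = bytes.fromhex(inner["K_AB"])
    authenticator = encrypt(k_ab, {"client": a, "T_A": t_a})
    return inner["ticket"], authenticator, k_ab


def server_accept(k_b_tgs: bytes, ticket: dict, authenticator: dict, now: int):
    """Message 4: B -> A. B never talks to the TGS; the ticket alone carries K_AB."""
    t = decrypt(k_b_tgs, ticket)
    if now > t["T_TGS"] + t["L"]:
        raise PermissionError("ticket expired")
    k_ab = bytes.fromhex(t["K_AB"])
    auth = decrypt(k_ab, authenticator)  # proves the sender holds K_AB, not just a copied ticket
    if auth["client"] != t["client"]:
        raise PermissionError("authenticator name does not match ticket")
    if abs(now - auth["T_A"]) > SKEW_SECONDS:
        raise PermissionError("authenticator timestamp outside clock skew")
    return encrypt(k_ab, {"T_A_plus_1": auth["T_A"] + 1}), k_ab


def exchange_outcome(client_now: int = 1_000_000, server_now: int = 1_000_000,
                     lifetime: int = 28_800, typed_password: str = "correct horse") -> str:
    """Run all four messages; return 'ok' or the reason a party rejected the exchange."""
    a, b = "alice", "fileserver"                                    # constructed principals
    k_a_tgs = hashlib.sha256(b"correct horse").digest()             # TGS's copy, from stored password
    k_a_typed = hashlib.sha256(typed_password.encode()).digest()    # client's copy, from typed password
    k_b_tgs = hashlib.sha256(b"fileserver-long-term-key").digest()  # constructed K_B,TGS
    reply = tgs_issue(k_a_tgs, k_b_tgs, a, b, client_now, lifetime)
    try:
        ticket, authenticator, k_ab = client_request(k_a_typed, reply, a, client_now)
        response, _ = server_accept(k_b_tgs, ticket, authenticator, server_now)
    except (ValueError, PermissionError) as e:
        return str(e)
    return "ok" if decrypt(k_ab, response)["T_A_plus_1"] == client_now + 1 else "bad response"


if __name__ == "__main__":
    print(exchange_outcome())
    print(exchange_outcome(server_now=1_000_000 + 28_800 + 1))
    print(exchange_outcome(typed_password="wrong"))
```

The password itself never crosses the wire: a wrong password simply leaves the client unable to open the TGS reply, so it learns neither K_AB nor a usable ticket. On the server side the two rejections worth keeping in a real deployment are the lifetime check on the ticket and the timestamp check on the authenticator, which together bound how long a captured ticket-plus-authenticator pair remains replayable.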