![Page 1: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/1.jpg)
Designing an Authentication System
Kerberos; man’s best
three-headed friend?
![Page 2: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/2.jpg)
What is Kerberos?
• Kerberos is a network authentication protocol.
• It’s also the name of the three-headed dog in Greek mythology.
• Yes, it really is spelt with a ‘K’.
• Questions? No? Good.
![Page 3: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/3.jpg)
Background
Early 1980s:
• Timesharing via dumb terminals
• Central processing and storage
• Crap for games
![Page 4: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/4.jpg)
Solution?
• Replace terminals with workstations
• Network all the machines
• Use servers for storage and services
![Page 5: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/5.jpg)
Eek! Security!
Problem:
• How does the server know who you are?
• Authentication by assertion?
Solution:
• Add username & password verification
![Page 6: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/6.jpg)
Multi-password badness
Problem:
• Changing your password
• Password stored in multiple locations
• Just remembering the damn thing
Sounds like we need a network authentication protocol :-)
![Page 7: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/7.jpg)
No, it’s not ‘Sharon’
Here’s where it starts to get clever:
• Users have passwords
• Services have passwords
• There’s an auth service that knows all passwords.
• We’ll call it charon
![Page 8: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/8.jpg)
Charon: first draft
• Alice wants her mail.
• She asks charon for a ticket.
• Charon encrypts her username as ticket.
• Alice hands ticket to mail service.
![Page 9: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/9.jpg)
Username squiggle?
The ticket currently contains:
Problem:
• How does the service know if it’s decrypted the ticket properly?
Solution:
• Fix the ticket
![Page 10: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/10.jpg)
Stop, thief!
Problem:
• What’s to stop someone stealing your ticket?
Solution:
• Add another field to the ticket
![Page 11: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/11.jpg)
But I already typed it in…!
Problem:
• We have to enter our password once per service
Solution:
• We add a ticket-granting service, we’ll call it bob.
![Page 12: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/12.jpg)
Bob? Eh?
Here’s how it works:
• You request a ticket from charon for bob.
• You can now repeat steps 2&3 for as many services as you like.
• This ticket is called the ticket-granting ticket. Catchy eh?
![Page 13: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/13.jpg)
I saw that!
Problem:
• The password is still being sent in plain text. Eek.
Solution:
• Tweak more stuff.
![Page 14: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/14.jpg)
Thievery, again
Problem:
• Someone can steal your ticket, and fake your username and address after you’ve fled home.
Solution:
• Add an expiry time to the ticket.
![Page 15: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/15.jpg)
T’was nae me, officer
Problem:
• Someone could use your ticket before it expires.
Well, let’s look at what’s happening.
![Page 16: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/16.jpg)
It honestly wasn’t
Solution:
• Add a session key.
• Charon creates a random password for the session and adds it to the reply.
![Page 17: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/17.jpg)
So, um, how’s this work?
Like this:
• Alice sends 2 things to the mail service:
 – The service ticket
 – Her username and address, encrypted with the session key (a.k.a., the authenticator)
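The slides from “Charon: first draft” through to this one build the design up one fix at a time; the following Python program is an added example (not code from the talk, from Bill Bryant’s dialogue, or from any Kerberos implementation) that runs the finished design end to end: charon issues a ticket-granting ticket sealed under Alice’s password-derived key, bob turns that into a mail ticket without Alice retyping her password, and the mail service checks the ticket’s service name, address and expiry and then the authenticator built with the session key. The principal names, passwords and addresses are constructed sample data, and the cipher is a deliberate stand-in (SHA-256 keystream XOR plus an HMAC tag) so the flow runs on the standard library; real Kerberos uses its own encryption types. It goes one step beyond the slides by putting a timestamp in the authenticator, which is the usual answer to the “replay” item in the notes at the end.

```python
"""Toy run-through of the design in the slides: charon (AS), bob (TGS), tickets
with service name, address, expiry and session key, plus the authenticator.
Added example; not code from the talk or from any Kerberos implementation.
Cipher is a stand-in (SHA-256 keystream XOR, HMAC tag) so the flow runs offline."""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600  # seconds ('Thievery, again')
CLOCK_SKEW = 300            # authenticator freshness window (not in the slides)

def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object with the toy cipher."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key + nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reverse of seal(); a wrong key fails the tag instead of handing back
    'username squiggle' garbage that the caller would have to guess at."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct)))))

def password_key(password):
    """Stand-in for Kerberos string-to-key; the password itself never goes on the wire."""
    return hashlib.sha256(password.encode()).digest()

# Charon's database of long-term keys (constructed sample principals).
KEYS = {"alice": password_key("alice-pw"),
        "bob": password_key("bob-pw"),    # the ticket-granting service
        "mail": password_key("mail-pw")}

def make_ticket(service, client, address, now):
    """Ticket sealed under the service's own key; only that service can read it."""
    session_key = os.urandom(32)
    body = {"service": service, "client": client, "address": address,
            "expires": now + TICKET_LIFETIME, "session_key": session_key.hex()}
    return seal(KEYS[service], body), session_key

def make_authenticator(session_key, client, address, now):
    """'Username and address, encrypted with the session key', plus a timestamp."""
    return seal(session_key, {"client": client, "address": address, "time": now})

def verify(service, ticket, authenticator, peer_address, now):
    """What every service, bob included, does with a ticket + authenticator."""
    t = unseal(KEYS[service], ticket)
    if t["service"] != service:
        raise ValueError("ticket was issued for another service")
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["session_key"])
    a = unseal(session_key, authenticator)  # only the session-key holder can build this
    if (a["client"], a["address"], peer_address) != (t["client"], t["address"], t["address"]):
        raise ValueError("authenticator or sender address does not match the ticket")
    if abs(now - a["time"]) > CLOCK_SKEW:
        raise ValueError("stale authenticator")
    return t["client"], session_key

def charon_reply(client, address, service, now):
    """Charon: ticket + session key, sealed under the client's long-term key."""
    ticket, session_key = make_ticket(service, client, address, now)
    return seal(KEYS[client], {"ticket": ticket.hex(), "session_key": session_key.hex()})

def bob_reply(tgt, authenticator, service, peer_address, now):
    """Bob: check the TGT like any ticket, then issue a service ticket sealed
    under the TGT session key, so the password is not typed again."""
    client, tgs_key = verify("bob", tgt, authenticator, peer_address, now)
    ticket, session_key = make_ticket(service, client, peer_address, now)
    return seal(tgs_key, {"ticket": ticket.hex(), "session_key": session_key.hex()})

def get_mail_credentials(password, address, now):
    """Alice's side: AS exchange, then TGS exchange. Returns (ticket, session key)."""
    r = unseal(password_key(password), charon_reply("alice", address, "bob", now))
    tgt, tgs_key = bytes.fromhex(r["ticket"]), bytes.fromhex(r["session_key"])
    auth = make_authenticator(tgs_key, "alice", address, now)
    r = unseal(tgs_key, bob_reply(tgt, auth, "mail", address, now))
    return bytes.fromhex(r["ticket"]), bytes.fromhex(r["session_key"])

def present(ticket, session_key, client, address, peer_address, now):
    """Hand ticket + authenticator to mail; returns the client name mail accepted."""
    auth = make_authenticator(session_key, client, address, now)
    return verify("mail", ticket, auth, peer_address, now)[0]

def rejected(fn, *args):
    """True if the service refused the request (used to show the failure cases)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Each of the slides’ fixes maps onto one check in `verify`: the service name answers “Username squiggle?”, the address answers “Stop, thief!”, the expiry answers “Thievery, again”, and the authenticator under the session key answers “T’was nae me, officer”, since a thief with the ticket but not the session key cannot build one. Calling `get_mail_credentials` with the wrong password fails at the first `unseal`, which is the point of “I saw that!”: the password is used only to open charon’s reply and is never sent.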
![Page 18: Designing an Authentication System Kerberos; mans best three-headed friend?](https://reader036.vdocuments.mx/reader036/viewer/2022062312/551a1c4c550346862c8b457c/html5/thumbnails/18.jpg)
And that’s pretty much it, folks.
My thanks to Bill Bryant
This
Man
Needs
Sleep
Notes to self: replay, bones, lanman, agnosticism, forwarding, mutual auth