Kerberos Authentication Protocol Simulation

Course: CpE 597 B Advisor: Prof. Khaled Elleithy

Student: Nagendra Mallampati

Abstract:
Windows 2000 implements kerberos version 5 with extensions for publickey authentication.The kerberos client is implemented as a security provider through the Secutiry Service Provider Interface.Initial authentication is intergrated with winlogon single sign-on architecture.The Kerberos Distribution Center(KDC) is integrated with other windows 2000 security services running on the domain controller and uses the domains Active Directory as its security account database .

Goals of the Project:

To simulate the Kerberos Authentication Protocol using GSS-API. To show the different types of Security attacks in a GUI.

Figure used for Simulation:

Scenario in the figure:

User logs on to the work station and requests service on the host. AS verifies users access right in the database,creates TGT and session key.Results are encrypted using key derived from users password. Workstation prompts user for password and decrypts and sends ticket and authenticator to TGS.

Scenario contd:

TGS decrypts ticket and authenticator,verifies request and creates ticket for the requested server. Workstation sends ticket ticket and authenticator to server. Server verifies that ticket and authenticator match,then grants access to service.

What is Kerberos?

Network Authentication Protocol.

Developed at MIT in the mid 1980s. Available as open source or in supported commercial software.

How did Kerberos get its name?

The name "Kerberos" comes from a mythological three-headed dog that guarded the entrance to Hades. Invented by MIT, this form of security has been evolving in the Unix world for over a decade and is now becoming a standard .

Why Kerberos?

Sending usernames and passwords in the clear jeopardizes the security of the network.
Each time a password is sent in the clear,there is a chance of an security attack.

Types of Security Attacks:

Interception: an attack on confidentiality.

Interruption : an attack of availability.

Modification: an attack on integrity. Fabrication: an attack on authenticity.

Firewall Vs Kerberos ?

Firewalls make a risky assumption:that attackers come from outside.In reality,attacks frequently come from within.
Kerberos assumes that network connections(rather than servers and workstations)are the weak link in network security.

Design Requirements:

Interactions between hosts and clients should be encrypted. Must be convenient for users.
Protect against intercepted credentials.

How does Kerberos work?

Instead of client sending password to application server: -Request Ticket from authentication server. - Ticket and encrypted request sent to the application server. How to request tickets without repeatedly sending credentials? - Ticket Granting Ticket(TGT).

Terms used in Kerberos:

REALM: It could be termed as a ``group''. Machines will belong to this group. It has become almost standard procedure to make the realm the same as your domain name. KDC: the Kerberos Distribution Center , This is the machine that controls access. KEYTAB: a file that contains encrypted information allowing users/machines to authenticate themselves.

Limitations of Kerberos:

Scalability. Doesnt explicitly protect against Trojan attacks. Is mainly intended for single-user workstations. KDC can be a single point of failure.

Benefits of Kerberos Authentication:

More efficient authentication to servers Mutual authentication Delegated authentication Simplified trust management Interoperability

Applications of Kerberos:
The Kerberos V5 applications are versions of existing UNIX network programs with the Kerberos features added. telnet rlogin FTP rsh rcp ksu

GSS-API:

Provides the way for applications to protect data that is sent to peer applications. Enables application control over secutiry aspects. More portable as regards to Network Security.

Functions of GSS-API:

Creates a security context in which data can be passed btween apllications. Applies one or more types of protection,known as security services,to the data to be transmitted.

Screenshots of the Project:

-Without

Kerberos (Security Attacks) -With Kerberos.

Conclusions:
It can be concluded that kerberos, when intergrated with other parts of the system, can be made more useful . By implementing Kerberos in Windows 2000 the authentication process was extended.Kerberos is made a default authorization service for windows 2000 as it ensures a trustworthy authorization and more secure.

References:
Books:
Network Security Essentials- William Stallings. Websites: http://java.sun.com/j2se/1.4.1/docs/ http://www.ietf.org/rfc/rfc2853.txt http://www.windowsitlibrary.com/Content/617/06/3.html#5 http://mit.edu/kerberos/www/ http://www.labmice.net/Security/kerberos.htm http://portal.acm.org/dl.cfm