KERBEROS
Que:- Explain Kerberos in detail or write a short note on Kerberos.

Ans:-
Three servers are involved in the Kerberos protocol: an authentication server
(AS), a ticket-granting server (TGS), and a real (data) server that provides services to
others. In our examples and figures Bob is the real server and Alice is the user requesting
service. The figure shows the relationship between these three servers.

o Authentication Server (AS)
· AS is the KDC (Key Distribution Centre) in the Kerberos protocol.
· Each user registers with AS and is granted a user identity and a password.
· AS has a database with these identities and the corresponding passwords.
· AS verifies the user, issues a session key to be used between Alice (Client) and TGS, and sends a ticket for TGS.
o Ticket-Granting Server (TGS)
· TGS issues a ticket for the real server (Bob).
· It also provides the session key (KAB) between Alice (Client) and Bob (Server).
· Kerberos has separated user verification from ticket issuing.
· In this way, although Alice (Client) verifies her identity just once with AS, she can contact TGS multiple times to obtain tickets for different real servers.
o Real Server
· The real server (Bob) provides services for the Client (Alice).
· Kerberos is designed for a client/server program such as FTP, in which a user uses the client process to access the server process.
· Kerberos is not used for person-to-person authentication.

OPERATION OF KERBEROS
A client process (Alice) can access a process running on the real server (Bob) in six steps, as shown in the figure.
o Step 1. Alice sends her request to AS in plaintext, using her registered identity.
o Step 2. AS sends a message encrypted with Alice's symmetric key KA. The message
contains two items: a session key Ks that is used by Alice to contact TGS, and a
ticket for TGS that is encrypted with the TGS symmetric key KTG. Alice does not
know KA, but when the message arrives, she types her password. The
password and the appropriate algorithm together create KA if the password is correct.
The password is then immediately destroyed; it is not sent over the network, and it does
not stay in the terminal. It is only used for a moment to create KA. The process now
uses KA to decrypt the message. Both Ks and the ticket are extracted.
o Step 3. Alice now sends three items to TGS. The first is the ticket received from
AS. The second is the name of the real server (Bob). The third is a timestamp, which
is encrypted with Ks. The timestamp prevents a replay by Eve.
o Step 4. Now TGS sends two tickets, each containing the session key between
Alice and Bob, KAB. The ticket for Alice is encrypted with Ks; the ticket for Bob is
encrypted with Bob's key KB. Note that Eve cannot extract KAB because she does
not know Ks or KB. She cannot replay step 3 because she cannot replace the timestamp with a new one (she does not know Ks). Even if she is very quick and sends the step 3 message before the timestamp has expired, she still receives the same two tickets, which she cannot decipher.
o Step 5. Alice sends Bob's ticket together with a timestamp encrypted with KAB.
o Step 6. Bob confirms receipt by adding 1 to the timestamp. The message is
encrypted with KAB and sent to Alice.

Using Different Servers
Note that if Alice needs to receive services from different servers, she need repeat only steps 3 to 6. The first two steps have verified Alice's identity and need not be repeated. Alice can ask TGS to issue tickets for multiple servers by repeating steps 3 to 6.
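The six-step exchange above, as an added simulation that is not part of the original notes: AS, TGS, Alice and Bob are modelled in one Python process, with the keys KA, KTG, KB, Ks and KAB as in the text. The cipher is a toy HMAC-authenticated keystream standing in for Kerberos' symmetric encryption (an assumption for the example; real Kerberos uses AES or similar), chosen so that a wrong password or a tampered ticket fails the decryption step rather than silently producing garbage, and the TGS rejects a stale step 3 timestamp.

```python
import hashlib, hmac, json, os, time

# Toy authenticated cipher standing in for Kerberos' symmetric encryption (not real Kerberos crypto):
# SHA-256 keystream XOR plus an HMAC tag, so a wrong key is detected instead of yielding garbage.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def enc(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

K_A = hashlib.sha256(b"alice-password").digest()  # AS's copy of KA, derived from the registered password
K_TG = os.urandom(32)                             # TGS key KTG, shared by AS and TGS
K_B = os.urandom(32)                              # Bob's key KB, shared by TGS and Bob

def kerberos_exchange(typed_password, max_skew=300):
    """Run steps 1-6; return True if Bob's reply carries timestamp+1, False if any step fails."""
    try:
        user = "alice"                                                    # Step 1: plaintext identity
        Ks = os.urandom(32)                                               # Step 2: AS issues Ks + TGS ticket
        tgs_ticket = enc(K_TG, {"user": user, "Ks": Ks.hex()})
        msg2 = enc(K_A, {"Ks": Ks.hex(), "ticket": tgs_ticket.hex()})
        ka = hashlib.sha256(typed_password.encode()).digest()             # Alice recreates KA from her password
        m2 = dec(ka, msg2); Ks_a = bytes.fromhex(m2["Ks"])                # fails if the password is wrong
        t3 = int(time.time())                                             # Step 3: ticket, server name, {t}Ks
        msg3 = (bytes.fromhex(m2["ticket"]), "bob", enc(Ks_a, {"ts": t3}))
        tk = dec(K_TG, msg3[0]); Ks_tgs = bytes.fromhex(tk["Ks"])         # Step 4: TGS opens ticket with KTG
        if abs(time.time() - dec(Ks_tgs, msg3[2])["ts"]) > max_skew:
            raise ValueError("stale timestamp: possible replay")
        K_AB = os.urandom(32)
        alice_ticket = enc(Ks_tgs, {"server": msg3[1], "KAB": K_AB.hex()})
        bob_ticket = enc(K_B, {"user": tk["user"], "KAB": K_AB.hex()})
        kab_a = bytes.fromhex(dec(Ks_a, alice_ticket)["KAB"])             # Step 5: Alice forwards Bob's ticket
        t5 = int(time.time())
        msg5 = (bob_ticket, enc(kab_a, {"ts": t5}))
        kab_b = bytes.fromhex(dec(K_B, msg5[0])["KAB"])                   # Step 6: Bob recovers KAB, replies t+1
        msg6 = enc(kab_b, {"ts": dec(kab_b, msg5[1])["ts"] + 1})
        return dec(kab_a, msg6)["ts"] == t5 + 1
    except ValueError:
        return False
```

Calling `kerberos_exchange("alice-password")` completes all six steps; a wrong password stops at step 2 because KA cannot be recreated, and the `max_skew` window is where the TGS enforces the timestamp check against a replayed step 3.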