Introduction to Kerberos and history

Source: Internet
Author: User
Tags: rfc, ticket

Kerberos

The Kerberos protocol is primarily used for authentication on computer networks. Its distinguishing feature is that a user enters authentication information once and can then use it to access multiple services (via a ticket-granting ticket), which is single sign-on (SSO). Because a shared secret is established between each client and service, the protocol is quite secure.

Prerequisites

First, look at the prerequisites for the Kerberos protocol:

As the figure shows, the client and the KDC, and the KDC and the service, each already hold a shared key before the protocol runs. Also, because the protocol's messages do not pass through firewalls, these conditions limit Kerberos to use inside an organization, which makes its application scenario different from the.

Process
The Kerberos protocol consists of two parts:

1. The client sends its identity to the KDC. The KDC's ticket-granting service issues a Ticket-Granting Ticket (TGT), which the KDC encrypts with the key shared between the client and the KDC before the protocol began, and returns it to the client.

Only the genuine client holds the key it shares with the KDC, so only it can decrypt the encrypted TGT and thereby obtain the TGT.

(This avoids the insecure approach of having the client send its password directly to the KDC for verification.)

2. The client uses the TGT obtained earlier to request a ticket for some other service from the KDC, and then authenticates itself to that service with the ticket.

The focus of the Kerberos protocol is the second part, which proceeds as follows:

1. The client sends its TGT and information about the requested service (service name, etc.) to the ticket-granting service in the KDC. The KDC generates a session key between the client and the service, to be used by the service to authenticate the client. The KDC then packages the session key together with the user name, user address (IP), service name, validity period and timestamp into a ticket (which is ultimately what the service uses to authenticate the client) for delivery to the service. However, Kerberos does not send the ticket to the service directly; it reaches the service via the client. Hence the second step.

2. The KDC now forwards the ticket it just created to the client. Because this ticket is intended for the service, the client must not be able to read it, so the KDC encrypts the ticket with the key it shared with the service before the protocol began, and only then sends it to the client. In addition, so that the client and the service end up sharing the session key (which the KDC created for them in the first step), the KDC encrypts the session key with the key it shares with the client and returns it to the client together with the encrypted ticket.

3. To complete delivery of the ticket, the client forwards the ticket it just received to the service. Because the client does not know the key between the KDC and the service, it cannot read or alter the contents of the ticket. At the same time, the client decrypts the session key it received, packages the user name and user address (IP) into an authenticator, encrypts the authenticator with the session key, and sends it to the service as well.

4. When the service receives the ticket, it uses the key it shares with the KDC to decrypt it and obtain the session key, user name, user address (IP), service name and expiration time. It then uses the session key to decrypt the authenticator, obtains the user name and user address (IP) from it, and compares them with the user name and user address (IP) decrypted from the ticket to verify the client's identity.

5. If the service has a result to return, it returns it to the client.
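The second part of the protocol as described in steps 1 to 4 above, as an added worked example that is not code from the original page: a simplified KDC, client and service in Python, with a toy encrypt-then-MAC cipher built from hashlib and hmac standing in for the Kerberos encryption types. The principal names, addresses, key derivation, lifetimes and the replay cache are constructed assumptions, and the KDC's own validation of the TGT is assumed to have already happened.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # SHA-256 in counter mode; toy cipher for illustration, not a real Kerberos etype
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    # encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Long-term keys shared before the protocol runs (constructed sample values).
K_CLIENT = hashlib.sha256(b"alice-password").digest()      # client <-> KDC
K_SERVICE = hashlib.sha256(b"fileserver-keytab").digest()  # KDC <-> service

def tgs_exchange(user, addr, service, now, lifetime=300):
    # Steps 1-2: ticket sealed for the service, session-key copy sealed for the client
    skey = os.urandom(32).hex()
    ticket = {"user": user, "addr": addr, "service": service, "skey": skey,
              "start": now, "end": now + lifetime}
    return seal(K_SERVICE, ticket), seal(K_CLIENT, {"skey": skey, "end": now + lifetime})

def client_ap_req(enc_ticket, enc_part, user, addr, now):
    # Step 3: client recovers the session key, builds an authenticator, forwards the opaque ticket
    skey = bytes.fromhex(unseal(K_CLIENT, enc_part)["skey"])
    return enc_ticket, seal(skey, {"user": user, "addr": addr, "ts": now})

def service_verify(enc_ticket, authenticator, peer_addr, now, seen, skew=300):
    # Step 4: decrypt ticket with the service key, authenticator with the session key, compare
    t = unseal(K_SERVICE, enc_ticket)
    if not t["start"] <= now <= t["end"]:
        raise ValueError("ticket expired or not yet valid")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if (a["user"], a["addr"]) != (t["user"], t["addr"]) or peer_addr != t["addr"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > skew or (a["user"], a["ts"]) in seen:
        raise ValueError("stale or replayed authenticator")
    seen.add((a["user"], a["ts"]))
    return t["user"]
```

The replay cache keyed on (user, timestamp) and the clock-skew window are what make the timestamp in the authenticator meaningful on the service side; without them a captured authenticator could be presented again within the ticket's lifetime.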

Summary

To summarize, the Kerberos protocol does two main things:

1. Secure delivery of the ticket.

2. Secure distribution of the session key.

In addition, the use of timestamps goes a long way toward securing the identification of users, and with the session key the messages exchanged between client and service after authentication can also be given confidentiality and integrity guarantees. However, because no asymmetric keys are used, the protocol naturally cannot provide non-repudiation, which limits its application. On the other hand, it is much simpler to implement than PKI-based identity authentication.

History

MIT developed the Kerberos protocol to protect the network services provided by Project Athena. The protocol is named after Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed dog that guards Hades. There are several versions of the protocol; versions 1 to 3 were used only inside MIT. Steve Miller and Clifford Neuman, the main designers of Kerberos version 4, released that version in the late 1980s; it was intended mainly for Project Athena. Version 5, designed by John Kohl and Clifford Neuman, was published in 1993 as RFC 1510 (replaced by RFC 4120 in 2005) to overcome the limitations and security problems of version 4. MIT has made a free implementation of Kerberos available under a BSD-like copyright licence. In 2007, MIT formed the Kerberos Consortium to drive the continued development of Kerberos. Because of its use of the DES encryption algorithm (with a 56-bit key), the U.S. export control authorities classified Kerberos as munitions and prohibited its export. A non-US implementation of Kerberos version 4, developed at the Royal Institute of Technology in Sweden (KTH-KRB), allowed the system to be used outside the United States before the U.S. export regulations were changed in 2000. The Swedish implementation is based on a version called eBones, and eBones in turn is based on Bones, the MIT external release of Kerberos version 4 patch level 9 with the cryptographic routines and the calls to them removed. This partly explains the eBones name. Heimdal, an implementation of Kerberos version 5, was published by essentially the same group that released KTH-KRB. Windows 2000 and later operating systems use Kerberos as their default authentication method. RFC 3244 documents a number of Microsoft's additions to the Kerberos protocol suite.

RFC 4757, "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols", records Microsoft's use of the RC4 cipher. Although Microsoft uses the Kerberos protocol, it does not use MIT's software. Apple's Mac OS X also ships Kerberos client and server versions. Red Hat Enterprise Linux 4 and later operating systems include Kerberos client and server versions. The IETF Kerberos working group updated the specification in 2005; recent updates include:

1. "Encryption and Checksum Specifications for Kerberos 5" (RFC 3961).

2. "Advanced Encryption Standard (AES) Encryption for Kerberos 5" (RFC 3962).

3. A new version of the protocol specification, "The Kerberos Network Authentication Service (V5)" (RFC 4120). This version obsoletes RFC 1510 and gives a more detailed and explicit description of the protocol and how it is used.

4. A new version of the GSS-API mechanism, "The Kerberos Version 5 GSS-API Mechanism: Version 2" (RFC 4121). [1]

