
1.2.1  Kerberos
(Page 2 of 2)

How Does Kerberos Authentication Work?



A complete explanation of the Kerberos protocol is beyond the scope of this book, but briefly, here’s a (very) simplified explanation as to how Kerberos authentication works.

A user authenticates himself when he logs into the network. He provides his user name, and the user workstation then connects to a special “ticket-granting service” on a specific network host called an Authentication Server (AS), for login verification. The AS issues the user a credential (encrypted with that user’s key, known by the server) called a “ticket.” The client machine holds on to this ticket, and uses it to demonstrate the user’s identity when requesting network services.

Authentication Server

The AS creates two session keys, temporary keys that are valid only for the life of that session. One session key (for the user’s connection with the ticket-granting service) and an expiration date are included in the ticket; the AS retains the other session key. Distributing the keys in this manner allows both sides of the session to communicate with each other in a secure, encrypted fashion, if desired.


If the user supplies a valid password, the session key is used in later attempts to connect to network services – it is sent to the service as proof of the client’s identity, along with a special message called an “authenticator” (with information like the client name, IP address and current time). The service can then decide whether or not the user is authorized to use the service, based on their identity, and allow or disallow the connection attempt.

Optionally, mutual authentication can take place, with the server proving its identity to the client as well as the client proving its identity to the server (see section 1.2.7).

Kerberos assumes the use of a strong password, since it employs conventional (symmetric) encryption keyed from that password. The Kerberos authentication mechanism never transmits the password in the clear; the password is used only as the key that encrypts and decrypts the credential.

According to the creator of Kerberos (MIT), various versions of Kerberos are vulnerable to buffer overflows and DoS attacks (section 1.4.1). Additionally, the Kerberos protocol is somewhat subject to “replay” attacks in which legitimate packets are captured and later “replayed” from an impostor’s machine, although this has been mitigated somewhat by the addition of timestamps to packets. Additionally, it is indirectly vulnerable to brute-force password guessing attacks.
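The exchange described above, as an added example that is not part of the original CertiGuide text: an Authentication Server sealing a session key under the user's password-derived key, the client recovering it (a wrong password simply fails to decrypt, so the password never crosses the wire), and a service checking the ticket expiry, the authenticator's name, address and timestamp, and a replay cache of recently seen authenticators. The encryption routine is a toy stand-in built from the standard library (an assumption, not the AES or DES Kerberos actually uses), the key derivation is a simplification of Kerberos string2key, and the principal names, addresses and clock values are constructed.

```python
import hashlib, hmac, json, os

SKEW = 300                  # accepted clock difference in seconds (Kerberos default: 5 minutes)
TICKET_LIFETIME = 8 * 3600  # expiry the AS writes into the ticket (assumed value)

# --- toy authenticated encryption: stand-in for Kerberos' real cipher, illustrative only ---
def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def encrypt(key: bytes, data: dict) -> bytes:
    plain = json.dumps(data).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # integrity tag
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))

def derive_key(password: str) -> bytes:
    # Simplification of Kerberos string2key: the user's long-term key comes from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM", 10_000)

class AuthenticationServer:
    def __init__(self):
        self.user_keys = {}     # principal -> key derived from that user's password
        self.service_keys = {}  # service -> long-term key shared with that service

    def issue_ticket(self, principal, service, client_ip, now):
        session_key = os.urandom(32)
        expiry = now + TICKET_LIFETIME
        # The ticket is opaque to the client: only the service it names can read it.
        ticket = encrypt(self.service_keys[service], {"principal": principal, "ip": client_ip,
                         "session_key": session_key.hex(), "expiry": expiry})
        # The credential for the client is sealed under the user's key, so only someone who
        # knows the password can recover the session key; the password itself is never sent.
        for_client = encrypt(self.user_keys[principal],
                             {"session_key": session_key.hex(), "expiry": expiry})
        return for_client, ticket

def client_login(password, for_client):
    return decrypt(derive_key(password), for_client)  # raises ValueError on a wrong password

def build_authenticator(session_key_hex, principal, client_ip, now):
    # Authenticator: client name, address and current time, encrypted with the session key.
    return encrypt(bytes.fromhex(session_key_hex), {"principal": principal, "ip": client_ip, "time": now})

class Service:
    def __init__(self, key):
        self.key = key
        self.seen = {}  # replay cache: (principal, authenticator time) -> when it was seen

    def accept(self, ticket, authenticator, client_ip, now):
        t = decrypt(self.key, ticket)
        if now > t["expiry"]:
            return False, "ticket expired"
        a = decrypt(bytes.fromhex(t["session_key"]), authenticator)
        if a["principal"] != t["principal"] or a["ip"] != t["ip"] or a["ip"] != client_ip:
            return False, "authenticator does not match ticket or sender"
        if abs(now - a["time"]) > SKEW:
            return False, "authenticator timestamp outside clock skew"
        self.seen = {k: v for k, v in self.seen.items() if now - v <= SKEW}  # prune old entries
        if (a["principal"], a["time"]) in self.seen:
            return False, "replayed authenticator"
        self.seen[(a["principal"], a["time"])] = now
        return True, "authenticated " + a["principal"]

def demo():
    now = 1_700_000_000.0  # fixed clock so the run is reproducible (constructed)
    kdc = AuthenticationServer()
    kdc.user_keys["alice"] = derive_key("correct horse battery staple")
    kdc.service_keys["fileserver"] = os.urandom(32)
    fs = Service(kdc.service_keys["fileserver"])
    for_client, ticket = kdc.issue_ticket("alice", "fileserver", "10.0.0.5", now)
    try:
        client_login("wrong password", for_client)
        wrong_pw = "decrypted"
    except ValueError:
        wrong_pw = "rejected"
    sk = client_login("correct horse battery staple", for_client)["session_key"]
    auth = build_authenticator(sk, "alice", "10.0.0.5", now + 1)
    return {
        "wrong_password": wrong_pw,
        "first_use": fs.accept(ticket, auth, "10.0.0.5", now + 2),
        "replay": fs.accept(ticket, auth, "10.0.0.5", now + 3),       # same authenticator resent
        "other_host": fs.accept(ticket, auth, "192.0.2.9", now + 4),  # resent from another address
        "stale": fs.accept(ticket, build_authenticator(sk, "alice", "10.0.0.5", now + 1), "10.0.0.5", now + 3600),
        "expired": fs.accept(ticket, build_authenticator(sk, "alice", "10.0.0.5", now + TICKET_LIFETIME + 10),
                             "10.0.0.5", now + TICKET_LIFETIME + 10),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The three rejection paths at the end are the ones the text calls out: a captured authenticator presented again (or from another host) is caught by the replay cache and the address check, an old authenticator falls outside the clock-skew window that timestamps make possible, and a ticket past its expiration date is refused regardless of the authenticator.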

Kerberos Assumptions

Kerberos includes some innovative solutions to problems posed by conventional symmetric cryptography. Kerberos assumes the use of a strong password since it uses a secret key and conventional symmetric encryption. However, it does not send the password over the wire.

Kerberos authentication uses session keys that are valid only as long as the session lasts.

It also uses tickets to avoid needing to re-authenticate the user each time they request access to a new network resource.

Kerberos can be vulnerable to buffer overflow, replay and brute-force password guessing attacks, and other issues.[57]


Does it require any open router ports?

Kerberos uses TCP port 88 and UDP port 88. When performing authentication across a router boundary, you may need to open those ports on the router.



 __________________

57. http://www.eweek.com/article2/0,1759,1641643,00.asp?kc=EWRSS03119TX1K0000594


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.