StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

Network Security: Kerberos - Essay Example

Cite this document
Summary
"Network Security: Kerberos" paper focuses on a network-authenticated protocol developed by the Massachusetts institute of technology as a solution to network solution problems. It uses a secret key cryptography to provide a strong tool of authentication and strong cryptography over the network…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER97.9% of users find it useful

Extract of sample "Network Security: Kerberos"

Table of Contents…………………………….…………………………………..1 1.0 Introduction……………...………………………………………………...…..2 2.0 Authentication…………...………...…………………………………………..3 3.0 Use of session keys……………………………..………….…………..……4-5 4.0 Authentication exchange stages…………………..…..……….………… 6- 10 5.0 Differences between Kerberos 4and Kerberos 5…………….………………10 6.0 References………………..………………………………….……………….11 Introduction Kerberos is a network-authenticated protocol that was developed by Massachusetts institute of technology as a solution to network solution problems. It uses a secret key cryptography to provide strong tool of authentication and strong cryptography over the network to help the client secure the information systems and applications across the entire organisation. It uses a strong cryptography where a client can prove his or her identity to a server on an insecure network connection. Once the server and the client have proved their identity through Kerberos, they can now encrypt all of their communications to guarantee privacy of their data. David Mills, 2006. To use Kerberos in computer security systems, one must authenticate with a Kerberos server to gain access to the key server. To do this requires a Kerberos server on your network and a “Kerberized” version of key access. Users with Kerberos authentication server can authenticate users to key-servers. To gain access to a Kerberized key server, the users must type their known name and password, as kerberos server provides authentic services only. The ticket granting server must with no doubts ascertain that the authentication server identifies the client as the true client he purports to be. S.M. Bellovin 1989. Kerberos is designed such that its authentication protocol demands that there has to be a Kerberos client-side authentication module on each key access client and a server- side authentication module. Donald Knuth 1997. Authentication Kerberos security system uses key distribution center (KDC) to safeguard data and information from access to unauthorized users. A key distribution center is a part of a cryptosystem with symmetric encryption aimed at reducing the risks associated in exchanging keys. It operates in systems within which some users are permitted to use services at some times and not others. An operation with a key distribution center involves the user making a request to use a service, The key distribution center use cryptographic techniques to verify the authentication of the users and whether the user has permission to access to the service requested or not. The server verifies the submitted ticket and if the user meets all the required conditions He or She is permitted access. In most cases, the key distribution center shares a key with each of all the other parties and produces a ticket based on a server key which the client receives and submits it to the appropriate server. G. R. Blakley 1979 In Kerberos, authentication occurs between clients and servers. The client gets the service from the Kerberos service. The key distribution center implements the authentication service and the ticket granting service. The key distribution center maintains a copy of every password associated with every password associated with every principal and hence it is very important that the key distribution center be under tight security. Most key distribution center implementations keep the principals in a database, which is usually manipulated by an administration server. G. R. Blakley 1979. Time stamping entails provision of a sequence of characters showing the date and time at which an event occurred. The data is presented in a consistent manner allowing easy comparison of two different records and noting progress over time. It is usually used for logging events in which each event is marked with a timestamp. In key distribution center, the time server reads the actual time from a reference clock and distributes the information to the clients using a computer network. This can be done by use of Network Time Protocol (NTP). Y. Rekhter, R. Moskowitz, D. Karrenberg, G. de Groot, E. Lear. Kerberos allows user-to-user authentication application protocol, which allows user to host secure application services on their machines. User to user authentication allows a user to use a server without keeping a long- lived key on disk. The user instead uses user’s ticket granting service session key, which takes the place of the usual secret key in the server’s authentication. Mills, David L 2006. Use of Session Keys Secret sharing refers to any method of sharing a secret amongst a group of participants each of which is allocated a share of the secret. The secret is reconstructed only when the shares are combined together. In secret sharing, there is one server and several clients. The server gives a secret to the clients only when specific conditions are fulfilled. The server does this by giving each player a part, in such a way that only a group of clients can together reconstruct the secret but not a few of them. A secret sharing scheme can be used to secure a secret over multiple servers and remain recoverable even with multiple server failures. Where large secrets are used, it is more worthwhile to encrypt the secrets and then distribute the keys using secret sharing. Adi Shamir 1979. In any communication network that requires security, it is very important that secrets be protected by use of many keys. Generally, a system of a number of keys can be combined in a numerous ways may allow for the recovery of a unique secrets despite how they are combined. Schemes that have a group of participants who can recover a secret are known as secret sharing schemes. The idea of a secret sharing starts with a secret, dived into pieces called shares, and then distributes the shares amongst users. Only certain authorized groups can reconstruct the original secret. A secret sharing scheme is a method whereby a number of pieces of information called shadows are assigned to a secret key in such a way that the secret way can be reconstructed from certain authorized groups of shares and the secret key can not be reconstructed from authorized group of shares. G. R. Blakley 1979. Kerberos authentication occurs between a client and server. The client obtains a ticket from the server and the server decrypts this ticket using its secret key. To prevent crackers from assessing the secret key, user-to-user authentication may be used. In this protocol, one user acts as a server, and the other user acts as a client. With the client user’s demand, the server sends ticket-granting ticket (TGT) to the client user who gets recommendation from the key distribution center, encrypted with the session keys of both ticket granting ticket. The two users can now decrypt the new session key and use it to confirm each other’s identity. The user-to-user scheme has a security advantage in that, the server user exposes only the ticket granting server (TGS) session key, and keeps the password safe. Donald Knuth 1997 Kerberos authentication process can be divided into four major stages before the server clearly authenticates that the client is who he claims to be and hence they can share the encryption key for secure communication. The stages are the authentication exchange stage, ticket granting service exchange, client server exchange and the secure communication stage. The stages are explained below. Stage 1 Authentication exchange The client to be authenticated asks the authenticating server to send a ticket to the ticket-granting server. The authenticating server searches for the client in the database. Once confirmed, it generates a session key (SK1) to be used between the client and the ticket-granting server. The kerberos encrypts the service key 1 using the client’s secret key. The authenticating server uses the ticket granting server secret key, which is only known to the authentication server and the ticket-granting server to create and send to the client, a ticket granting ticket. Mills, David L 2006 Stage 2 Ticket granting service exchange When the clients receives the ticket granting ticket it decrypts the message and recovers the session key, which it uses to create an authenticator containing the users IP address, his name and a time stamp. It sends the authenticator together with the ticket granting ticket to the ticket-granting server. This is to request access to the target server. Once the ticket granting server decrypts the ticket granting ticket, it uses the session key1inside the ticket granting ticket to decrypt the authenticator. The ticket granting server verifies the information in the authenticator, the client’s network address, the ticket and the timestamp whether they match. If they match, it creates a new session key 2 for the client service server. It encrypts it using session key1 and then sends it to the client. The ticket granting service encrypts the target server’s secret key and the name of the server, with a new ticket containing the clients name the network address, the time stamp and the expiration time for the ticket. Mills, David L 2006. Stage 3 Client server exchange Once the client gets the session key 2, it decrypts the message and sends it to the target server. The client creates a new authenticator encrypted with SK2 .It then sends the session ticket and the encrypted authenticator. This proves that the client knows the key. The encrypted time stamp prevents the recording of both ticket and the authenticator from being recorded .The target server decrypts and checks for application that requires two-way authentication. To prove to the client that the sever knows its own secret key, the server sends it a message containing time stamp plus1 encrypted with SK2. Mills, David L 2006. Stage 4 Session key 2 Secure communications. At this point, the target server is now convinced of the authentication of the client and that the client is the intended one. The target server and the client can now share an encryption key. They now both assume that any message encrypted in that key comes from the other party. S. P. Meyn, 2007. A session key is a temporary one- off symmetric key used to encrypt a message or data for the current session only. Session keys keep the secret keys more secret as they are not directly used in encrypting the data. They are used to derive session keys using methods that join arbitrary numbers from either the client or the server or both. They bring in complications in an encrypting system. The cryptanalytic attacks are made easier as more materials encrypted with a definite key are available. This limit the materials processed using a single key, making the attack more difficulty. The keys are usually distributed securely before encryption can be used. This makes them faster for practical encrypting. Adi Shamir 1979. Session keys must be randomly chosen to make it hard to be predicted by an attacker. Ticket granting ticket is a Kerberos ticket for the ticket granting service. When a user first authenticates to Kerberos, he or she talks to the authentication service on the key-distributing center to get a ticket granting ticket, which is usually encrypted with the user’s password. When the user wants to use the service, He or She uses ticket-granting ticket to talk to the ticket granting service, which runs on the key distribution center. The ticket granting service verifies the true user’s identity using the ticket granting Ticket and issues a ticket for desired service. Ticket Granting Ticket assists the user in that he or she doesn’t have to enter in their passwords every time they want to connect to a kerberized service or keep a copy of their password. Adi Shamir 1979. Differences between Kerberos 4 and Kerberos 5 Kerberos 4 authentication system however had some limitations. These limitations had to be overcome if a good authentication system was to be developed. This fact necessitated the development of Kerberos 5. Kerberos 5 was developed with adjustments that were supposed to address Kerberos 4 weaknesses. The major difference is that in Kerberos 4, the instance separator is a period (.) while in kerberos 5 a forward slash (/) is used. In Kerberos 4 the entire principal name is not used. In kerberos 5, the key salt algorithm has been changed to use the entire host name. The network protocol has been revised to use ASN.1 process of encoding. G. R. Blakley, 1979. In Kerberos 5, it is now possible to forward, renew and postdate tickets. It is now possible for tickets to contain multiple IP addresses and for different types of networking protocols unlike in Kerberos 4. Kerberos 5 does not support replay caches and hence authenticators cannot replay. In Kerberos 5, a generic crypto interface module is used and so it can support other encryption algorithms beside DES. Donald Knuth 1997. References David Mills, 2006-04-26 Digital Systems Seminar presentation University of Delaware Mills, David L. Computer Network Time Synchronization: Taylor & Francis The Network Time Protocol, CRC Press. ISBN 0849358051 G. R. Blakley, "Safeguarding cryptographic keys", in proceedings of the National Computer Conference, 48, pp 313–317, 1979. Adi Shamir, "How to share a secret", Communications of the ACM, 22(1), pp612–613, 1979 [1]. Donald Knuth. The Art of Computer Programming, Volume 2: Seminumerical Algorithms, Third Edition. Addison-Wesley, 1997. ISBN 0-201-89684-2. S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989. Y. Rekhter, R. Moskowitz, D. Karrenberg, G. de Groot, E. Lear, ``Address Allocation for Private Internets.'' RFC 1918. S. P. Meyn, 2007. Control Techniques for Complex Networks, Cambridge University Press, 2007. Read More
Tags
Cite this document
  • APA
  • MLA
  • CHICAGO
(Network Security Example | Topics and Well Written Essays - 2206 words, n.d.)
Network Security Example | Topics and Well Written Essays - 2206 words. https://studentshare.org/logic-programming/2042962-network-security
(Network Security Example | Topics and Well Written Essays - 2206 Words)
Network Security Example | Topics and Well Written Essays - 2206 Words. https://studentshare.org/logic-programming/2042962-network-security.
“Network Security Example | Topics and Well Written Essays - 2206 Words”. https://studentshare.org/logic-programming/2042962-network-security.
  • Cited: 0 times

CHECK THESE SAMPLES OF Network Security: Kerberos

Practical UNIX Security LDAP

Moreover, it also solidifies network security by integrating role-based access and Kereberized authentication.... This essay " Practical UNIX Security LDAP" discusses the support for multiple platforms, access control list, auditing along strong kerberos security makes LDAP server the best choice, to deploy in a multi-platform network environment.... A comprehensive definition of LDAP is defined as 'Lightweight Directory Access Protocol, a protocol which helps find people, computers, and other resources on a network....
7 Pages (1750 words) Essay

Internet Security Issues

The paper "Internet security Issues" discussed ethical issues of information systems connected on the Internet, session key protocols attacks and defense, simple distributed security infrastructure, group memberships & certificates, pros and cons of implementing cryptographic protocols, etc....
11 Pages (2750 words) Term Paper

Information Security Management Frameworks

These include performance logs and network security.... Instructor Date Comparisons of two Information security Management Frameworks The purpose of this program plan is to outline an efficient framework that will guide the health care industry in enhancing their cyber security and obtaining an appropriate but cost effective insurance cover.... It defines essential elements of effective information security program without infringing the borders of law and other regulations governing it....
4 Pages (1000 words) Essay

Network and Internet Security

he above encryption techniques can be used in the following protocols and/ or products: kerberos V4, kerberos V5 and Secure Socket Layer (SSL).... kerberos is a network authentication protocol that is used in a bid to provide security for both the client and the server through the use of the secret-key cryptography.... kerberos also depends entirely on the KDC so as to ensure secure communication between the hosts.... This essay deals with the issue of network and Internet security....
6 Pages (1500 words) Essay

Network and Internet Security

The kerberos protocol is planned to present steadfast verification over open and unprotected networks where communications linking the hosts belonging to it may temper.... evertheless, one should be aware that kerberos does not grant any guarantees if the machines in use are susceptible: the validation servers, submission servers, and customers must be kept continuously updated so that the legitimacy of the requesting users and suppliers can be guaranteed.... kerberos protocol endeavors to avert the client's password from being maintained in its unencrypted mode, even in the verification server database....
5 Pages (1250 words) Essay

Encryption Keys Used to Ensure Secure Communication Sessions

kerberos v4 are useful in verifying users at work places who would wish to access services within a network.... Session keys use in kerberos would restrict access only to identified and authorized users and would accurately authenticate requests for uses.... These authentication procedures make the use of session keys become very relevant in kerberos.... According to De & Yung (2006, 127), session keys help enhance security of a system in cases where two parties have an encrypted connections to third party....
3 Pages (750 words) Essay

Cryptographic Protocols: Kerberos and IPSec

Table of ContentIPSec ProtocolIPSec Sub-protocols IPSec Modes IPSec security kerberos ProtocolRealmClient-based LogonClient Authentication Limitations of KerberosConclusionReferencesIPSec ProtocolIPSec protocol has been designed to provide integrity, verification or authentication, and confidentiality in a network.... Some sites will use firewalls to provide network security.... When an individual makes a security decision, he/she might wonder whether to use kerberos or IPSec for encryption and authentication....
6 Pages (1500 words) Assignment

Net Work Security: Kerberos and Key Management

"Net Work Security: kerberos and Key Management" paper focuses on kerberos which is among the first protocols that were widely used for authentication and also possessed the delegation property.... kerberos is usually embedded in windows 2000 as a default for its authentication.... If summed the kerberos stands for two entities that want to have services and a third which mediates.... How time stamp works before the time stamp starts performing, kerberos grants a TGT to a client after accessing and checking the user name and password, whether they are the same: they get it from information stored in the KDC database....
18 Pages (4500 words) Essay
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us