KERBEROS AUTHENTICATION PROCESS
BY Ajinkya Patil
Dec 08, 2014
Authentication Process
1. Request TGT
2. TGT
3. Request Service Ticket
4. Service Ticket Sent
5. Service Ticket Presented
6. Telnet Communication Channel
[Diagram: KEY DISTRIBUTION CENTER (AS, TGS), SERVICE SERVER, CLIENT MACHINE]
Step I (Request TGT): Client Machine → AS
• Client enters the credentials: User ID and Password.
• Client Machine performs a hash function on the PASSWORD.
• Client sends the User ID to the AS (Authentication Server) in clear text. [Diagram: clear-text USER ID]
Step II (TGT sent)
• AS creates the hash of the PASSWORD (SECRET KEY).
• AS sends 2 messages to the client machine:
• Message A: Client/TGS Session Key, encrypted by the SECRET KEY.
• Message B: Ticket Granting Ticket (TGT), containing Client ID, Client network address, Validity period, Client/TGS Session Key.
Step II continued
• Messages A & B are sent to the Client.
• Client Machine is able to decrypt Message A only if the SECRET KEY (password) is correct.
• Client machine now has the Client/TGS session key.
• Client cannot decrypt Message B.
• TGT (Message B) is encrypted using the TGS secret key.
Step III (Service Ticket Request)
• Message C: Message B & service ID.
• Message D: Authenticator (Client ID, Timestamp), encrypted using the Client/TGS session key.
• Message D consists of the Authenticator encrypted using the Client/TGS Session Key.
*Decryption at TGS
• TGS decrypts Message B from Message C using the TGS SECRET KEY, recovering the Client/TGS session key.
• TGS decrypts Message D (Authenticator) using the Client/TGS session key.
Step IV (Service Ticket sent)
• TGS sends the Service Ticket, which consists of 2 messages:
• Message E: Client-to-Server Ticket, containing Client ID, Client network address, Validity period, Client/Server Session Key.
• Message F: Client/Server session key.
Step IV continued
• Message E consists of the Client-to-Server Ticket encrypted using the Service Secret Key.
• Message F consists of the Client/Server session key encrypted using the Client/TGS session key.
• Messages E & F are sent by the TGS to the Client Machine.
Step V (Service Request)
• Message E: (above).
• Message G: New Authenticator (Client ID, Timestamp), encrypted using the Client/Server session key.
• Message G consists of the New Authenticator encrypted using the Client/Server Session Key.
Step VI (Confirmation)
• SS decrypts Message E using its SECRET KEY, recovering the Client/Server session key.
• Message G (Authenticator) is decrypted using the Client/Server session key.
Step VI continued
• SS sends Message H (Timestamp + 1), encrypted using the Client/Server session key, to the client as confirmation.
• Client decrypts Message H using the Client/Server session key and receives the confirmation.
• Client requests the service and the server provides it.
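The six steps above, run end to end as an added example (not part of the original slides): the AS, TGS and service server each hold only their own key, Messages A–H are built exactly as the slides describe, and a wrong password fails at Message A. The enc/dec helper, user "alice", the keys and addresses are constructed for the simulation.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (HMAC-SHA256 keystream + MAC), constructed so the
# simulation runs on the standard library; real Kerberos uses RFC 3961 enctypes.
def enc(key, obj):
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    ct = bytes(x ^ y for x, y in zip(data, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")   # a wrong password lands here
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(x ^ y for x, y in zip(ct, ks)))

K_TGS, K_SVC = os.urandom(32), os.urandom(32)           # long-term keys held by the KDC
USERS = {"alice": hashlib.sha256(b"hunter2").digest()}  # AS copy of hash(password); toy, real Kerberos uses string2key

def as_exchange(user_id):                               # Step II: Message A and Message B (TGT)
    k_c_tgs = os.urandom(32)                            # Client/TGS session key
    a = enc(USERS[user_id], {"k_c_tgs": k_c_tgs.hex()})
    b = enc(K_TGS, {"cid": user_id, "addr": "10.0.0.5", "valid": 600, "k": k_c_tgs.hex()})
    return a, b

def tgs_exchange(c, d):                                 # Steps III/IV: C, D in; E, F out
    tgt = dec(K_TGS, c["tgt"])                          # Message B recovered from Message C
    k_c_tgs = bytes.fromhex(tgt["k"])
    auth = dec(k_c_tgs, d)                              # Message D: Authenticator
    if auth["cid"] != tgt["cid"] or abs(time.time() - auth["ts"]) > 300:
        raise ValueError("authenticator does not match ticket or is stale")
    k_c_s = os.urandom(32)                              # Client/Server session key
    e = enc(K_SVC, {"cid": tgt["cid"], "addr": tgt["addr"], "valid": 600, "k": k_c_s.hex()})
    f = enc(k_c_tgs, {"k_c_s": k_c_s.hex()})
    return e, f

def ss_exchange(e, g):                                  # Steps V/VI: E, G in; H out
    ticket = dec(K_SVC, e)
    k_c_s = bytes.fromhex(ticket["k"])
    auth = dec(k_c_s, g)                                # Message G: New Authenticator
    if auth["cid"] != ticket["cid"]:
        raise ValueError("authenticator does not match ticket")
    return enc(k_c_s, {"ts": auth["ts"] + 1})           # Message H: Timestamp + 1

def client_login(user_id, password, service_id="telnet/host1"):
    k_client = hashlib.sha256(password.encode()).digest()      # Step I: hash(password)
    a, b = as_exchange(user_id)
    k_c_tgs = bytes.fromhex(dec(k_client, a)["k_c_tgs"])       # only works with the right password
    ts = int(time.time())
    e, f = tgs_exchange({"tgt": b, "sid": service_id}, enc(k_c_tgs, {"cid": user_id, "ts": ts}))
    k_c_s = bytes.fromhex(dec(k_c_tgs, f)["k_c_s"])
    h = ss_exchange(e, enc(k_c_s, {"cid": user_id, "ts": ts}))
    return dec(k_c_s, h)["ts"] == ts + 1                       # server proved it holds the session key
```

Note that the client never sends its password: the KDC only ever sees the clear-text User ID, and both the TGS and the service server authenticate the client purely by decrypting the ticket and authenticator pair.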
THANK YOU