Abstract :
Kerberos is a security system that helps prevent people from stealing information that gets sent across the wires from one computer to another. Usually, these people are after your password.
The name "Kerberos" comes from the mythological three-headed dog whose duty it was to guard the entrance to the underworld. The Kerberos security system, on the other hand, guards electronic transmissions that get sent across the Internet. It does this by scrambling the information -- encrypting it -- so that only the computer that's supposed to receive the information can unscramble it. In addition, it makes sure that your password itself never gets sent across the wire: only a scrambled "key" to your password.
Kerberos is necessary because there are people who know how to tap the lines between computers and listen for your password. They do this with programs called "sniffers", and the only way to stop them would be to physically guard every inch of the Internet ... computers, cables and all. This, of course, is impossible. As long as there are physically insecure networks in the world, we'll need something like Kerberos to maintain the integrity and security of our electronic communications.
The problem that Kerberos addresses is this: Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like servers to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services. In particular, the following three threats exist:
1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access. Rather than building in elaborate authentication protocols at each server, Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Unlike most other authentication schemes, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption.
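
A simplified model of the centralized, symmetric-key scheme described above, added here as an illustration and not taken from the original report or from any Kerberos implementation: each party shares a key only with the authentication server, the password-derived key never crosses the wire, and a timestamped authenticator lets the service reject replayed requests. All names (derive_key, seal, issue, Service, MAX_SKEW) are assumptions, and the HMAC-based seal stands in for a real symmetric cipher; this is not the Kerberos wire format.

```python
# Added illustration: simplified model, not the Kerberos wire format.
import hashlib, hmac, os
MAX_SKEW = 300  # seconds an authenticator stays fresh (assumed value)

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def derive_key(password: str, salt: str) -> bytes:
    # Long-term key computed locally from the password; the password is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key: bytes, secret: bytes, owner: bytes) -> bytes:
    # Toy seal for a 32-byte secret: HMAC-derived pad plus a tag that binds `owner`.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, mac(key, b"pad", nonce)))
    return nonce + ct + mac(key, b"tag", nonce, ct, owner)

def unseal(key: bytes, blob: bytes, owner: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, mac(key, b"tag", nonce, ct, owner)):
        raise ValueError("wrong key, wrong owner, or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, mac(key, b"pad", nonce)))

def issue(user_key: bytes, service_key: bytes, user: str):
    # Authentication server: fresh session key, one sealed copy per party.
    session = os.urandom(32)
    return seal(user_key, session, user.encode()), seal(service_key, session, user.encode())

def authenticator(session: bytes, user: str, now: float):
    ts = f"{now:.6f}".encode()
    return user, ts, mac(session, b"auth", user.encode(), ts)

class Service:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()
    def accept(self, ticket: bytes, auth, now: float) -> str:
        user, ts, tag = auth
        try:
            session = unseal(self.key, ticket, user.encode())
        except ValueError:
            return "reject: ticket"
        if not hmac.compare_digest(tag, mac(session, b"auth", user.encode(), ts)):
            return "reject: authenticator"
        if abs(now - float(ts)) > MAX_SKEW:
            return "reject: stale"
        if auth in self.seen:
            return "reject: replay"
        self.seen.add(auth)
        return "accept: " + user
```

The service never sees the user's password or long-term key; it trusts the request only because the ticket opens under its own key and the authenticator verifies under the session key inside it.
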
Benefits of using Kerberos
Nothing is easier today than to catch credentials over a network. If we try to run a sniffer in our environment we will see that we certainly get a login/password combination within a few minutes. This could lead to unauthorized use of our network services and would certainly compromise all data present in our environment, even protected confidential data, as most users use only one password for every application. Authentication is critical to security. Too many applications use a weak authentication mechanism, like clear text passwords or, even worse, rely on the “honesty” of client applications, known as authentication by assertion. However, it is not the primary role of an application to manage security. Consider a mail server: its role is to deliver email messages over the network to the appropriate recipients, but not to verify the user’s identity! This is where Kerberos comes in. It has the advantage of managing secure authentication from a central location, and for many applications. For each application that requires this service, Kerberos is a reliable, simple and easy-to-manage solution. Furthermore, it relieves application servers of this time-consuming authentication task and allows them to concentrate on their primary function.
Motivation
If a set of users is provided with dedicated personal computers that have no network connections, then a user’s resources and files can be protected by physically securing each personal computer. When these users are served by a central time-sharing system, the time-sharing operating system must provide the security. The operating system can enforce access control policies based on user identity and use the logon procedure to identify users. Today, neither of these scenarios is typical. More common is a distributed architecture consisting of dedicated user workstations (clients) and distributed or centralized servers. In this environment, three approaches to security can be envisioned:
1. Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).
2. Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of the user.
3. Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.
In a small, closed environment, in which all systems are owned and operated by a single organization, the first or perhaps the second strategy may suffice. But in a more open environment, in which network connections to other machines are supported, the third approach is needed to protect user information and resources housed by the server. The third approach is supported by Kerberos. Kerberos assumes a distributed client/server architecture and employs one or more Kerberos servers to provide an authentication service.
The first published report on Kerberos [STEI88] listed the following requirements for Kerberos:
Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the weak link.
Reliable: For all the services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.
Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.