Ticket-Granting Server
Grants the user permission to access services in the network environment.
[Diagram used on the following slides: User A and User A's desktop computer; the Key Distribution Center, containing the Authentication Service and the Ticket Granting Service; and the XYZ Service.]
XYZ Service: the term "Kerberos Service" is also used. It represents a resource that requires Kerberos authentication (web server, ftp server, ssh server, etc.).
User A to the Authentication Service: "I am asking for permission to obtain a ticket from the Ticket Granting Server."
Authentication Service to User A: "OK. I have locked this package with your password. If you unlock it, you can use its contents to access the Ticket Granting Service."
After User A opens the package (decrypts the message) received from the Authentication Service, he obtains the Ticket-Granting Ticket (TGT).
User A presents the TGT to the Ticket Granting Service. Ticket Granting Service to User A: "You are User A. I am sending you a ticket." The service ticket reads: "XYZ: User A is User A. CONFIRMED BY: TGS".
User A to the XYZ Service: "I am User A. Here is a copy of the service ticket for XYZ."
XYZ Service: "This is User A. It must now be determined whether he is authorized to use the resources."
The authorization check is performed by the XYZ service...
User A accesses again... The check whether User A is authorized to access the resources is performed again.
Overview of Kerberos
Kerberos Terms & Abbreviations
• A Kerberos realm consists of
– a Kerberos server
• Authentication Server (AS)
• Ticket Granting Server (TGS)
– users and servers that are registered with the Kerberos server
• Uses tickets
– Ticket Granting Ticket, TGT (issued by the AS; the user presents it to the TGS to request a service ticket)
– Service Ticket (issued by the TGS; the user presents it to the server to use its service)
How Does it Work?
• Initial Authentication
– 1. Authenticate
– 2. Receive TGT
• Using TGT
– 3. Request Service Ticket
– 4. Receive Service Ticket
– 5. Get Service
How Does it Work?
[Diagram: message flow in Kerberos 4]
[Diagram: message flow in Kerberos 5]
Note
• Authentication is by password
• The user's password is never transmitted
• The user knows their own password, and the Kerberos server has a copy stored in its database in encrypted form
• The password is used to encrypt the Ticket Granting Ticket, protecting it from eavesdroppers.
Kerberos Version 5
• Better user-server authentication
– Separate subkey for each user-server session instead
of reusing the session key contained in the ticket
– Authentication via subkeys, not timestamp increments
• Authentication forwarding (delegation)
– Servers can access other servers on the user's behalf, e.g., the user can tell a printer to fetch email
• Realm hierarchies for inter-realm authentication
• Explicit integrity checking + standard CBC mode
• Multiple encryption schemes, not just DES
Why the Change?
• Kerberos 4 was designed to minimize the amount of time the user's password is stored on the workstation. The Kerberos server does not check whether the user is who he says he is.
• An attacker can intercept the encrypted TGT and mount a dictionary attack to guess the password.
• Kerberos 5 is more secure: the Kerberos server makes sure that the user's password is valid before sending the TGT back to the user.
What is a Ticket Granting Ticket?
• A block of data that contains:
– Session key: Kses
– Ticket for the TGS, which is encrypted with both the session key and the Ticket Granting Server's key: Ktgs{Kses{Ttgs}}
• The user's workstation can now contact the Kerberos TGS to obtain tickets for any service within the Kerberos realm.
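As an added worked example (not from the original slides), the following Python models steps 1 and 2 above with Kerberos 5 style pre-authentication: the AS verifies the user's key before any TGT leaves the KDC, the reply is locked with the user's key, and the TGT inside it is readable only by the TGS. The toy cipher, the key-derivation scheme, the principal "userA" and its password are all constructed for the example; the TGS-side ticket is modelled as a single encryption under Ktgs that carries Kses.

```python
import hashlib, hmac, json, os, time

def derive_key(password, principal):
    # string-to-key: the principal name is the salt (constructed scheme, not RFC 3961)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):
    # SHA-256 counter keystream long enough to cover n bytes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption (XOR keystream + HMAC tag) standing in for a Kerberos enctype."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class AuthenticationService:
    """AS half of the KDC: holds the users' long-term keys and the TGS key Ktgs."""
    def __init__(self, user_keys, k_tgs):
        self.user_keys, self.k_tgs = user_keys, k_tgs

    def as_exchange(self, user, preauth):
        k_user = self.user_keys[user]
        # Kerberos 5 pre-authentication: the timestamp must decrypt under the user's
        # key before any TGT leaves the KDC; Kerberos 4 returned the reply unverified.
        ts = unseal(k_user, preauth)["timestamp"]          # raises on a wrong password
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too large")
        k_ses = os.urandom(32).hex()
        # Ttgs: readable only by the TGS, carries the session key Kses for it
        tgt = seal(self.k_tgs, {"client": user, "k_ses": k_ses, "expires": time.time() + 36000})
        # Reply locked with the user's key: Kuser{Kses, Ktgs{Ttgs}}
        return seal(k_user, {"k_ses": k_ses, "tgt": tgt.hex()})

def client_login(as_service, user, password):
    """Steps 1-2 on the workstation; the password itself is never sent."""
    k_user = derive_key(password, user)
    reply = as_service.as_exchange(user, seal(k_user, {"timestamp": time.time()}))
    creds = unseal(k_user, reply)
    return creds["k_ses"], bytes.fromhex(creds["tgt"])  # TGT stays opaque to the client

# Constructed realm: one registered user and the TGS key, both known only to the KDC
K_TGS = hashlib.sha256(b"constructed tgs key").digest()
KDC = AuthenticationService({"userA": derive_key("correct horse", "userA")}, K_TGS)
```

A wrong password fails at the pre-authentication step and the AS returns nothing, which is exactly the property Kerberos 4 lacked.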
Using the Ticket Granting Ticket