Putting the Pieces Together


2.5 Putting the Pieces Together

Now that we've covered the basic topics that you'll need to understand Kerberos, let's begin to put all of these pieces together by examining the credential cache above. Inside the credential cache, I have obtained an initial Ticket Granting Ticket through the Authentication Server; this is the first ticket out of three. By logging into this system, the system created this credential cache and obtained a TGT for me. During my login session, I also logged into a host called cfs.wedgie.org, which has a Kerberized telnet daemon running on it. Because I was using Kerberos authentication, I was able to log into cfs without typing a password; instead, my telnet client obtained a service ticket from the Ticket Granting Server, and used that ticket to contact the Kerberized telnet on cfs. Later, I did the same, except this time I logged into web.wedgie.org. During this time, after logging in to three machines including my initial authentication to Kerberos, I have only typed in my password once. The Kerberos software requested, generated, and sent tickets on my behalf as necessary to transparently authenticate me to the other machines as I accessed them. As a user, all of this happens behind the scenes. Now we'll peel back the curtain and uncover the magic that occurs behind the scenes.
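As an added example (not from the book), here is a toy Python model of the three exchanges the credential cache above reflects: the Authentication Server issues a TGT once, against the password-derived key; the Ticket Granting Server issues a service ticket for each host on presentation of the cached TGT; and each Kerberized service decrypts its own ticket with its own key. The seal/unseal routines, the KDC table, and the principal names and secrets are constructed stand-ins, not the Kerberos wire format or real key material.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):
    # Keystream from SHA-256(key || nonce || counter); enough blocks to cover the message
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    # Toy stand-in for Kerberos encryption: keystream XOR plus an HMAC tag (constructed, not the real format)
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = _xor(key, nonce, pt)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator not decryptable with this key")
    return json.loads(_xor(key, nonce, ct))

def key_of(secret):
    # Long-term key derived from a password (user) or a keytab secret (service); toy derivation
    return hashlib.sha256(secret.encode()).digest()

# Constructed KDC database: long-term keys of the user, the TGS itself, and the two hosts from the text
KDC = {"alice": key_of("alice-pw"), "krbtgt": key_of("tgs-secret"),
       "host/cfs.wedgie.org": key_of("cfs-secret"), "host/web.wedgie.org": key_of("web-secret")}

def as_exchange(user):
    # AS reply: session key sealed under the user's key, and the TGT sealed under the TGS key
    sk = os.urandom(32).hex()
    return seal(KDC[user], {"sk": sk, "for": "krbtgt"}), seal(KDC["krbtgt"], {"user": user, "sk": sk})

def tgs_exchange(tgt, authenticator, service):
    # TGS opens the TGT with its own key, then checks the authenticator under the TGT session key
    t = unseal(KDC["krbtgt"], tgt)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match the TGT")
    sk = os.urandom(32).hex()
    return seal(bytes.fromhex(t["sk"]), {"sk": sk, "for": service}), seal(KDC[service], {"user": t["user"], "sk": sk})

def service_accepts(service, ticket, authenticator):
    # AP exchange: the service opens the ticket with its own key and verifies the authenticator
    t = unseal(KDC[service], ticket)
    return unseal(bytes.fromhex(t["sk"]), authenticator)["user"] == t["user"]

def login_session(user, password, services):
    # The password is used exactly once (AS exchange); every later ticket comes from the cached TGT
    enc, tgt = as_exchange(user)
    cache = {"krbtgt": (unseal(key_of(password), enc)["sk"], tgt)}  # wrong password fails here
    for svc in services:
        sk, tgt = cache["krbtgt"]
        enc, tkt = tgs_exchange(tgt, seal(bytes.fromhex(sk), {"user": user}), svc)
        cache[svc] = (unseal(bytes.fromhex(sk), enc)["sk"], tkt)
    return cache
```

The returned cache mirrors the one in the text: one TGT entry plus one service ticket per host, each paired with the session key the client will use to build its authenticator.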

Chapter 3. Protocols

The previous two chapters introduced the major concepts that underlie the Kerberos authentication system, and presented a short, high-level discussion of how Kerberos performs its magic. This chapter continues that discussion by drilling down into the nitty-gritty of the Kerberos protocol and presenting it on a fundamental level. Creating a protocol that verifies the identity of two endpoints on a network, given an underlying network that provides no security, is a daunting task. Kerberos was designed under the assumption that attackers can read, copy, and create network traffic at will. As you now know, there are two versions of Kerberos that are currently in wide usage: Kerberos 4 and Kerberos 5. This chapter covers the protocol details of both. While the concepts and protocol design of Kerberos 4 and 5 are very similar, there are major differences between their byte-level protocol and implementation. The original Kerberos 4 protocol was never published apart from the Kerberos 4 source distribution. As such, the Kerberos 4 source code from MIT is the only official documentation of the Kerberos 4 protocol. On the other hand, the newer Kerberos 5 protocol is extensively documented in RFC 1510, and also through a series of documents that are collectively known as the Kerberos Clarifications. The basic operation of Kerberos is based on a paper published in 1978 by Needham and Schroeder. Since the Needham and Schroeder protocol is the basis upon which Kerberos is built, we will begin our discussion there.