[personal profile] sobrique
You may not have heard of Kerberos. But there's a pretty good chance that you've used it, if you've used Windows in a place of work in the last ... 10 years or so.

It's a method of single sign-on, designed at MIT about 20 years ago. It's really quite clever - so much so that no one's managed to beat it in that time. It was intended to be a way of authenticating users on an untrusted network, for Unix.
Ironically, it was Microsoft that turned it 'mainstream'. Active Directory is - basically - a combination of Kerberos and LDAP (which are the two key elements of a Kerberos authentication domain).

The reason it's quite clever? Well, prior to its invention, Unix (and Windows) basically had an account per server. This had been extended a little into 'shared' accounts with things like NIS and YP (which is basically a shared account list that each server can authenticate against if it wishes).

But you still had to type a password in on each server you logged in to. You could set up some sort of 'override' (rsh 'authorized hosts', and later ssh public/private key pairs) but that didn't handle network-level authentication.

What Kerberos does is allow you to 'declare' your identity to an authorisation server (Kerberos Domain Controller - which in Windows is an Active Directory domain controller). It uses encryption to handle the authentication mechanism - which is another clever innovation, because you then don't have to send your password in the clear.

You encrypt - locally - a message. You send it to the DC, which then - because it 'knows' your password - can decrypt the message, and send you one back, encrypted the same way. To prevent shenanigans, it requires you to encrypt the current time, to make replay attacks harder. (Which is why AD/Kerberos breaks when your clocks are more than 5 minutes out of sync.)

It issues a 'ticket granting ticket' (TGT). This is a 'backstage pass', and - provided it's still valid - can be used to request access to other services in the network. You request access to another service by 'asking' for a ticket for it - the KDC then (because it knows the 'machine account' password for the server) sends _you_ a ticket, containing an (encrypted) authorisation. The server you're trying to access can decrypt it (using its machine account credentials).

And because everything is handed around encrypted (Kerberos doesn't explicitly specify encryption mechanisms) you get a way of proving you are who you say you are, and that the remote server is also the one you expected to be talking to - each message can only be decrypted by its intended recipient.
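To make the two round trips above concrete, here is an added toy simulation (my own example, not code from the post): the encrypted-timestamp step with the 5 minute skew check, a TGT sealed under the KDC's own key, and a service ticket that only the service's machine-account key can open. The cipher is a stand-in built from HMAC-SHA256 rather than a real Kerberos encryption type, and the principals, keys and password are constructed for the demo.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # seconds: the ~5 minute clock window the post mentions

def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode as a keystream (toy, not a real etype)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(0, n, 32))[:n]

def seal(key, obj):  # toy encrypt-then-MAC: only holders of `key` can read or forge the blob
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, keys):  # keys: principal -> long-term key (user password or machine account)
        self.keys, self.krbtgt = keys, os.urandom(32)  # the krbtgt key seals TGTs; never leaves the KDC
    def as_exchange(self, user, preauth, now):  # step 1: encrypted timestamp in, TGT out
        ts = unseal(self.keys[user], preauth)["ts"]  # fails if the client used the wrong password
        if abs(now - ts) > SKEW: raise ValueError("clock skew too large")  # replay / clock check
        sk = os.urandom(32).hex()  # session key shared between user and KDC
        tgt = seal(self.krbtgt, {"user": user, "sk": sk, "exp": now + 10 * 3600})
        return tgt, seal(self.keys[user], {"sk": sk})  # the user reads sk with their own key
    def tgs_exchange(self, tgt, service, now):  # step 2: TGT in, ticket for `service` out
        t = unseal(self.krbtgt, tgt)  # the KDC can open the TGT; the user never could
        if now > t["exp"]: raise ValueError("TGT expired")
        ssk = os.urandom(32).hex()  # session key shared between user and service
        ticket = seal(self.keys[service], {"user": t["user"], "sk": ssk})  # opened by the service only
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def login_and_access(kdc, user, password, service, now=None, skew=0):  # client side
    now = now or int(time.time())
    ukey = hashlib.sha256(password.encode()).digest()  # toy string-to-key; the password is never sent
    tgt, rep = kdc.as_exchange(user, seal(ukey, {"ts": now + skew}), now)
    sk = bytes.fromhex(unseal(ukey, rep)["sk"])
    ticket, rep2 = kdc.tgs_exchange(tgt, service, now)
    return ticket, bytes.fromhex(unseal(sk, rep2)["sk"])

def service_accept(service_key, ticket, ssk):  # server side: open the ticket with its machine key
    t = unseal(service_key, ticket)
    if bytes.fromhex(t["sk"]) != ssk: raise ValueError("session key mismatch")
    return t["user"]

DEMO = KDC({"alice": hashlib.sha256(b"hunter2").digest(), "fileserver$": os.urandom(32)})  # constructed

def attempt(kdc, user, password, service, **kw):  # run the whole flow and report the outcome
    try:
        ticket, ssk = login_and_access(kdc, user, password, service, **kw)
        return "ok:" + service_accept(kdc.keys[service], ticket, ssk)
    except ValueError as e:
        return "fail:" + str(e)
```

`attempt(DEMO, "alice", "hunter2", "fileserver$")` succeeds, while a wrong password fails at the KDC's very first decryption and a client clock 10 minutes off is rejected before any ticket is issued.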

It's actually pretty cool - single sign-on is something that remains a challenge to implement (securely/safely), and Kerberos is about the only game in town.