What network model involves a centralized server where hosts authenticate to share resources?
What is Kerberos?Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos support is built in to all major computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD and Linux. Show
Since Windows 2000, Microsoft has used the Kerberos protocol as the default authentication method in Windows, and it is an integral part of the Windows Active Directory (AD) service. Broadband service providers also use the protocol to authenticate cable modems and set-top boxes accessing their networks. Kerberos was developed for Project Athena at the Massachusetts Institute of Technology (MIT). The name was taken from Greek mythology; Kerberos (Cerberus) was a three-headed dog who guarded the gates of Hades. The three heads of the Kerberos protocol represent the following:
Users, systems and services using Kerberos need only trust the KDC. It runs as a single process and provides two services: an authentication service and a ticket granting service (TGS). KDC "tickets" provide mutual authentication, allowing nodes to prove their identity to one another in a secure manner. Kerberos authentication uses conventional shared secret cryptography to prevent packets traveling across the network from being read or changed. It also protects messages from eavesdropping and replay attacks. Work on Kerberos began in the late 1980s. Version 5 of the protocol -- the current version -- was first published in 1993. The MIT Kerberos Consortium was founded in September 2007 to further the development of the technology. In 2005, the Internet Engineering Task Force published the Kerberos protocol as a Proposed Standard in Request for Comments 4120. In 2013, the consortium was expanded and renamed the MIT Kerberos and Internet Trust Consortium. What does the Kerberos authentication protocol do?The original objective of Kerberos was to provide a way for users of the MIT network to securely authenticate themselves to the systems they needed to use. It also enabled those users to be authorized to access those systems. At that time, networked systems typically authenticated users with a user ID and password combination. Systems routinely transmitted passwords "in the clear," meaning unencrypted. Attackers with access to the network could easily eavesdrop on network transmissions, intercept user IDs and passwords, and then attempt to access systems for which they were not authorized. Kerberos developers set out to provide a network authentication protocol that could be used to authenticate trusted hosts communicating over untrusted networks. In particular, they intended to provide system administrators a mechanism for authenticating access to systems over an open network -- the internet. Kerberos was initially designed as the "Kerberos Authentication and Authorization System" in a paper with the same name written by S.P. Miller, B.C. Neuman, J.I. Schiller and J.H. Saltzer. The designers aimed to provide a foundation for ensuring that only authorized users can get access to specific networked resources. They intended Kerberos' authentication as a means for supporting authorization. While a user can be authenticated as having some access rights to some network resources, authorization tools enable more finely grained access to specific resources, like storage and databases. Kerberos was also designed to interface with secure accounting systems. This provided the third "A" of the authentication, authorization and accounting (AAA) triad. Kerberos objectives, concepts and termsGoals for the Kerberos system are spelled out in a tutorial written by Fulvio Ricciardi of the National Institute of Nuclear Physics in Lecce, Italy. They include the following:
Three different sets of entities use Kerberos:
Authentication with Kerberos is based on the use of authentication tickets. An authentication ticket indicates that the user is authenticated through the Kerberos authentication service. After it has been granted, the user can request other tickets to access specific application services. How does the Kerberos authentication protocol work?A simplified description of how Kerberos works follows; the actual process is more complicated and may vary from one implementation to another:
The service ticket sent by the TGS enables the client to access the service. The service ticket is timestamped, so a single ticket can be used for a specific period without having to be reauthenticated. Making the ticket valid for a limited time reduces the possibility that someone else will be able to use it later. The maximum lifetime can be set to 0, in which case service tickets will not expire. Microsoft recommends a maximum lifetime of 600 minutes for service tickets; this is the default value in Windows Server implementations of Kerberos. What is Kerberos used for?Kerberos is used to authenticate entities requesting access to network resources, especially in large networks to support SSO. The protocol is used by default in many widely used networking systems. Some systems in which Kerberos support is incorporated or available include the following:
Kerberos vs. other network authentication protocolsKerberos is not the only authentication protocol in general use, but it is probably the most widely used one. Kerberos has been proven to be a secure protocol, capable of coping with unexpected input or errors during execution and widely implemented. Kerberos vs. Microsoft New Technology LAN Manager (NTLM)Microsoft NTLM is an outdated authentication protocol that can still be used to provide SSO services in AD domains. It was first made available in Windows NT in 1993; Microsoft deprecated NTLM for authentication, replacing it with Kerberos starting in Windows 2000. Kerberos is currently the preferred authentication protocol for Windows. Unlike Kerberos, NTLM depends on a challenge-response protocol for authentication. Kerberos vs. Lightweight Directory Access Protocol (LDAP)LDAP offers a method for maintaining and accessing authoritative information about user accounts. It is widely used for authorizing user access to accounts on networked services. LDAP and Kerberos are often used together, with LDAP providing authorization services and Kerberos providing authentication services for large networks.
Kerberos vs. Remote Authentication Dial-In User Service (RADIUS)The RADIUS protocol was designed to provide an authentication service for dial-in users to remotely access internet service providers or corporate networks over direct connections, like dial-up phone lines. RADIUS can be used for authorization and accounting of network services. It can also be integrated with Kerberos to provide stronger authentication. Is Kerberos secure?The Kerberos protocol is considered secure. It has been widely implemented for decades, and it is considered a mature and safe mechanism for authenticating users. Kerberos uses strong cryptography, including secret-key encryption, to protect sensitive data. Security researchers have been investigating Kerberos since it was first published. Weaknesses have been found in specific Kerberos implementations, as well as in the protocol itself. Those weaknesses have been addressed, and Kerberos remains fundamental for authentication in the internet. Some of the historic weaknesses in Kerberos as used in Windows networks were summarized in a 2015 blog post by security researcher Elmar Nabigaev. They included the following:
To keep Kerberos secure, you should stay up to date with Kerberos security vulnerabilities and stay current with software updates that mitigate or remediate flaws, such as the "Kerberoasting" attack used in the SolarWinds supply chain attacks in 2020. This was last updated in September 2021 Continue Reading About Kerberos
Dig Deeper on Identity and access management
Which network model has centralized authority over resources?A server-based network is centralized in nature. Also, the storage in this kind of network is centralized. In other words, we can say that a server-based network is based on a centralized structure and provides a way to communicate via the web. The Internet is the most widely used client-server network.
Is client/server model centralized?An important advantage of the client-server model is that its centralized architecture helps make it easier to protect data with access controls that are enforced by security policies.
Which server with a clientA file server is used to host websites on a client/server network.
Which server can act as a centralized authentication server in your network quizlet?Client server: allows you to have a centralized database of users so that authentication is provided in one place. You need a topology that is scalable to use in your network.
|