Information Technology Reference
delay in securing the authentication). RADIUS, of course, has its limits,
which lie in the structure of its commands and in the limited address space
of its attributes; together these make it hard to introduce new services.
Because RADIUS runs over UDP, it has no timing or retransmission mechanisms
of its own. For these reasons, manufacturers have implemented several
versions of these procedures.
Kerberos, developed at the Massachusetts Institute of Technology, takes its
name from the three-headed dog that in Greek mythology guarded the gates of
the underworld. It deals with the authentication of users and with the
generation and maintenance of encryption keys. Kerberos is a distributed
authentication service that allows a process (the client) to authenticate on
behalf of a user to a verifier, without sending across the network any data
that would allow an attacker, or the verifier itself, to impersonate the user.
Kerberos uses a series of encrypted messages to prove to a verifier that a
particular user is working on a client.
Kerberos is composed of three elements:
Authentication server (AS): It stores the users' passwords and interacts with
the client workstation to authenticate the user. This interaction also
includes the creation and sending of a ticket-granting ticket, which the
client uses to obtain a service-granting ticket from the ticket-granting
server.
Ticket granting server (TGS): It provides the client with a service-granting
ticket for receiving services from an application server. This server was
introduced so that the user need not retype his password each time
authentication is requested.
Application server (AP): The application server delivers the requested
services to the client.
In summary, the Kerberos protocol works as follows. First, a client contacts
the AS to retrieve a ticket valid for the TGS; this ticket is called the
ticket-granting ticket (TGT). When the client invokes a service for the first
time, it presents the TGT to the TGS to obtain a session ticket that grants
access to that service; then, for the duration of the session, the client
invokes the service directly using the same ticket.
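The three-step flow just summarized, as an added example that is not part of the original text: a Python model in which an authentication server issues a TGT, a ticket-granting server turns it into a service ticket, and an application server accepts that ticket repeatedly for the rest of the session. The principal names, passwords, ticket lifetime and the cipher (a SHA-256 keystream with an HMAC tag, standing in for Kerberos' real encryption types) are all constructed for illustration; each ticket can only be opened by the party holding the key it was sealed under, so a wrong password or a server with a different key fails at the MAC check.

```python
"""Toy model of the Kerberos ticket flow: AS -> TGS -> application server.
Constructed example: the cipher, names, secrets and lifetimes are made up."""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 300    # ticket lifetime in seconds (assumed value)
CLOCK_SKEW = 300  # tolerated authenticator age in seconds (assumed value)


def kdf(secret: str) -> bytes:
    """Derive a 32-byte key from a password or shared secret (toy: plain SHA-256)."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. A wrong key or a tampered ticket fails here."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: wrong key or tampered message")
    plain = bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""

    def __init__(self, principals: dict, tgs_secret: str):
        self.keys = {name: kdf(secret) for name, secret in principals.items()}
        self.tgs_key = kdf(tgs_secret)

    def as_exchange(self, user: str, now: float):
        """AS step: a TGT sealed under the TGS key, plus the TGT session key sealed
        under the user's own key. No password travels on the wire."""
        if user not in self.keys:
            raise KeyError("unknown principal")
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk, "exp": now + LIFETIME})
        return tgt, seal(self.keys[user], {"sk": sk, "exp": now + LIFETIME})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS step: check the TGT and authenticator, then issue a service ticket
        sealed under the service's key together with a fresh service session key."""
        t = unseal(self.tgs_key, tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["user"] != t["user"] or abs(now - a["ts"]) > CLOCK_SKEW:
            raise PermissionError("authenticator does not match TGT")
        if service not in self.keys:
            raise KeyError("unknown service")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": ssk, "exp": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service})


class AppServer:
    """Application server (AP): accepts only tickets sealed with its own key."""

    def __init__(self, secret: str):
        self.key = kdf(secret)

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)
        if now > t["exp"]:
            raise PermissionError("service ticket expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["user"] != t["user"] or abs(now - a["ts"]) > CLOCK_SKEW:
            raise PermissionError("authenticator does not match ticket")
        return t["user"]


def client_login(kdc: KDC, user: str, password: str, service: str, now: float):
    """Client side of the AS and TGS exchanges; returns the reusable service ticket
    and its session key, which the client keeps for the rest of the session."""
    tgt, enc = kdc.as_exchange(user, now)
    sk = bytes.fromhex(unseal(kdf(password), enc)["sk"])  # wrong password -> ValueError
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), service, now)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    return ticket, ssk


def call_service(app: AppServer, user: str, ticket: bytes, ssk: bytes, now: float) -> str:
    """Each later request reuses the same ticket with a fresh authenticator."""
    return app.accept(ticket, seal(ssk, {"user": user, "ts": now}), now)


if __name__ == "__main__":
    kdc = KDC({"alice": "alice-pw", "fileserver": "svc-secret"}, "tgs-secret")
    app = AppServer("svc-secret")
    t0 = time.time()
    ticket, ssk = client_login(kdc, "alice", "alice-pw", "fileserver", t0)
    print(call_service(app, "alice", ticket, ssk, t0 + 10))
```

The `now` parameter is passed explicitly rather than read from the clock so that the expiry and clock-skew checks, which real Kerberos deployments depend on, can be exercised deterministically; the TGT lets the user obtain further service tickets without the password being re-entered, which is exactly the role the text assigns to the TGS.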
Although the protocol can be considered secure enough, it also has its
weaknesses, and there are some peculiarities that we must not underestimate:
Clients and servers must keep their secret keys safe. If an attacker obtains
a secret key, the system can become vulnerable to spoofing