1 00:00:01,990 --> 00:00:06,660 Let's talk about Kerberos. Now, what's with the name?
2 00:00:06,660 --> 00:00:08,760 Kerberos is Greek for Cerberus,
3 00:00:08,910 --> 00:00:13,280 the three-headed dog which guards the gates of Hades.
4 00:00:13,530 --> 00:00:21,260 Why three-headed? Kerberos is a standard specified in RFC 1510 and RFC 1964.
5 00:00:21,690 --> 00:00:30,780 Unlike LAN Manager and NTLM, it's based on three types of principals. A principal is an identity
6 00:00:30,780 --> 00:00:38,940 that can be authenticated to a Kerberos domain. Principals include users (a user principal has a user
7 00:00:38,950 --> 00:00:47,400 principal name) or services (a service has a service principal name), and then a principal can also be a key
8 00:00:47,410 --> 00:00:52,970 distribution center or any entity that manages keys.
9 00:00:53,040 --> 00:00:57,120 What sets Kerberos apart from other protocols?
10 00:00:57,150 --> 00:01:00,210 The protocol is based on tickets.
11 00:01:00,350 --> 00:01:01,900 We'll talk about this soon.
12 00:01:03,930 --> 00:01:10,270 An indirect impact of tickets is the ability to delegate credentials.
13 00:01:10,310 --> 00:01:18,630 This is an interesting functionality that wasn't available in LAN Manager or NTLM. The delegating
14 00:01:18,630 --> 00:01:21,060 feature is often used in web applications.
15 00:01:23,560 --> 00:01:30,760 Kerberos can be used to establish a trust relationship between networks, between two domains. A domain
16 00:01:30,760 --> 00:01:38,720 does not have to be a Windows domain, but it has to be a Kerberos version 5 domain.
17 00:01:38,730 --> 00:01:45,000 You can also prove your identity to a service, for example to print documents on a network printer, in
18 00:01:45,000 --> 00:01:48,660 a way that doesn't require forwarding your encrypted password to the service.
19 00:01:53,190 --> 00:01:59,970 Each principal needs to have their own secret in Active Directory domains (Kerberos domains) for authentication
20 00:01:59,970 --> 00:02:02,530 to work.
21 00:02:02,560 --> 00:02:06,050 The secret is known as a long-term key.
22 00:02:06,070 --> 00:02:14,100 The standard defines a long-term key as a key extracted from a user's password: you submit your password
23 00:02:14,420 --> 00:02:21,640 and the long-term key is generated from it. In Windows it can also be a private key issued by a certification
24 00:02:21,650 --> 00:02:22,390 center.
25 00:02:23,940 --> 00:02:27,320 This is an expansion of the standard.
26 00:02:27,410 --> 00:02:29,960 How does Kerberos user authentication work?
27 00:02:34,000 --> 00:02:38,580 The first step is to establish your identity.
28 00:02:38,710 --> 00:02:41,200 Your long-term key is used for this purpose.
29 00:02:43,220 --> 00:02:48,710 One of the strengths of Kerberos is that it doesn't overuse a user's password.
30 00:02:48,960 --> 00:02:52,110 It's forwarded to other nodes only when necessary.
31 00:02:53,900 --> 00:02:59,270 LAN Manager and NTLM sure send out passwords to all systems that request them,
32 00:02:59,270 --> 00:03:06,020 also without a user's knowledge. Kerberos doesn't do that.
33 00:03:06,080 --> 00:03:11,090 Your long-term key is sent only once, to obtain a ticket-granting ticket (TGT).
34 00:03:13,690 --> 00:03:18,360 Kerberos forwards your password only to its trusted center.
35 00:03:18,420 --> 00:03:24,720 Naturally the password is not in clear text. What is sent is a timestamp encrypted using the user's
36 00:03:24,720 --> 00:03:25,680 long-term key.
37 00:03:28,850 --> 00:03:36,490 The timestamp string is composed of date, hour, minute, second and a Zulu tag.
38 00:03:36,550 --> 00:03:43,910 Windows Kerberos domains always use Greenwich Mean Time. We'll also describe later a potential credential
39 00:03:43,910 --> 00:03:45,060 harvesting attack.
40 00:03:48,070 --> 00:03:55,190 An alternative method for authentication is using a smart card: insert a card into a card reader in a
41 00:03:55,190 --> 00:03:57,320 local computer and enter your PIN code.
42 00:04:00,200 --> 00:04:05,150 The Kerberos protocol, which operates on a different computer, will authenticate the user against the
43 00:04:05,150 --> 00:04:09,280 data stored on the card.
44 00:04:09,280 --> 00:04:14,940 This is a strikingly different arrangement from web applications deployed in banking, where an identifier
45 00:04:14,940 --> 00:04:23,170 is generated using, for example, a key generator, a small gadget that creates random strings of digits.
46 00:04:23,280 --> 00:04:28,560 You can use this mechanism also for authenticating to Windows, but this generator is not linked in any
47 00:04:28,560 --> 00:04:30,260 way to a domain controller.
48 00:04:32,050 --> 00:04:38,690 A password generator authenticates users locally, and another protocol is used later.
49 00:04:39,540 --> 00:04:43,680 The two authentication methods operate on two completely different security levels.
50 00:04:47,120 --> 00:04:54,720 Kerberos makes use of a key distribution center, a domain controller. All controllers have key distribution
51 00:04:54,720 --> 00:05:00,080 center (logon server) functionality.
52 00:05:00,080 --> 00:05:04,240 What's interesting is that a server that lets us access a printer is called a print server.
53 00:05:05,450 --> 00:05:11,390 A server for storing files is a file server, while a server that issues keys is called a key distribution
54 00:05:11,390 --> 00:05:15,210 center and not a logon server.
55 00:05:15,230 --> 00:05:23,560 The term can only be found in one error message, if a user tries to log on when the KDC is unavailable.
56 00:05:23,600 --> 00:05:26,960 You will see a prompt window:
57 00:05:26,980 --> 00:05:34,140 "There are no logon servers available to service a logon request." A KDC has two tasks to do.
58 00:05:35,650 --> 00:05:39,430 Its role is to generate and manage TGTs and service tickets.
59 00:05:41,170 --> 00:05:46,600 A key distribution center is a machine that generates a number of random keys and manages them in some
60 00:05:46,600 --> 00:05:52,810 way. TGT tickets are used for authentication.
61 00:05:52,930 --> 00:06:02,010 They serve as a temporary password. A TGT lasts for up to 10 hours. While it's valid,
62 00:06:02,020 --> 00:06:08,910 all services in a domain will uniquely identify a user based on that ticket.
63 00:06:09,100 --> 00:06:15,490 If you would like to use a specific service, you need to present a service ticket to that service.
64 00:06:15,570 --> 00:06:25,630 We'll show you the exact mechanism in a moment. A domain can have more than one key distribution center.
65 00:06:25,650 --> 00:06:28,030 Note that the KDCs have to share a secret.
66 00:06:29,130 --> 00:06:35,160 If they don't, it could happen that when one controller issues a TGT and it's deactivated, a user wouldn't
67 00:06:35,160 --> 00:06:39,230 be able to use a network because the second controller doesn't recognize the user.
68 00:06:42,220 --> 00:06:48,500 To make all controllers able to share secrets, all controllers in a realm work with the krbtgt account.
69 00:06:50,340 --> 00:06:52,470 This is defined in the RFC standard.
70 00:06:55,490 --> 00:07:00,250 This account seems inactive looking in its properties, but you shouldn't delete it.
71 00:07:00,250 --> 00:07:02,800 It is internally used by all domain controllers.
72 00:07:06,960 --> 00:07:09,610 Since this account is the same within the domain,
73 00:07:09,810 --> 00:07:19,170 it has the same password, the same long-term key, so all controllers can exchange secrets. Across the realm, a key
74 00:07:19,170 --> 00:07:23,060 distribution center has a secret to encrypt the TGTs it issues.
75 00:07:26,750 --> 00:07:31,700 A TGT ticket can be reused multiple times unless it expires or is revoked.
76 00:07:36,340 --> 00:07:39,810 Let's look into the Kerberos domain authentication process.
77 00:07:41,340 --> 00:07:43,790 A user is not yet logged onto a computer.
78 00:07:44,760 --> 00:07:53,340 To be able to log on, the user has to have a service ticket; logon is a service. A user has to authenticate
79 00:07:53,340 --> 00:08:01,340 with a TGT ticket to obtain a service ticket, and to obtain a TGT the user needs to first communicate
80 00:08:01,340 --> 00:08:03,100 with a domain controller.
81 00:08:05,900 --> 00:08:12,830 A user forwards an authentication request. At this time a timestamp is encrypted using the user's (Bob's)
82 00:08:12,830 --> 00:08:22,660 long-term key and sent to the KDC. The KDC knows all long-term keys of a system's users.
83 00:08:22,720 --> 00:08:27,040 That's why it's able to decode the forwarded message and check the current time against the sending
84 00:08:27,040 --> 00:08:35,380 time. The default tolerance is five minutes. This means that changing the system time has a direct bearing
85 00:08:35,380 --> 00:08:41,260 on overall Windows security and requires administrator permissions.
86 00:08:41,480 --> 00:08:46,520 If a user changes the clock by more than five minutes, Kerberos authentication will fail.
87 00:08:48,530 --> 00:08:56,760 Our local system doesn't give up yet. It doesn't pop up an "authentication failed" message; it tries another
88 00:08:56,760 --> 00:09:07,390 authentication method, NTLM. If authentication succeeds, a user will obtain a TGT ticket. To
89 00:09:07,390 --> 00:09:09,190 be able to use a server service,
90 00:09:09,340 --> 00:09:19,310 you need to get a service ticket that is issued by a KDC. A user presents a generated TGT ticket; if
91 00:09:19,310 --> 00:09:23,060 the user is authorized to connect to a specific service,
92 00:09:23,190 --> 00:09:27,260 the KDC will issue a service ticket.
93 00:09:27,330 --> 00:09:32,400 Now you can forward the service ticket to an applicable server and use the service, provided that the
94 00:09:32,400 --> 00:09:33,400 ticket is valid.
95 00:09:36,140 --> 00:09:44,090 A server that hosts a given service can verify it by contacting the KDC. This robust solution eliminates
96 00:09:44,090 --> 00:09:50,410 a number of security threats, including the man-in-the-middle attack. Even if a would-be attacker
97 00:09:50,410 --> 00:09:53,820 gains control of user-to-service server interchanges,
98 00:09:53,890 --> 00:10:01,640 it doesn't amount to much. The attacker would have to take over user-to-KDC interchanges.
99 00:10:01,850 --> 00:10:06,400 It's easier to protect one or two key distribution centers than many service servers.
100 00:10:10,030 --> 00:10:13,510 We've mentioned Kerberos credential delegation.
101 00:10:13,730 --> 00:10:18,890 If you launch, for example, Notepad, the editor will run with the credentials of the user who launched it.
102 00:10:20,390 --> 00:10:27,280 This is obvious, but what if the user runs a program that connects to another program running on a different
103 00:10:27,280 --> 00:10:28,240 computer?
104 00:10:29,120 --> 00:10:32,100 How is that user authenticated on a remote machine?
105 00:10:34,330 --> 00:10:38,000 Kerberos is the only protocol that enables delegating credentials.
106 00:10:39,760 --> 00:10:44,470 This functionality involves a service forwarding a user's ticket to another service on behalf of that
107 00:10:44,470 --> 00:10:45,460 user.
108 00:10:47,810 --> 00:10:54,250 It's useful for logging into websites that connect to a database server, where you're visible in the server
109 00:10:54,250 --> 00:11:02,010 as a user who is not connected to the computer. Kerberos has only one security vulnerability, and we'll
110 00:11:02,010 --> 00:11:05,750 discuss it during a presentation that will show overall protocol threats.
111 00:11:08,860 --> 00:11:09,790 During this module
112 00:11:09,790 --> 00:11:16,440 we've talked about authentication and authentication methods: LAN Manager, NTLM and Kerberos.
113 00:11:16,440 --> 00:11:26,250 With these protocols we stressed the necessity to secure system passwords.
114 00:11:26,330 --> 00:11:27,040 Thank you.
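The timestamp pre-authentication the lecture describes (a KerberosTime string encrypted under the user's long-term key, the KDC decrypting it with the key it has on file, and the five-minute clock tolerance) as a runnable model; this is an added example, not code from the lecture. The string-to-key step uses the PBKDF2 derivation of the AES Kerberos enctypes (RFC 3962), while `seal`/`unseal` are a constructed HMAC-based stand-in for a real Kerberos enctype, and the realm, user, password and clock values are made up.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # KDC default clock-skew tolerance (the lecture's five minutes)

def long_term_key(password, realm, user):
    """Derive the long-term key from the password (PBKDF2 with salt REALM+user and
    4096 iterations, as in the AES enctypes of RFC 3962); the KDC stores this key,
    never the password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + user).encode(), 4096, 32)

def _keystream(key, nonce, n):
    return hmac.new(key, nonce, "sha256").digest()[:n]  # 32 bytes, enough for a 15-byte timestamp

def seal(key, plaintext):
    """Constructed stand-in for a Kerberos enctype: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong long-term key or tampered blob: integrity check fails
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def client_preauth(password, realm, user, client_now):
    """Client side: encrypt the KerberosTime string (YYYYMMDDHHMMSSZ, always UTC)."""
    stamp = client_now.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()
    return seal(long_term_key(password, realm, user), stamp)

def kdc_check_preauth(stored_key, blob, kdc_now):
    """KDC side: 'OK' (go on to issue a TGT), 'PREAUTH_FAILED' (bad key) or 'SKEW' (clock off)."""
    stamp = unseal(stored_key, blob)
    if stamp is None:
        return "PREAUTH_FAILED"
    sent = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return "OK" if abs(kdc_now - sent) <= MAX_SKEW else "SKEW"

def demo():
    """Constructed scenario: Bob's logon with the right password, with a wrong one,
    and with a workstation clock six minutes behind the KDC."""
    realm, user, pw = "EXAMPLE.LOCAL", "bob", "correct horse battery staple"
    kdc_key = long_term_key(pw, realm, user)                    # what the KDC has on file
    now = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)  # constructed KDC time
    good = kdc_check_preauth(kdc_key, client_preauth(pw, realm, user, now), now)
    wrong = kdc_check_preauth(kdc_key, client_preauth("guess", realm, user, now), now)
    late = kdc_check_preauth(kdc_key, client_preauth(pw, realm, user, now - timedelta(minutes=6)), now)
    return good, wrong, late  # ("OK", "PREAUTH_FAILED", "SKEW")
```

The third outcome is the lecture's point about clock changes: the KDC never sees the password, only whether the timestamp decrypts correctly and falls inside the skew window.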