is a network authentication protocol that uses secret-key cryptography to authenticate service requests between two parties, typically a client and a server, on premises. Commonly used in Windows environments. Information is exchanged via tickets, which identify whether a user is authentic and whether they should be granted access to specific resources.
Kerberos
The central authority that issues tickets and manages cryptographic keys in a Kerberos realm.
Key Distribution Center (KDC)
Part of the KDC that verifies user credentials and grants a ticket-granting ticket (TGT). The TGT proves that a subject has been authenticated through a KDC.
Authentication Service (AS)
Part of the KDC that validates the use of a ticket for a specified purpose, such as network service access. When the client wants to access a specific service, it contacts the TGS using the TGT.
Ticket Granting Service (TGS)
Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects. It is encrypted and includes a symmetric key, an expiration time, and the user's IP address. Subjects present this when requesting tickets to access objects.
Ticket-Granting Ticket (TGT)
An encrypted message that provides proof that a subject is authorized to access an object. Once it expires, a client must request a renewal or a new one to continue communicating with any server.
Ticket
Any entity that can request a ticket (user, machine, or service).
Principal (Kerberos)
A logical area, such as a domain or network, governed by Kerberos.
Realm
Kerberos Login Process
Called the successor to Kerberos, it addresses some of the issues of Kerberos. It uses PKI (asymmetric) encryption. It uses a Privilege Attribute Server (PAS), which issues Privilege Attribute Certificates (PACs).
Secure European System for Application in Multi-vendor Environment
Centralized authentication for remote access connections. It provides authentication, authorization, and accounting for users accessing a network service. It's commonly used in wireless networks, VPNs, and dial-up connections.
RADIUS
Centralized remote authentication service that provides authentication, authorization, and accounting. Intended as a replacement for RADIUS because it provides reliability (uses SCTP or TCP). Used in prepaid and credit-based usage models in mobile device services.
Diameter
Centralized remote authentication service similar to RADIUS but considered more secure, because it encrypts the entire data packet, not just the password. It uses two-factor authentication. It's commonly used in wireless networks, VPNs, and dial-up connections.
TACACS+
A simple password-based authentication protocol that provides basic authentication. It transmits passwords in clear text, making it insecure.
Password Authentication Protocol (PAP)
Performs authentication using a challenge-response dialogue that can't be replayed. It uses a challenge-response mechanism to avoid sending passwords in clear text.
Challenge Handshake Authentication Protocol (CHAP)
One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
One Way Trust
Two domains allow access to users on both domains.
Two way Trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Transitive Trust
A one-way trust that does not extend beyond two domains.
Intransitive (non transitive) Trust
Occurs when an authentication system authenticates someone incorrectly. Also known as a false positive authentication. Sometimes called a Type II error.
False Acceptance Rate (FAR)
Occurs when an authentication system does not authenticate a valid user. Sometimes called a false negative authentication or a Type I error.
False Rejection Rate (FRR)
Identifies the accuracy of a biometric method. It shows where the false rejection rate is equal to the false acceptance rate.
Crossover error rate (CER)
An open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations. It provides SSO capabilities for browser access.
Security Assertion Markup Language (SAML)
An open protocol that allows secure authorization in a simple and standard method from web, mobile, and desktop applications. Example: signing in to a website using your Google account.
Open Authorization (OAuth)