Time
31 hours 29 minutes
Difficulty
Beginner
CEU/CPE
30

Video Description

Overview of Kerberos

This lesson covers Kerberos technology. Kerberos is considered the 'three-headed guard' of a network. The three heads of Kerberos include:

  • The key distribution center
  • Authentication service
  • Ticket granting service

Kerberos is found in a Windows domain and relies on a trusted third party that hands out tickets, which are used to authenticate.
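
The ticket model this lesson describes, as an added example that is not part of the original course material: a trusted third party checks credentials once, then issues expiring tickets that a service verifies without ever seeing the password. It is a simplified model, not the Kerberos wire protocol: an HMAC tag stands in for the encryption real Kerberos applies to tickets, and every key, name and password below is constructed.

```python
import hashlib
import hmac
import json

# Constructed long-term keys: in this model the KDC shares one key with each party.
TGS_KEY = b"constructed-tgs-key"
SERVICE_KEYS = {"fileserver": b"constructed-fileserver-key"}
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"constructed-password", SALT, 1000)}


def seal(key, body):
    """Serialize a ticket body and attach an HMAC tag only key holders can produce."""
    raw = json.dumps(body, sort_keys=True).encode()
    return raw, hmac.new(key, raw, hashlib.sha256).digest()


def unseal(key, ticket, now):
    """Return the ticket body if the tag verifies and it has not expired, else None."""
    raw, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, raw, hashlib.sha256).digest()):
        return None
    body = json.loads(raw)
    return body if now < body["expires"] else None


def authentication_service(user, password, now, lifetime=600):
    """AS: check the credentials once, then hand out a ticket granting ticket."""
    digest = hashlib.pbkdf2_hmac("sha256", password, SALT, 1000)
    if not hmac.compare_digest(USERS.get(user, b""), digest):
        return None
    return seal(TGS_KEY, {"user": user, "expires": now + lifetime})


def ticket_granting_service(tgt, service, now, lifetime=300):
    """TGS: exchange a valid TGT for a ticket bound to one named service."""
    body = unseal(TGS_KEY, tgt, now)
    if body is None or service not in SERVICE_KEYS:
        return None
    return seal(SERVICE_KEYS[service],
                {"user": body["user"], "service": service, "expires": now + lifetime})


def file_server_accepts(ticket, now):
    """Service: accept only unexpired tickets for this service, sealed with its key."""
    body = unseal(SERVICE_KEYS["fileserver"], ticket, now)
    return body["user"] if body and body.get("service") == "fileserver" else None
```

The file server never handles the password or the ticket granting ticket, so a compromised file server learns only a ticket that is valid for that one service until its expiry time.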

Video Transcription

00:04
Next we have our Kerberos technology. Now, our Kerberos technology is going to utilize PKI and asymmetric encryption in order to help us authenticate ourselves in our network and help us to access resources on our network without having to authenticate ourselves to every single server that we access
00:22
and pass our credentials to every single service that we need to utilize.
00:26
Now,
00:26
Kerberos comes from our Greek mythology as our three-headed guard of the underworld. In our setup, in our network, in our security, Kerberos is going to be our three-headed guard of our network. Kerberos is named as such because it has three main heads
00:46
and the three heads of Kerberos, at least in our network anyway, are going to be our key distribution center, our authentication service and our ticket granting service. Now we're gonna talk about each of those in more detail, but for now, just know that that's our three main components: our key distribution center, authentication service
01:03
and our ticket granting service.
01:06
Now, Kerberos is very typical in a Windows domain, especially with using authentication using our Active Directory and then using our user permissions and our user privilege levels in order to access different services on our network. Essentially, Kerberos is going to hand out tickets
01:25
that allow us to access different services on the network
01:29
rather than having to, every time we need to access the file or every time we need to access a particular part of our network, be sending all of these different servers our user name and password. We just send them a service ticket. That way we can still access these different components on our network, but we're not handing our credentials to everybody who asks for them.
01:47
We're just handing the service ticket
01:49
so it makes it a lot more secure, and it lets us be able to communicate with other people on our network without actually sending them our logged-in user name and password.
01:59
So our Kerberos relies on a trusted third party who hands out our tickets that are passed between everybody. So our Kerberos relies on trusting our ticket granting service, because our ticket granting service in our key distribution center is going to be the person who
02:16
verifies that all of these tickets
02:20
are who they say they are, because it's like when we get on the train. When we buy our tickets, we may show ID and show who we are, that we are who we say we are. And then we get our ticket to board the train and we don't show our ID to anybody else. We just give our ticket to everybody.
02:38
But in order that that ticket is trusted,
02:40
it needs to be issued by someone who is trusted. We need to make sure that that ticket is issued by the train, by the front desk of the train station. So we need to make sure that that ticket is granted by someone who's trusted.
02:54
So let's take a look at our Kerberos connection here.
03:01
So right here we have a computer that is turned off at the moment,
03:06
and we're walking in. We're getting started for the work day, so we're gonna turn on our computer and we're prompted with the login screen. It says, Enter your user name and password,
03:16
so we enter a user name and password and as we do
03:23
we're sending our user name and password
03:25
to the authentication service.
03:29
So the authentication service is going to... we're going to send our user name and password. So user name slash password
03:37
to the authentication service and say, Hey,
03:39
I'm here and I need to get a ticket granting ticket,
03:45
so I need to get a ticket that says I am who I say I am.
03:51
So I'm gonna send this user name and password to get my ticket granting ticket.
03:54
The authentication service is part of our key distribution center, and our authentication service is going to say, Okay, you're good. That user name and password passed. Maybe this is Active Directory that's handling this, and our authentication service is saying, yes, you are who you say you are.
04:11
So I'm going to let the ticket granting service in our key distribution server know your user name and know to be on the lookout for you.
04:21
So you passed authentication.
04:24
So the computer is now also going to request a ticket granting ticket.
04:29
So what it's doing is it's requesting from the key distribution center. It says, hey,
04:33
I need a ticket granting ticket. I need a ticket to get on the train or I need a ticket to get into the fair.
04:41
So the ticket granting ticket is going to take... that is going to take the ticket granting ticket, and then it's going to take our user's
04:50
public key, and it's going to say, OK,
04:54
it's gonna take our user's password, it's gonna hash it with it, and it's going to say, OK,
04:59
here's your ticket granting ticket. If you are who you say you are, you'll be able to read this. So if we aren't who we say we are, we won't be able to read that ticket granting ticket. If we are, then we will be able to read it.
05:12
So we're able to read that ticket granting ticket, we're live for our session, we're good to go, we're logged into our computer.
05:19
But now we need to access this file server.
05:25
We're not going to send the ticket granting ticket to the file server. We're not going to send our user name and password to the file server. We're gonna send our ticket granting ticket back to the ticket granting system and say, I need a service ticket. I need a service that allows me to authenticate and begin a session
05:45
with the file server.
05:46
So we send this ticket granting ticket.
05:49
The ticket granting service sends us back a service ticket,
05:54
and then we send the service ticket
05:57
to the file server.
05:59
The file server sees this service ticket and verifies that it was issued by the ticket granting service, because the service ticket has to be issued by the ticket granting service, because the ticket granting service puts its own signature on the service ticket.
06:15
If anyone else tries to forge that, it's not gonna work because that service ticket
06:19
is not only signed, but it's also time stamped by the ticket granting service. It's time stamped with an expiration time.
06:28
So we then send that service ticket to the network device, in this case a file server, and say, Hey,
06:34
this is me. I have a service ticket that authenticates me. So I need you to start sending the files. I need to initiate a session with you.
06:42
So then our file server, after it checks that service ticket, will say, Okay, yeah, everything checks out. Your service ticket checks out. It is now going to initiate a session back to us.
06:51
This prevents us from having to send our user name and password to the file server. Just in case that file server is compromised, they are not getting our user name and password. All they're getting is a service ticket. And all that service ticket is good for is the connection between us and the file server for a limited amount of time.
07:12
So,
07:14
all of our tickets in our Kerberos setup are all time stamped. Our ticket granting ticket is time stamped for the duration that we're going to be logged in. If we're still logged in and still performing network functions when our ticket granting ticket is about to expire, then our
07:31
will actually go back out transparently.
07:33
We'll go back out and we'll renew, and we'll get a new ticket granting ticket. And this all happens in the background.
07:40
And
07:41
if our time expires, then we'll get a session timeout. This is like if you're connected to a remote server and you authenticate with them. They're using Kerberos and then you get a message that says, Hey, your session timed out. Our ticket granting ticket timed out. We weren't performing functions. We didn't keep
07:59
reissuing and keep getting new ticket granting tickets.
08:01
So our ticket granting ticket ran out. We tried to ask for a service ticket and then the ticket granting service said, Sorry, your ticket granting ticket is expired. It's no longer good.
08:13
So
08:15
just remember, from our Kerberos standpoint, our big things that we need to remember are going to be our three heads: our key distribution center, which is made up of our authentication service, which is who we send a user name and password to, our ticket granting service that sends us our ticket granting ticket
08:33
and our service ticket
08:35
and then that's our three heads:
08:39
key distribution center, our authentication service and our ticket granting service. These are all our Kerberos authentication method, and it allows us to only have to pass our user name and password to our authentication service and then be able to receive tickets that we use to get into the fair and then get into our different network functions.
08:58
Bye bye.
09:01
Subsequently requesting these service tickets which let the file server know that we have been authenticated and what we have permissions to.

Up Next

CompTIA Network+

This CompTIA Network+ certification training provides you with the knowledge to begin a career in network administration. This online course teaches the skills needed to create, configure, manage, and troubleshoot wireless and wired networks.

Instructed By

Anthony Harris
Systems Analyst and Administrator at SAIC
Instructor