The Kerberos Carnival
Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
>> Let's take a little deeper look into Kerberos. I'm going to take a little trip down memory lane. I'm going to ask you to humor me a little bit here and hopefully, we'll see how this analogy explains Kerberos. I've mentioned to you all that Kerberos is a little bit like a carnival. I'm going to expand on that idea and we're going to draw that correlation. We'll also in this section talk about some of the concerns that we have and some of the potential security issues that could arise.

I mentioned to you all earlier that I'm from Greensboro, North Carolina. Greensboro, North Carolina is a dull place to grow up. If you're a teenager or a kid, there's not a lot of action shaking in Greensboro, North Carolina. At least there wasn't when I grew up, which was in the 80s. But every April, the GYC Carnival would come to town. That stood for the Greensboro Youth Council. The way we would know the carnival was coming into town is we'd drive past Carolina Circle Mall, and a white fence had popped up magically overnight. That white fence was to indicate where the carnival was going to be. Everything inside the fence was the carnival, everything outside the fence was [inaudible]. The fence separated the carnival realm from the rest of the world.

Now, we'd even show up at the carnival the first night, always. It was always on a Wednesday. Usually, there was a reduced entry fee, so that's why we went, and we'd show up there and we'd get to the admission booth. The admission booth, like I said, it was usually pretty cheap to get into the carnival. It might be a couple of dollars, or sometimes they would have a canned food drive, and so you'd bring in a couple of cans of the absolute worst vegetables you could find in your cabinet because that's the true spirit of giving: beets, canned carrots, that sort of thing. But at any rate, we'd get there, we'd show up, we'd pay our dollar, and we'd get into the carnival realm.

Now my question to you: I paid my dollar, what did I get for that dollar? Do I get to ride the rides? No, I don't get to ride the rides for that dollar. You know what I do get though? I get that wrist strap. Do you guys remember the yellow wrist strap, either made of paper or plastic, and you just find yourself fiddling with that wrist strap all night? But what that wrist strap indicated is that I came into the carnival realm the proper way. I didn't jump the fence or sneak in, but I went through admission. More importantly, I needed tickets. Tickets were what I needed to ride the rides. But if I went to the ticket booth without my wrist strap, the guy at the ticket booth would say, "You don't have a wrist strap, you didn't come in the proper way. Go back out, come through admission, and when you can show me a wrist strap, then I'll sell you tickets." So coming in through the admission booth gave me a wrist strap. I can't really do anything with the wrist strap other than get tickets. It's the tickets I really want though, because that's what allows me to ride the rides. So far so good.

Now, when I was too young to go on my own, I would go with my family, and specifically, I'd go with my mom. Now, my mother, I just want to go on record as saying she is a lovely woman, lovely woman. But she is a little bit tight with her money. She is not a spendthrift. I have the feeling she's probably sitting on a stack of money like Scrooge McDuck, and every night before bed counting her change as she properly stuffs it under a mattress. But anyway, bottom line is, my mom didn't toss a lot of money around. Once we're in the carnival, if I want to go ride the Ferris wheel, and the Ferris wheel is five tickets, do you think mom gave me a $20 bill and said, "You go have a nice time"? If I needed four tickets to ride the Ferris wheel, that's what I got. I got four sad little measly tickets, and I rode that Ferris wheel and it was fun. Could I ride the Ferris wheel again on those tickets? Nope. Now I want to ride the swings, back to the ticket booth. What do I get? Three little measly tickets, because that's what the swing required. Want to ride the bumper cars, back to the ticket booth. By the way, parents, give your kids some money. Here it is 40 years later, and I am still scarred from this tragic event of my childhood. Don't be so stingy with your money, give the kids a little something. Even after years of therapy, still bitter about this event.

Believe it or not, this actually is how Kerberos works. You come in through the admission booth once, but for every ride you want to ride, you have to go to the ticket booth. You're going back and forth to the ticket booth.

Now let's look at this from a little bit more technical standpoint. I'm going to sit down at my system and I'm going to log in for the morning. I'm going to type out my username, Kelly H, and I'm going to type out my password. Now here's the thing: only my username is sent to the domain controller. Now that domain controller is running the role of the authentication service. So my username is sent to the authentication service. My password is placed on hold on my computer, on my laptop. As a matter of fact, it's handled by the local Security Accounts Manager. My password is just waiting for when it needs to be used, but it is not sent across the network, only my username is, all right?

Now the authentication service, which I said was on a domain controller, and it is, will generate something called a TGT. That stands for ticket granting ticket. It's a ticket granting ticket from the redundant Department of Redundancy. That TGT gets encrypted with the user's, me, with my password, it's weird. So the authentication service knows who I am. It stores a hash of my password. So it generates this ticket granting ticket and encrypts the ticket granting ticket essentially with my password. That's sent across the network to me, and if my password had been entered correctly, I'm able to decrypt the TGT and I'm ready to go. That TGT proves I've come into the realm the proper way. I can't really do anything with the TGT except communicate with the ticket booth. It's not the same as a ticket that allows me to ride rides, it's just a ticket granting ticket, so that when I go to the ticket granting service and say, "Hey, I want to print to print server A," I will be granted a ticket.

>> That's exactly what happens next. I send my request to print to print server A to the ticket granting service. The ticket granting service comes back and gives me a ticket to do so. Now, I send that ticket that proves I've been authenticated to print server A, and I'm allowed to print. Now, I want to access the database server, for instance; back to the ticket booth. I request to connect to database server A. I send my ticket granting ticket, which proves I authenticated. The ticket granting service comes back and gives me a ticket to access database server A. For every resource I'm going to access, I go back to the ticket booth, but I don't have to come in through the admission booth more than once, just one time, and I'm allowed in the realm, back and forth to the ticket booth.

Now the reason you have to go back and forth to the ticket booth is driven by what's on the ticket. What I'd like to be able to do is encrypt my messages to the network services. But I want to use symmetric cryptography because that's the fastest and also it doesn't require me to have a PKI set up. So I want to use symmetric cryptography. But if you go back to the discussion in Chapter 3, remember the biggest problem with symmetric cryptography is that you don't have a way to securely distribute a symmetric key. What Kerberos does is it uses the ticket to distribute the symmetric key.

Here's how this works. I send my TGT to the ticket booth, the ticket granting service, and I say I want to print to print server A. Because of the fact that I have a TGT, the ticket granting service says, "I believe you're Kelly. I believe you're cool. We're going to let you print to print server A." It generates a ticket and on that ticket are two copies of the exact same session key. Now that seems weird, why would I need two copies? Because one copy of the session key is encrypted with my password. I'm the user. What does that mean? That means only I can access that symmetric key, if I had entered my password correctly. So the fact that I can even get this symmetric key provides another authentication that I am who I say I am. Voila, I have the symmetric key. I'm going to use the symmetric key to encrypt the print job, send the ticket to the print server, where the second copy of that symmetric key is encrypted with the server's password or key, meaning only that legitimate server can decrypt the other instance of the symmetric key. Because I am who I say I am, I can decrypt the symmetric session key; because the print server's legitimate, they can decrypt the symmetric session key. Now we've authenticated each other because of the fact that I know what key to use to encrypt data and the print server knows what key to decrypt data. In addition to getting privacy in this step, I'm also getting, again, authenticity between both principals, and a principal is just an entity on the network that can exchange tickets and services. Users are principals, servers or services are principals, computers are principals.

Kerberos usually takes folks a couple of times before it really sinks in what's happening. If you need to review this, that's why we have the beautiful rewind button, and you can go back and review this again. What I want you to be able to do, and I'm just going to hop back a couple of slides here, I want you to be able to go back to that previous section before this one and go through the components, and I'd like you to be able to justify what they mean. We talked about the authentication service, that's like our admission booth. We talked about the ticket granting service, which is like our ticket booth. Now one thing I didn't mention is that the ticket granting service and the authentication service, they are two different services, but they're run on the same machine. We call that machine, and it's a domain controller, but we call it the key distribution center, the KDC. That's the system running the TGS and the AS. Then the rest of these should make sense. I just want to make sure that that description that we went through with the Kerberos Carnival makes sense. We can see the process, and then I want you to be able to explain the different roles in the carnival.

Now, I also mentioned that Kerberos isn't bulletproof. We have concerns like synchronization. All systems on the network have to be synchronized within five minutes. If you're three minutes fast and I'm three minutes slow, then we're out of synchronization and Kerberos isn't going to work. We're going to get a Kerberos error when we go to log in. We also have to be concerned that tickets as well as passwords are stored on the local machine. If there's compromise at the local machine, that information could also be compromised. We have a single point of failure because the KDC is arguably the most important system on a domain, because Kerberos is what allows you to authenticate; if you can't authenticate, you don't get access to the domain. Like I said, it's not perfect. However, this has been what we've primarily used for single sign-on in Windows networks as well as other networks for the past 30 or 40 years. They must be doing something right. Of course, it's gone through various iterations throughout the years, but it's still essentially the same.

Just to wrap up, we talked about the Kerberos Carnival, and I really do hope that helps you understand Kerberos and how it works. Then we also talked about some security issues potentially with Kerberos and some things that we should think of when implementing Kerberos in our network environment.
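The exchange the transcript walks through (username to the AS, a TGT plus session key that only the right password can open, a service ticket carrying two sealed copies of one session key, and the five-minute clock-skew check) is modelled below as an added Python example. It is not part of the course video and not real Kerberos code: the `seal`/`unseal` routines are a stdlib-only toy stand-in for Kerberos encryption types, `derive_key` is an assumed stand-in for the KDC's stored password-derived key, and the principals `kellyh`, `printserverA` and their secrets are constructed sample values.

```python
import hashlib
import hmac
import json
import os

SKEW_LIMIT = 300  # five minutes, the tolerance the transcript describes


def derive_key(secret: str) -> bytes:
    # Toy stand-in for the password-derived key the KDC stores for each principal
    # (real Kerberos uses a string-to-key function; this hash is an assumption).
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: HMAC-based keystream XOR plus an HMAC tag.
    It only stands in for the AES-based encryption types real Kerberos uses."""
    plaintext = json.dumps(payload).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ticket")  # a wrong password lands here
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


class KDC:
    """Authentication Service (admission booth) and Ticket Granting Service
    (ticket booth) hosted together, as on a domain controller."""

    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: derive_key(p) for u, p in users.items()}
        self.service_keys = {s: derive_key(p) for s, p in services.items()}
        self.tgt_key = os.urandom(32)  # seals TGTs; only the KDC ever holds it

    def as_exchange(self, username: str, kdc_now: int):
        # Only the username arrives over the network. The reply carries a TGT the
        # client cannot read plus a session key sealed under the user's own key:
        # without the right password the client cannot open it.
        if username not in self.user_keys:
            raise KeyError("unknown principal")
        session = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"user": username, "key": session, "issued": kdc_now})
        return tgt, seal(self.user_keys[username], {"key": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, kdc_now: int):
        inner = unseal(self.tgt_key, tgt)
        tgt_session = bytes.fromhex(inner["key"])
        auth = unseal(tgt_session, authenticator)  # only the TGT holder can build this
        if auth["user"] != inner["user"]:
            raise ValueError("authenticator does not match TGT")
        if abs(kdc_now - auth["timestamp"]) > SKEW_LIMIT:
            raise ValueError("clock skew exceeds five minutes")
        svc_session = os.urandom(32).hex()
        # Two copies of the same session key: one the service can open, one the user can open.
        ticket = seal(self.service_keys[service], {"user": inner["user"], "key": svc_session})
        return ticket, seal(tgt_session, {"key": svc_session, "service": service})


def run_demo(password: str = "correct-horse", client_skew: int = 0):
    """Morning login, then a print-server ticket, then an encrypted print job (constructed principals)."""
    kdc = KDC(users={"kellyh": "correct-horse"}, services={"printserverA": "svc-secret-A"})
    kdc_now = 1_700_000_000  # constructed fixed clock so the run is deterministic
    client_now = kdc_now + client_skew

    # AS exchange: the client proves its password only by being able to open the reply.
    tgt, as_reply = kdc.as_exchange("kellyh", kdc_now)
    tgt_session = bytes.fromhex(unseal(derive_key(password), as_reply)["key"])

    # TGS exchange: TGT plus a fresh authenticator stamped with the client's clock.
    authenticator = seal(tgt_session, {"user": "kellyh", "timestamp": client_now})
    ticket, tgs_reply = kdc.tgs_exchange(tgt, authenticator, "printserverA", kdc_now)
    svc_session = bytes.fromhex(unseal(tgt_session, tgs_reply)["key"])

    # Service side: open the ticket with its own key, then the job with the shared session key.
    print_job = seal(svc_session, {"document": "quarterly.pdf"})
    ticket_inner = unseal(derive_key("svc-secret-A"), ticket)
    job = unseal(bytes.fromhex(ticket_inner["key"]), print_job)
    return ticket_inner["user"], job["document"]


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` returns `("kellyh", "quarterly.pdf")`; calling it with a wrong password fails at the AS reply, never at the KDC, which is the point the transcript makes about the password not crossing the network, and a client clock 360 seconds off (three minutes fast against three minutes slow) is rejected at the TGS with the skew error.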