Authentication Protocols

Kerberos:
Kerberos is a network authentication protocol that ensures secure communication between client and server
applications over an insecure network. Kerberos is a three step security process used for authorization and
authentication. Kerberos is a standard feature of Windows software. The three heads of Kerberos are:
1. User
2. Key Distribution Service (KDS) i.e. Security Server
a) Authentication Server (AS)
b) Ticket Granting Server (TGS)
3. Services (servers)

Benefits of Using Kerberos:

 Security: Passwords are not repeatedly sent over the network.
 Single Sign-On (SSO): Users authenticate once and can access multiple resources without re-entering
credentials.
 Mutual Authentication: Both user and server can verify each other's identity.

Working of Kerberos:
1. Initial Authentication:
 When you log in, your computer contacts the Key Distribution Center (KDC) to request a Ticket Granting
Ticket (TGT).
 The KDC verifies your credentials and issues a TGT, which is encrypted with a session key.
 You store this TGT locally.
2. Accessing a Service:
 Suppose you want to access a file server.
 You request a service ticket from the KDC using your TGT.
 The KDC validates your request and issues a service ticket encrypted with the server’s secret key.
 You send this service ticket to the file server.
3. Service Authentication:
 The file server decrypts the service ticket using its secret key.
 If the decryption succeeds, you’re authenticated, and the server grants access.
4. Session Key:
 The session key from the TGT is used for secure communication between you and the file server.
 All subsequent communication between you and the service uses this session key for encryption and
decryption.
Hypothetical example: (Only for understanding purpose)
Imagine a secure office building where only authorized employees can enter and access various rooms. The building has
a security system managed by a guard named Kerberos.
Here's how the Kerberos authentication protocol works using this analogy:

Step 1: Request for Access

 Alice (the employee) wants to enter a secure area (like a server in a computer network).
 Alice approaches the front desk (Kerberos Authentication Server, or AS) and asks for access.
 To prove she's an employee, Alice shows her ID (her username) and password to the guard (AS).
Step 2: Authentication
 The guard (AS) checks Alice's credentials against the employee database (authentication database).
 If the credentials are correct, the guard (AS) gives Alice a Ticket Granting Ticket (TGT). This TGT is like a special
access card that proves Alice is authenticated but doesn't grant direct access to any secure rooms yet.
Step 3: Request for Service Ticket
 Alice now wants to enter a specific secure room (access a specific service on the network).
 She goes to the guard's colleague (Ticket Granting Server, or TGS) with her TGT.
 Alice requests access to the specific room by presenting her TGT.
Step 4: Service Ticket Issuance
 The TGS checks the TGT to ensure it’s valid and that it’s indeed from the guard (AS).
 If valid, the TGS issues a Service Ticket for the specific room (service). This ticket is like a keycard that only works
for that room.
Step 5: Access the Service
 Alice takes this Service Ticket and goes to the door of the specific room (the service she wants to access).
 She presents the Service Ticket to the security system at the door (the service itself).
 The door's security system checks the ticket and, if it’s valid, allows Alice to enter the room (access the service).

Recap:
 Kerberos Authentication Server (AS): Verifies user credentials and issues a TGT.
 Ticket Granting Server (TGS): Issues service-specific tickets based on the TGT.
 Service Ticket: Grants access to specific services..

Real-life Analogy:
 Alice: Employee/User
 Guard (AS): Initial authentication server that checks credentials.
 TGT: Proof of initial authentication (general access card).
 Guard's colleague (TGS): Issues specific room access (service tickets).
 Service Ticket: Specific access card for the desired room/service.

Kerberos ensures that each step is secure, using encrypted tickets that prove the user’s identity and access rights
without repeatedly exposing passwords.

Other Authentication Protocols:

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information. A directory in this
context is like a phonebook that contains information about users, devices, and other resources within a network.
Think of LDAP as an electronic version of a company's phonebook, where employees can look up each other's contact information, job
titles, departments, etc. The LDAP server is the central place where this information is stored and managed.
Components:
 Directory Information: Information stored in the directory, such as names, addresses, phone numbers, and email
addresses.
 LDAP Server: The server that hosts the directory.
 LDAP Client: The application or system that queries the LDAP server for information.
OAuth 2.0 (OAuth2) is a protocol that allows you to grant third-party applications limited access to your resources
without sharing your actual passwords. It's like giving someone a special key that only opens certain doors, not all the
doors in your house.
(Imagine you have a locker at the gym. You want your friend to pick up your shoes from your locker, but you don't want
to give them your main locker key, which also works for your home, car, etc. Instead, you give them a temporary,
limited-use key that only opens your locker for a short period.)
Components:
 Resource Owner: The person who owns the resources (you, the user).
 Client: The third-party application that wants to access the resources (e.g., a fitness app).
 Resource Server: The server where the resources are stored (e.g., your gym locker).
 Authorization Server: The server that issues access tokens (e.g., the gym manager who gives out the temporary
keys).
 Access Token: The temporary key that the client uses to access the resources.

SAML (Security Assertion Markup Language) is a protocol that helps with single sign-on (SSO), allowing users to log in once and
gain access to multiple applications or services without needing to log in again for each one. It's like having a master key that lets you
open several doors without needing a separate key for each door.
(Imagine you have a membership card for a gym. When you enter the gym, you show your membership card at the front desk. The front
desk verifies your membership and gives you a wristband. With this wristband, you can access different areas of the gym (e.g., pool,
sauna, weight room) without having to show your membership card again at each door.)
Key Concepts/ Components:
 User (Principal): The person who wants to access multiple applications or services (you).
 Identity Provider (IdP): The system that authenticates the user and issues identity information (the gym front desk).
 Service Provider (SP): The applications or services the user wants to access (pool, sauna, weight room).
 Assertion: A message from the IdP to the SP that asserts the user's identity and other attributes (the wristband).

RADIUS (Remote Authentication Dial-In User Service) is a protocol used for authenticating, authorizing, and accounting users who
connect to a network service. It's commonly used by Internet Service Providers (ISPs) and enterprises to manage access to the network.
(Imagine you have a club with a secure entrance. The club employs a bouncer (RADIUS server) who checks members' IDs (user
credentials) before allowing them inside. The bouncer also keeps a log of when members enter and leave the club.)
Key Concepts:
 User (Client): The person who wants to access the network (e.g., an employee or a customer).
 RADIUS Client: The network device (e.g., a router, switch, or Wi-Fi access point) that receives the user’s request and forwards it
to the RADIUS server.
 RADIUS Server: The server that verifies the user's credentials and grants or denies access.
 Authentication: Verifying the user's identity.
 Authorization: Determining what resources the user is allowed to access.
 Accounting: Keeping track of the user's activity (e.g., when they logged in and out).

X.509 Authentication Service is a standard for public key infrastructure (PKI) that defines how digital certificates are used to verify
identity over a network. These digital certificates are like digital passports that prove the identity of users, devices, or services.
(Imagine you have a passport issued by your government. When you travel to another country, border control checks your passport to
verify your identity. Similarly, in the digital world, an X.509 certificate serves as a digital passport that proves your identity to other
parties.)
Key Concepts:
 Digital Certificate: A digital document that contains information about the identity of a user, device, or service,
along with a public key.
 Public Key: A key that can be shared openly and is used to encrypt data or verify digital signatures.
 Private Key: A secret key that is kept private and is used to decrypt data or create digital signatures.
 Certificate Authority (CA): An entity that issues and verifies digital certificates. It acts like a government issuing
passports.
 Certificate Chain: A hierarchy of certificates that link back to a trusted root certificate issued by a CA.