Computer networks can be categorized by their size as well as their purpose. The size of a network is expressed by the geographic area it covers. The main network types by size are:
LAN - Local Area Network
MAN - Metropolitan Area Network
WAN - Wide Area Network
LAN (Local Area Network)
A local area network (LAN) is a computer network that interconnects computers within a limited area, for example a school, laboratory, university campus or office building.
MAN (Metropolitan Area Network)
A metropolitan area network (MAN) is a computer network that interconnects computers across a metropolitan area such as a city. A MAN is larger than a LAN but smaller than the area covered by a WAN. It is also used to interconnect several local area networks.
WAN (Wide Area Network)
A wide area network (WAN) is a computer network that spans a large geographical area. A WAN connects different networks, including local area networks (LANs) and metropolitan area networks (MANs). It may be confined to a state or a country, or it may be interconnected around the world.
Summary of LAN – MAN – WAN
Figure: Summary of LAN MAN WAN
LAN (Local Area Network)
Figure: Local Area Network (LAN)
A LAN is widely used for shared-medium, peer-to-peer communication. Over a LAN, users can reach not only other computers but also printers, plotters, database servers and similar resources. A LAN covers a single building or a campus of up to a few km; its maximum range is 5 km. LAN speeds are 10/100/1000 Mbps. A LAN is used as a private network.
MAN (Metropolitan Area Network)
Figure: Metropolitan Area Network
The range of a MAN is 10 km to 100 km and its speed is 100 Mbps. MANs are based on optical-fibre transmission technology and provide high-speed interconnection between sites. A MAN can carry both data and voice. The IEEE standard for MANs is 802.6.
WAN (Wide Area Network)
Figure: Wide Area Network (WAN)
The range of a WAN is beyond 100 km. The speed of a WAN is 10 Mbps.
Computers connected to a network are known as end systems. An end system is also known as a host.
Examples: workstations (PCs/laptops), TVs and set-top boxes, CCTV cameras, household appliances, mobile phones.
Figure: End System in Computer Network
Categories of Host
Hosts can be further divided into two categories: client and server.
Figure: Client and Server in Computer Network
Client Server Architecture:
Client:
An individual workstation in the network is called a client. A client sends a request to the server whenever it wants to access the server. The software that runs on the client machine is called the client program, e.g. a browser.
Server:
The server is a central computer that is more powerful than the clients; no one can access the server without authentication. Examples: file server, database server, print server. The server provides services in response to client requests.
The software that runs on the server machine is called the server program, e.g. XAMPP or file-server software.
A network is a group or system of interconnected people or things.
Examples: a group of people (social media), railway tracks, highways, branch offices connected to a head office.
Figure: Social media network
Figure: Railway track network
What is a Computer Network?
Two or more computer systems connected to each other form a computer network.
Examples: intranet, internet.
Figure: Internet and Intranet
Figure: Network Topology
What is the Internet?
The internet is a worldwide computer network; it is a "network of networks". The internet consists of academic, business and government networks, which carry various information and services. It is global communication accessed through the web. The internet deals with protocols and standards.
Examples: e-mail, web access and services, file transfer.
Protocols:
A protocol is a set of rules that governs data communication. A protocol defines the method of communication: how to communicate, when to communicate, and so on.
Figure: Protocol Syntax
Syntax: Syntax means the format or structure of the data, i.e. how it is presented. For example, the first eight bits are the sender address, the next eight bits are the receiver address, and the rest of the bits are the message/information.
Semantics: Semantics is the meaning of each section of bits, e.g. the address bits indicate the route of transmission or the final destination of the message.
Timing: Timing means at what time data can be sent, and how fast data can be sent or received.
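As an added illustration (not code from the original page), the following Python receiver applies the three protocol elements just described to the page's own example layout: syntax (eight-bit sender address, eight-bit receiver address, then the message), semantics (the receiver field names the destination) and timing (a rule constructed for this example: at most one frame per sender every 10 ms).

```python
import struct

HEADER = struct.Struct("!BB")   # syntax: first 8 bits = sender address, next 8 bits = receiver address
MIN_GAP = 0.010                 # timing rule (constructed for this example): one frame per sender per 10 ms

def build_frame(sender, receiver, message):
    """Lay out a frame as the text describes: sender, receiver, then the message/information bits."""
    if not (0 <= sender <= 255 and 0 <= receiver <= 255):
        raise ValueError("addresses are eight bits wide, so must be 0..255")
    return HEADER.pack(sender, receiver) + message

class Receiver:
    """A node that checks an incoming frame's syntax, semantics and timing before accepting it."""
    def __init__(self, my_address):
        self.my_address = my_address
        self.last_seen = {}          # sender address -> arrival time of its last accepted frame

    def handle(self, frame, arrival_time):
        if len(frame) < HEADER.size:                   # syntax: both address fields must be present
            return "reject: malformed frame"
        sender, receiver = HEADER.unpack_from(frame)
        if receiver != self.my_address:                # semantics: the receiver field is the destination
            return "ignore: not addressed to me"
        if arrival_time - self.last_seen.get(sender, float("-inf")) < MIN_GAP:   # timing: too fast
            return "reject: sender exceeded the allowed rate"
        self.last_seen[sender] = arrival_time
        return "accept: " + frame[HEADER.size:].decode("utf-8", "replace")
```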
Standards:
Standards provide guidelines to manufacturers, vendors, government agencies and service providers. They ensure the interconnectivity and compatibility of devices. Standards help maintain market competitiveness and guarantee interoperability. Data communication standards fall into two categories: de facto and de jure.
De facto: De facto means "by fact" or by convention. Standards that are not approved by any organization but are widely used are de facto standards. These are established by manufacturers.
De jure: De jure means "by law" or by regulation. These are the standards that are officially recognized by an organization.
A full-service Kerberos environment consists of a Kerberos server, a number of clients, all registered with the Kerberos server, and a number of application servers, all sharing keys with the Kerberos server. Such an environment is referred to as a Kerberos realm.
Figure : Kerberos Version 4 Message Exchange Scenario
Step – 1: The client sends a message to the AS requesting access to the TGS. It includes a timestamp so that the AS knows the message is timely.
Step – 2: The AS responds with a message, encrypted with a key derived from the user's password (K_C), that contains the ticket. The encrypted message also contains a copy of the session key, K_C,tgs, where the subscripts indicate that this is a session key for C and the TGS. Because this session key is inside the message encrypted with K_C, only the user's client can read it. The same session key is included in the ticket, which can be read only by the TGS. Thus the session key has been securely delivered to both C and the TGS.
Step – 3: C sends the TGS a message that includes the ticket plus the ID of the requested service. In addition, C transmits an authenticator, which includes the ID and address of C's user and a timestamp. The TGS uses the session key to decrypt the authenticator. The TGS can then check the name and address from the authenticator against those in the ticket and against the network address of the incoming message. If all match, the TGS is assured that the sender of the ticket is indeed the ticket's real owner.
Step – 4: The reply message from the TGS is encrypted with K_C,tgs and includes a session key to be shared between C and the server V, the ID of V, and the timestamp of the ticket. The ticket itself includes the same session key.
Step – 5: C sends V the ticket and an authenticator. The server can decrypt the ticket, recover the session key, and decrypt the authenticator.
Step – 6: The server returns the value of the timestamp from the authenticator, incremented by 1 and encrypted with the session key. C can decrypt this message to recover the incremented timestamp. Because the message was encrypted with the session key, C is assured that it could have been created only by V. The contents of the message assure C that this is not a replay of an old reply.
Summary of Kerberos version 4 message exchange scenario
Kerberos:
Kerberos is a network authentication protocol that works on the basis of
tickets to allow nodes communicating over a non-secure network to prove their
identity to one another in a secure manner.
Different Versions of the Kerberos Protocol
Using Authentication Server (AS)
Step – 1: In this
scenario, the user logs on to a workstation and requests access to server V. The
client module C in the user’s workstation requests the user’s password and then
sends a message to the AS that includes the user’s ID, the server’s ID, and the
user’s password. The AS checks its database to see if the user has supplied the
proper password for this user ID and whether this user is permitted access to
server V. If both tests are passed, the AS accepts the user as authentic and
must now convince the server that this user is authentic.
Step – 2: To do
so, the AS creates a ticket that contains the user’s ID and network address and
the server’s ID. This ticket is encrypted using the secret key shared by the AS
and this server. This ticket is then sent back to C. Because the ticket is
encrypted, it cannot be altered by C or by an opponent.
Step – 3: With this ticket, C can now apply to V (the server) for service. C sends a message to V containing C's ID and the ticket. V decrypts the ticket and verifies that the user ID in the ticket is the same as the unencrypted user ID in the message. If the two match, the server considers the user authenticated and grants the requested service.
Problems:
Problem – 1: Under this scheme, a user would need a new ticket for every different service. If a user wants to access a print server, a mail server, a file server, and so on, the first instance of each access would require a new ticket.
Problem – 2: In this scheme, the password is transmitted without encryption. An eavesdropper could capture the password and use any service accessible to the victim.
Using Ticket Granting Server (TGS)
Step – 1: The
client requests a ticket-granting ticket on behalf of the user by sending its
user’s ID to the AS, together with the TGS ID, indicating a request to use the
TGS service.
Step – 2: The AS responds with a ticket that is encrypted with a key derived from the user's password (K_C), which is already stored at the AS. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered. Thus we have used the password to obtain credentials from Kerberos without having to transmit the password in plaintext. Here, an opponent may be able to reuse the ticket to spoof the TGS. To counter this, the ticket includes a timestamp, indicating the date and time at which the ticket was issued, and a lifetime, indicating the length of time for which the ticket is valid.
Step – 3: The
client requests a service-granting ticket on behalf of the user. For this
purpose, the client transmits a message to the TGS containing the user’s ID,
the ID of the desired service, and the ticket-granting ticket.
Step – 4: The TGS decrypts the incoming ticket using K_tgs and verifies the success of the decryption by the presence of its own ID. It checks that the lifetime has not expired. Then it compares the user ID and network address with the incoming information to authenticate the user. If the user is permitted access to the server V, the TGS issues a ticket granting access to the requested service.
Step – 5: The
client requests access to a service on behalf of the user. For this purpose,
the client transmits a message to the server containing the user’s ID and the
service-granting ticket. The server authenticates by using the contents of the
ticket.
Problems
Problem – 1: A network service (the TGS or an application service) must be able to prove that the person using a ticket is the same person to whom that ticket was issued.
Problem – 2: There may be a requirement for servers to authenticate themselves to users. Without such authentication, a false server would be in a position to act as the real server, capture any information from the user, and deny the true service to the user.
Solution
The AS provides both the client and the TGS with a secret piece of information in a secure manner. The client can then prove its identity to the TGS by revealing the secret information, again in a secure manner. An efficient way of accomplishing this is to use an encryption key as the secret information; this is referred to as a session key in Kerberos.
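The session-key solution described here is what the Version 4 message exchange given earlier on this page (AS, TGS, server V, authenticators and the timestamp + 1 reply) implements. The following Python walk-through is an added example, not code from the original page: a toy XOR-keystream/HMAC cipher stands in for DES, and the realm, the user "alice", her password, the addresses and the 8-hour lifetime are all constructed for the example.

```python
import hashlib, hmac, json, os
LIFETIME = 8 * 3600                      # ticket lifetime in seconds (assumed value)
def derive_key(password):                # K_C: key derived from the user's password
    return hashlib.sha256(b"toy-realm|" + password.encode()).digest()
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
def encrypt(key, obj):                   # toy XOR-keystream + HMAC; stands in for DES in Kerberos v4
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def decrypt(key, blob):                  # raises if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
# Constructed KDC state: one registered user plus the keys the AS shares with the TGS and with server V.
KDC = {"users": {"alice": derive_key("correct horse")}, "K_tgs": os.urandom(32), "K_v": os.urandom(32)}

def _ticket(server_key, user, addr, now):   # fresh session key + a ticket only that server can read
    sess = os.urandom(32)
    return sess, encrypt(server_key, {"k": sess.hex(), "id": user, "ad": addr, "ts": now, "life": LIFETIME})
def _check(server_key, ticket_hex, authenticator, src_addr, now):   # the check both TGS and V perform
    tkt = decrypt(server_key, bytes.fromhex(ticket_hex))
    if now > tkt["ts"] + tkt["life"]:
        raise ValueError("ticket expired")
    sess = bytes.fromhex(tkt["k"])
    auth = decrypt(sess, authenticator)  # only the ticket's real owner knows the session key
    if (auth["id"], auth["ad"], src_addr) != (tkt["id"], tkt["ad"], tkt["ad"]):
        raise ValueError("authenticator, ticket and source address do not all match")
    return tkt, sess, auth
def as_exchange(user, addr, now):        # steps 1-2: TGT plus K_C,tgs, sealed under K_C
    sess, tgt = _ticket(KDC["K_tgs"], user, addr, now)
    return encrypt(KDC["users"][user], {"k": sess.hex(), "tgs": "TGS", "ts": now, "tgt": tgt.hex()})
def tgs_exchange(tgt_hex, authenticator, service, src_addr, now):   # steps 3-4
    tkt, k_c_tgs, _ = _check(KDC["K_tgs"], tgt_hex, authenticator, src_addr, now)
    k_c_v, st = _ticket(KDC["K_v"], tkt["id"], tkt["ad"], now)
    return encrypt(k_c_tgs, {"k": k_c_v.hex(), "v": service, "ts": now, "tkt": st.hex()})
def server_v(ticket_hex, authenticator, src_addr, now):             # steps 5-6
    _, k_c_v, auth = _check(KDC["K_v"], ticket_hex, authenticator, src_addr, now)
    return encrypt(k_c_v, {"ts": auth["ts"] + 1})   # timestamp + 1 proves V holds K_C,V

def client_login(user, password, addr, service, now, later=None, src_addr=None):
    later, src_addr = now if later is None else later, addr if src_addr is None else src_addr
    try:                                 # C runs the whole dialogue: True on mutual auth, False otherwise
        rep = decrypt(derive_key(password), as_exchange(user, addr, now))   # wrong password fails here
        k_c_tgs = bytes.fromhex(rep["k"])
        auth = encrypt(k_c_tgs, {"id": user, "ad": addr, "ts": later})      # authenticator for the TGS
        rep2 = decrypt(k_c_tgs, tgs_exchange(rep["tgt"], auth, service, src_addr, later))
        k_c_v = bytes.fromhex(rep2["k"])
        auth = encrypt(k_c_v, {"id": user, "ad": addr, "ts": later})        # authenticator for V
        vrep = decrypt(k_c_v, server_v(rep2["tkt"], auth, src_addr, later))
        return vrep["ts"] == later + 1               # fresh, and only the real V could have made it
    except (ValueError, KeyError):
        return False
```

`client_login` also shows the failure modes the text motivates: a wrong password cannot open the AS reply, a ticket presented from a different network address fails the authenticator check, and a ticket used after its lifetime is rejected.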
What do the three heads of Kerberos represent?
Kerberos is a three-step security process used for authorization and authentication. The three heads of Kerberos are:
1. User,
2. KDC - Key Distribution Centre (security server), and
3. Services (servers).
Kerberos is a standard feature of Windows software.
Why Kerberos?
Kerberos is an authentication protocol that is used to verify the identity of a user or host. The authentication is based on tickets used as credentials, allowing communication and proving identity in a secure manner even over a non-secure network.
Characteristics of Kerberos
Secure: Kerberos should be strong enough that a potential opponent does not find it to be the weak link.
Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.
Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.
Kerberos Protocol Terminology
Figure : Block Diagram of Kerberos server
Authentication Server (AS): A server that issues tickets for a desired service, which are in turn given to users for access to the service.
Client: An entity on the network that can receive a ticket from Kerberos.
Credentials: A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called a ticket.
Credential cache or ticket file: A file which contains the keys for encrypting communications between a user and various network services.
Crypt hash: A one-way hash used to authenticate users.
Key: Data used when encrypting or decrypting other data.
Key distribution centre (KDC): A service that issues Kerberos tickets and usually runs on the same host as the ticket-granting server (TGS).
Realm: A network that uses Kerberos, composed of one or more servers called KDCs and a potentially large number of clients.
Ticket-granting server (TGS): A server that issues tickets for a desired service, which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC.
Ticket-granting ticket (TGT): A special ticket that allows the client to obtain additional tickets without applying for them from the KDC.
Working of Kerberos
Step 1: (Fig 1)
The AS receives the request from the client and verifies the client.
Figure: Authentication Service verifies the User ID
Step 2:
Upon verification, a timestamp is created with the current time for the user session, together with an expiration time. The timestamp ensures that once the 8 hours are up, the encryption key is useless.
Step 3: (Fig 2)
Figure: Authentication Service issues TGT
The key is sent back to the client in the form of a TGT.
Step 4: (Fig 3)
Figure: Client submits TGT to TGS
The client submits the TGT to the TGS to get authenticated.
Step 5: (Fig. 4)
Figure: TGS grants client the service ticket
The TGS creates an encrypted key with a timestamp and grants the client a service ticket.
Step 6:
The client decrypts the ticket and sends an ACK to the TGS.
Step 7: (Fig. 5)
Figure: Service server decrypts key and checks the timestamp
The client sends its own encrypted key to the service server.
The server decrypts the key and checks whether the timestamp is still valid.
Step 8: (Fig. 6)
Figure: For secret keys communication initiated
The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server. The client is now authenticated until the session expires.
Is Kerberos symmetric or asymmetric?
Kerberos is capable of both symmetric and asymmetric cryptography.
Is Kerberos safe?
Kerberos is more secure than other authentication methods because it does not send plaintext passwords over the network; instead of a password it uses encrypted tickets.