The Kerberos Authentication Process (kerberos_v2.mov)

  • Published: 13 Jun 2024
  • This movie was provided on a CD with the book "OS X Server Essentials", by Schoun Regan (2006), with the filename "kerberos_v2.mov". Despite its age, it's still one of the best explanations of Kerberos I've ever seen.
    Unfortunately, later updates to QuickTime broke playback of this movie (see discussions.apple.com/thread/...). I tried a bunch of versions of VLC but it couldn't play the movie either.
    I had to go through contortions to get this movie in a modern format: I set up a Mac OS 9 virtual machine using SheepShaver and played the movie in it while recording the screen with Fraps.

Comments • 59

  • @bikerfreak714 9 years ago +2

    This is the best explanation of Kerberos I've found on the net

  • @inochi27 6 years ago

    The best Kerberos video I have ever watched. Thank you very much

  • @kylealexmatt 7 years ago +1

    Your work on recording this is greatly appreciated :)

  • @giridharg82 8 years ago +1

    Crystal clear explanation. This helped me. Thank you.

  • @AgarwalsInUSA 10 years ago

    Awesome explanation, I have seen many videos but this is really explained very well.

  • @meganlee5897 6 years ago

    Excellent explanation! I finally understand it after reading several online articles!

  • @savithsatheesh7274 8 years ago

    Very effective and clear explanation!!!! Great job...

  • @MassimilianoCiccone 6 years ago

    Explained extremely well! Thank you

  • @milindpurswani5319 8 years ago +2

    I have to admit! This is indeed one of the most clear explanations I have been a witness of on the Internet. Thank you!

  • @fsl001 8 years ago

    A great video. Early days into my CISSP and provides some clarity in the first topic 'Access Control'

  • @gres147679 11 years ago +11

    I think the video doesn't explain a vital piece of data: in stage one, when the client sends the request to the TGS, the request packet (the one that has only the username) is encrypted with a key obtained with the user's password. The TGS, which has a database of the passwords, creates a key with the real user's password, and tries to decrypt the packet. If it succeeds, the passwords match and the process can continue. If it fails, the passwords didn't match and the authentication fails.

    • @vanillacokejunky 5 years ago

      Thank you for your comment, they keep boasting the whole video about how passwords are never sent over the network, but then don't explain how the very first initial request is authenticated. To spell out the question I had, how does the KDC/TGS know that I am truly who I say I am if I didn't provide a password? Your comment tries to explain this. Thanks.

    • @brainoverflow98 4 years ago

      Such a stupid mistake I immediately checked comments to find someone else who realized the mistake

  • @comedysink3324 4 years ago

    Sir, your hard work to get this video is worthwhile, thank you

  • @diavolo9750 11 years ago

    Brilliant; this video helped me a lot to understand Kerberos working; thank you so much.

  • @alisaadi150 8 years ago

    Awesome video. Thank you

  • @Nidhin0D 6 years ago +1

    Very well explained

  • @ravirajam47 8 years ago

    Great Explanation. Thanks.

  • @Belal888999 10 years ago

    Good explanation, thank you

  • @ekoroekoro8484 8 years ago

    very clear explanation thanks

  • @d0c_spike525 5 years ago +1

    There is something I don't get: after the KDC sent a copy of the new session key and the encrypted TGS (using the service private key) with the previous session key, the client decrypts the packet using the previous session key, right! Then he uses the new session key to encrypt his authenticator (he doesn't decrypt the encrypted TGS 'cause he doesn't know the key). Then he sends the packet to the service server. My question is how does the service server decrypt the client's packet? After he gets the new session key by decrypting the TGS, encrypted with his private key. But how does he open the packet? Or more precisely, how does the client encrypt the whole packet, or does he not?

  • @aakashgupta384 8 years ago

    beautiful

  • @lakhdeepsingh1983 6 years ago

    Could someone please help me understand the following:
    1. Is the initial ("Hi, I'm Chris" @ 5:32) packet encrypted with anything or sent in clear text?
    2. Is the packet sent by the client @ 08:00, which contains "TGT, Authenticator & Requested Service", encrypted or sent as clear text?
    No doubt, this is one of the best explanations that I've seen, no other video mentions the Authenticator and the contents of the various packets like this one did. I wish the standard terms like KRB_AS_REQ, KRB_AS_REP, KRB_TGS_REQ & KRB_TGS_REP etc. were also included.

  • @salecharohit 11 years ago

    Really Nice !!

  • @safaaelkashif1959 9 years ago

    You are great, clear explanation, thank you so much

  • @praveenkumar-mr3wf 8 years ago

    a very useful video

  • @tanweerzaki 7 years ago

    cool n concise explanation.

  • @duylt5_letrongduy743 5 years ago

    very good

  • @ItIsFullyFaltu 8 years ago +1

    Very good explanation. The only thing I didn't understand here is at 9:23, where the KDC sent the ticket signed with the server key and the authenticator signed with the new session key. I don't see that it's been shared with the actual backend server, so how was the backend server able to decrypt the authenticator header?

    • @debashischatterjee2871 8 years ago +1

      +ItIsFullyFaltu I don't think it actually decrypts that ticket. It just found the ticket, which eventually means that this request must have gone through the KDC, and serves the request. :)

    • @mukundkumar6131 5 years ago

      The service ticket encrypted with the service's private key has the new session key. When the service ticket is decrypted by the service, it can get the new session key, using which it can decrypt the authenticator. Hope I understood your question correctly.

  • @raghu2911 7 years ago

    great video

  • @jsridhar72 6 years ago

    How does the KDC get the user password initially? Or how does the key exchange between the KDC and the client happen?

  • @MrSleep-wp8bj 10 years ago

    Really good explanation...

  • @lavanyavenkatesh6802 9 years ago

    Nice, thanks for giving a detailed explanation

  • @shanmukhds912 7 years ago +1

    How did the mail server decrypt a packet which was encrypted using a new session key by the client using its private key?

    • @frasurf82 7 years ago +2

      At 9:28 the new session key, used for opening the authenticator, is in the Service Ticket, which can be opened only by the mail server.
      Looks like the packet sent by the client, containing the Service Ticket and the authenticator, is not encrypted with the private key of the client.

    • @inochi27 6 years ago

      The new session key is placed in the service ticket. The service server uses its own private key to open this service ticket and get this new session key which is then used to open the NEW authenticator (the packet you are asking about).

  • @AnkitSharma-xw1hg 11 years ago

    Nice explanation

  • @ZeKalanga92 10 years ago

    2:28 why is it easy to find an encrypted password? If you use RSA, doesn't that mean it is safe?

  • @soumyaneogy8207 10 years ago

    This is a very concise video, really it could have been explained in a better way. Awesome video

  • @sridhard2406 10 years ago

    well explained ..

  • @PrivatePaul 9 years ago +7

    I'm constantly wondering if this is TTS or a real person

    • @ForteanOrg 9 years ago

      EmoPunkSupport a real person.

  • @drillplantan4695 9 years ago

    How does the mail server decrypt the new authentication without the new session key?

    • @orel1996 7 years ago

      It's in the Ticket he decrypted using his private key

  • @sathishkumarjanakiraman2865 9 years ago

    I understood clearly

  • @komalsinha1511 10 years ago

    I didn't understand 8:48 - 9:35.
    When the KDC created a new shared session key (k2) and sent it along with the service-principal-private-key-encrypted authenticator ... using the previously created session key (k1). This part I understood.
    The client decrypting this whole packet using the previously created session key (k1) is okay. From this it obtained the latest temporary session key (k2). Now ...
    The video says: the client uses this newly created session key to encrypt the authenticator it got from the KDC and sends this k2-encrypted packet to the service.
    How the heck does the service know how to decrypt the k2-encrypted packet? Once it does, I understand that it can decrypt the authenticator within the packet using its private key that only itself and the KDC share ...
    Is there a step I'm missing, where the KDC also shared k2 with the service principal (the mail server in this case)?
    That'd make sense: when it created a new session key (k2), it should send this k2 to the service too, using the service's private key, so that the service knows:
    1) To expect a new request from the client.
    2) How to decrypt this request, as the client will use k2 to encrypt it.
    Is this right?

    • @ManveerKhurana 9 years ago +2

      The service has the new session key. It got it by decrypting the service ticket, which contained 4 things:
      1. Username
      2. Requested Service
      3. Client's IP
      4. New session key
      By using this new session key it decrypts the authenticator.

    • @jsridhar72 6 years ago

      Yes. I too missed it. Thanks.
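
The answer given in the replies above (the new session key travels inside the service ticket, so the service opens the ticket with its own long-term key and then opens the authenticator with the key it finds there), as an added Python sketch that is not from the video or from any commenter. The cipher is a toy HMAC-based stand-in for a real Kerberos encryption type; the function names, the `ts` field, the sample values and the 300-second skew limit are assumptions.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode, not a real Kerberos enctype
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(k1, service_key, user, service, client_ip):
    # KDC mints k2 and places two copies: one inside the ticket (service key),
    # one beside it for the client; the whole reply is sealed under k1.
    k2 = os.urandom(32).hex()
    ticket = seal(service_key, {"user": user, "service": service, "ip": client_ip, "k2": k2})
    return seal(k1, {"k2": k2, "ticket": ticket.hex()})

def client_request(k1, reply, user):
    inner = unseal(k1, reply)
    # The client cannot open the ticket; it forwards it as-is next to an
    # authenticator sealed under k2. No outer encryption wraps the pair.
    auth = seal(bytes.fromhex(inner["k2"]), {"user": user, "ts": time.time()})
    return bytes.fromhex(inner["ticket"]), auth

def service_accept(service_key, ticket, auth, max_skew=300):
    t = unseal(service_key, ticket)            # step 1: long-term key opens the ticket
    a = unseal(bytes.fromhex(t["k2"]), auth)   # step 2: k2 from the ticket opens the authenticator
    if a["user"] != t["user"] or abs(time.time() - a["ts"]) > max_skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return t["user"]

def demo():
    k1, service_key = os.urandom(32), os.urandom(32)   # constructed sample keys
    reply = kdc_issue(k1, service_key, "chris", "mail", "192.0.2.10")
    ticket, auth = client_request(k1, reply, "chris")
    return service_accept(service_key, ticket, auth)
```

The KDC never contacts the service during this exchange: the only copy of k2 the service ever sees is the one sealed inside the ticket that the client carries to it.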

  • @iandsonmendes5989 6 years ago

    Please Closed Captions in Portuguese-Br

  • @marclouis64 11 years ago

    Gustavo is right, but the rest is really an excellent presentation, have not seen this trainer before.

  • @princess5044 11 years ago

    cool!!!!!!!!!!!!!!!!!!!!1

  • @STamilSelvan 9 years ago

    goood

  • @benheideveld4617 5 years ago

    Superior video here:
    ruclips.net/video/kp5d8Yv3-0c/видео.html

  • @spiz02930 8 years ago

    big vid

  • @leo-rq2ei 6 years ago

    This is a brain fuck but it’s explained nicely

  • @johnw.3270 5 years ago

    Kerberos is pronounced thus: ruclips.net/video/w9ZKfRPC8Xw/видео.html