Taming Kerberos - Computerphile

Kerberos is an authentication method - Dr Mike Pound explains how it works so neatly.


This video was filmed and edited by Sean Riley.


Comments

I love how Mike Pound explains cryptography. He's my favorite guy of all Computerphile, next to Tom Scott, that is.

jlxip

8:08 "My very well drawn curly brackets" -- damn right those are well drawn! That will make it extra secure.

cyphern

3:07 - “It’s an absolute mess”. Actually, it’s a full mesh! ... I will show myself out ...

cherrymountains

The separation between the S and T servers is the separation between _authentication_ (proving you are who you say you are, done by S) and _authorization_ (what services you are allowed to access, controlled by T). Each one can be updated independently.

lawrencedoliveiro

This is HANDS DOWN the BEST description of how Kerberos works. Straight forward, easy to understand. I feel like I truly understand it now, vs just having a general idea of what it does. Thanks so much for this great content!!❤❤❤

Luckyunny

Hands-down the best explanation I've seen of the Kerberos auth mechanism on the internet.

bharatirajanvss

I can't say this enough. I LOVE this channel and how well everything is explained! Dr. Pound's videos are my favorite as he's just so likable and amazing at his explanations. Keep up the amazing work everyone!

mattwalker

This is a brilliant explanation! I've been working with KRB (MIT and Heimdal) and OpenAFS for a decade, but recently moved to (Samba) AD. Kerberos is my friend! The most common failure of both is clock offsets! If the lifetime doesn't match or the timestamp is in the future, it throws funnies. Never had any serious issues in those 10 years. KDCs just keep on working.

WouterWeggelaar

First heard of Kerberos nearly 30 years ago but never used it. This is the first time I've actually gotten a high-level overview that was super easy to understand - thank you!

gplustree

The best and most in-depth explanation of the Kerberos protocol on YouTube. Thank you!

gmrlk

Woo, finally something I'm close to understanding and actually has something to do with my work.

spacebar

Would love to see Dr. Mike Pound do a video on JSON Web Tokens!!

longliveriley

12:48 I can just picture a lonely server spinning up disks that have been idle for years, like oh yea someone still wants me 😂

aaronwilliams

"B is just sitting on the network waiting for people to talk to it"
Same, B, same.

Blue-tzpd

This is a decent retro perspective on hard coding server based authority networking. Thank you for your efforts.

Back in the early nineties we used this with Novell for user-based authentication for both bridges and simple internal routing via IPX.

Cool to see it being reimplemented for wide distribution systems. Our biggest concern back then was Chatterbox, inbound exchanges outside of our secured internal networks with disparate network protocols. IP was not a standard like today.

stephenm

3:01 Kerberos and Mike draws a pentagram lol

NotATakenHandle

What an elegant design! And well explained Professor!

hnasr

For those wondering why the timestamp T is necessary throughout most of the video, wait until near the end where Mike explains that it's a way to defend against an imposter. It's perfectly understandable why this was discussed only near the end (13:53). Be patient, it's explained in the video.

citimatters

It is worth mentioning that in AD, the authorization is split between the ticket granting service and the target resource (in this case the file server). The ticket will also carry information about group membership, which will allow the file server to determine whether the user trying to access it is allowed, or is a member of a group that is allowed to access the server. Also worth mentioning that because of all these timestamps floating around, it is imperative that all these systems have the same time.

helshabini

Great explanation as always. I've also made a few videos about Kerberos myself recently, mainly demonstrating some of the ways to circumvent the security of it.
Oh and one small correction: in Active Directory it's not the authentication server or KDC that decides if the user is allowed to access the service it's requesting a ticket for - it's up to the service on the file server etc. to decide if the user is allowed in or not. All the KDC does is "guarantee" that the user is who they say they are. So yeah any user can request a ticket for any service that supports Kerberos auth, which is a bit of a security issue because now anyone can get hold of some data that was encrypted using the password of the user account running that service, and they can then brute force that offline to get the password.

vbscrub
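Several of the comments above touch on the checks a Kerberos service performs once the ticket reaches it: ticket lifetime and clock offsets (mattwalker), the authenticator timestamp as a defence against an imposter replaying a captured request (citimatters), group membership carried in the ticket (helshabini), and the point that the KDC only vouches for identity while the service itself decides authorization (vbscrub). The Python below is an added model of that service-side logic; it is not code from the video or from MIT, Heimdal or Active Directory Kerberos. The dataclasses stand in for the already-decrypted contents of a ticket and authenticator (the real protocol encrypts the ticket under the service's key and the authenticator under the session key), and the field names, the replay cache, the `groups` field and the 300-second skew tolerance are assumptions of this model.

```python
"""Toy model of the checks a Kerberos-style service runs on an incoming request.

Added illustration, not any Kerberos implementation's code. Tickets and
authenticators are modelled as already-decrypted records; field names,
the replay cache and the skew default are assumptions of this model.
"""
from dataclasses import dataclass, field

# Tolerated difference between the client's clock and ours, in seconds.
# 300 s is the commonly used Kerberos default; assumed here.
DEFAULT_CLOCK_SKEW = 300


@dataclass
class Ticket:
    """What the KDC put inside the ticket (encrypted under the service key)."""
    client: str          # principal the KDC authenticated
    service: str         # service principal the ticket is for
    start: int           # Unix time from which the ticket is valid
    end: int             # Unix time at which the ticket expires
    groups: tuple = ()   # group memberships carried along (PAC-like; assumed field)


@dataclass
class Authenticator:
    """What the client builds fresh for each request (encrypted under the session key)."""
    client: str
    timestamp: int       # client's clock when the request was built


@dataclass
class ReplayCache:
    """Remembers (client, timestamp) pairs already accepted inside the skew window."""
    seen: set = field(default_factory=set)

    def check_and_add(self, client, timestamp):
        key = (client, timestamp)
        if key in self.seen:
            return False       # identical authenticator seen before: a replay
        self.seen.add(key)
        return True


def authenticate(ticket, auth, now, cache, skew=DEFAULT_CLOCK_SKEW):
    """Authentication half: is this request a genuine, fresh use of a valid ticket?

    Returns (ok, reason). Only the KDC's guarantee of identity is checked here;
    whether the client may use the service is a separate decision (see authorize).
    """
    if auth.client != ticket.client:
        return False, "authenticator principal does not match ticket"
    if now < ticket.start - skew:
        return False, "ticket not yet valid"
    if now > ticket.end + skew:
        return False, "ticket expired"
    # The authenticator must be fresh: a timestamp too far in the past OR in the
    # future (a client whose clock runs ahead) fails the same way.
    if abs(now - auth.timestamp) > skew:
        return False, "clock skew too great"
    if not cache.check_and_add(auth.client, auth.timestamp):
        return False, "replay detected"
    return True, "ok"


def authorize(ticket, allowed_groups):
    """Authorization half, done by the service from what the ticket carries."""
    return bool(set(ticket.groups) & set(allowed_groups))


def handle_request(ticket, auth, now, cache, allowed_groups):
    """Full service-side decision as a short status string."""
    ok, reason = authenticate(ticket, auth, now, cache)
    if not ok:
        return "denied: " + reason
    if not authorize(ticket, allowed_groups):
        return "authenticated but not authorized"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample values, not real principals or clocks.
    cache = ReplayCache()
    tkt = Ticket("alice", "cifs/fileserver", start=1_000, end=37_000, groups=("finance",))
    print(handle_request(tkt, Authenticator("alice", 5_000), 5_010, cache, ("finance",)))
    print(handle_request(tkt, Authenticator("alice", 5_000), 5_020, cache, ("finance",)))
    print(handle_request(tkt, Authenticator("alice", 5_400), 5_000, cache, ("finance",)))
```

Each rejection reason corresponds to a failure mode named in the comments: a client clock running ahead trips the skew check just as a stale one does, which is why the thread stresses that every participating system must agree on the time, and a captured request resent inside the window is caught by the replay cache rather than by the timestamp alone.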