Comments:
Why doesn't 'S' send the ticket granting ticket (first red message) to 't' itself instead of having 'a' send it to 't', similarly why doesn't 't' do that with 'b'?
I had to implement Kerberos SSO support for the software that my company makes. I had no idea what all the settings did, but now it all makes sense.
Thank you so much Mike for these videos. I'm taking the Security+ right now and I would be lost without you. Your videos really help to solidify the text.
damned, you gave me an earworm I could really live without... at least share it now: 'you're the keeper of the seven keys...' (to be imagined sung in a man's nasal head voice, overlaid by the tortured sounds of a mistreated guitar)
would be very nice if you put all those crypto/network videos into a playlist (sorry if you already did, just couldn't see it)
Mike you should be a Professor at MIT or Harvard ! You are the best !
would not the ticket-granting-tickets be a vulnerability? couldn't you take the known information encrypted with Kst and reverse-engineer it?
I find encryption and cryptography tedious! Always hate it when I click a Computerphile video and it's about this subject 😟 There's a lot of them too.
If "ticket server" sends Kbt{Kab, A, L}, and if A knows Kab, A and L-- A can get Kbt... right?
Mike's face in the thumbnail looks like he was just selected as tribute to fight actual Kerberos
How does this scheme handle NFS and SMB folder permissions? This looks pretty all or nothing. I expect the answer to be pretty involved.
brilliantly explained, thank you
Great video, so well put and easy to understand. I imagine this is how Jared would look if he had decided to go down the tech road and not biz dev.
Well explained thanks!
U of N seems to have all the remaining fanfold paper.
Wonderful video!
I don't get how the long term key Kas is shared between the Kerberos server and computer A.
Wow
Yup. This is it. This is what I'm battling rn. I'm currently waiting on CMOS to clear cause I, after 2 weeks of research, have disabled it hiding from filechecker. I'm giving my a full day draining of electrons just in case there's a rootkit hidden somewhere idk about. I then just have to delete the couple of roots put on my win10 usb via ufi shell then repartition all my drives in Windows installer and I should be rid of all the rootkits and the end of a 3 fkn week battle.
Wish me luck.
If anyone smarter than me reads this and knows I'm wrong PLZ respond. I'm sick of this thing. I want my PC to myself again...
I just came across this in my recommendations and I don't even wanna know what they do to computers in this channel.
Your best video Mike.
I love how every time he says "that's why kerberos is so clever" my security-focused brain says "no, that's why it is so easy to perform lateral movement with kerberos" :D
A wonderful video on how Kerberos works!
it's crazy that all this happens whenever I log onto a computer at school
you all told about Kerberos tens of years but no one said about Java modules epic fail in Linux/Windows environment that don't support MIT Kerberos cred cache algorithm. The cunning Oracle and Hadoop guru cry with foaming at the mouth to prove thousands of tickets per second are a security feature, not an awful bug. If you can't authenticate Java threads so buy millions of CPU cores. When they are poken to full RFC supported C and python, they cry those languages are trash.
When he started drawing a pentagram I thought he was going to summon kerberos
first heard of Kerberos nearly 30 years ago but never used it, this is the first time I've actually gotten a high-level overview that was super easy to understand - thank you!
I've always hated Active Directory. I feel I was unfair.
this guy is just amazing ! great explanation =)
Hi, I'm a bit confused about A B and T and have 2 questions. From the video, A received a short-term K_at from S in order to talk to T. Later, T sends A a key K_ab encrypted in K_bt.
1. The K_bt was said to be long-term. It is supposed to be short-term, right?
2. Similar to K_at being granted from S, K_bt should have been granted from S at an earlier time when B authenticated with S, right? Or is it some other time?
wunderbar !!
This is HANDS DOWN the BEST description of how Kerberos works. Straight forward, easy to understand. I feel like I truly understand it now, vs just having a general idea of what it does. Thanks so much for this great content!!❤❤❤
Amazing teacher. Thank you!
why would you not directly get access from S to B? logging?
I am exception to the comments here. I did not understand after 10 minutes of the presentation.
When I saw him using a tabulation paper with those green lines I subscribed immediately 😊
Hands-down the best explanation I've seen about kerberos auth mechanism on the internet.
Excellent4!
I once had to do some Service Principal configuration & administration with Kerberos in AD. That was >10 years ago. I still have nightmares.
basically, Cerberus is like when you ask your friend friend's number, but your friend's friend ask your friend if it is legit.
Can you make a NTLM authentication video please :)
Terrible explanation, but thanks for trying!
Outstanding video. I have seen so many videos on Kerberos but could not understand them. This video made it crystal clear to me. Thank you very much.
But the first time when I'm setting up the password I am using public key cryptography, right?
How come B has a long term key with T? What if I want to talk to a machine that’s just like me that has no long term key with T? How does it decode the message I pass to it from T? 🤔 Or that’s never the case?
Best explanation of Kerberos on the internet!!
how is kerberos going to block u from contacting another computer ??
Funny thing about Active Directory the database file isn’t even encrypted by default…not that everyone uses a safe that weighs 20000 kg to store its password in. Also it assumes you can trust anyone which is a flaw, like to see an open source OTP-based, quorum-voting, decentralized Kerberos alternative, devil's in the details though, but then again who says you can trust 2/3 votes, with AI that becomes a realistic attack, think game of diplomacy or similar social engineering on mass scales attacks