Page 1

ACCESS CONTROL MANAGEMENT

Poonam Gupta Sowmya Sugumaran

PROJECT GROUP # 3

Page 2

Overview

• Goal of the project
• Project progress
• Closer look at the TGTs
• A few security issues in Kerberos
• Brief intro to Kerberos commands
• A few screen shots
• Immediate tasks ahead

Page 3

Goal of the Project

The goal of the project is to allow clients to access the service servers in a secure and controlled manner using Kerberos.

Page 4

Project Progress

• Installed Kerberos version 5
• Assigned a password for pre-authentication
• Working on incorporating the SRP protocol into pre-authentication

Page 5

Closer look at the TGT

TGT Request Format

  Field                        Size
  1. Version no.               1 byte
  2. Msg Type ID               1 byte
  3. Username                  String
  4. Req. Ticket Instance      String
  5. Kerberos Realm            String
  6. Ts (timestamp)            4 bytes
  7. Req. Ticket Life-time     1 byte
  8. Req. Service              String
  9. Req. Service Instance     String

• TGT: Ticket-to-get-Ticket (exchanged between the client and the authentication server to get access to the Ticket Granting Server)

• There are 9 fields in a TGT request
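As an added example (not from the presentation), here is a packer and parser for the nine-field request format laid out above. Two details the slide does not state are assumed: the string fields are NUL-terminated, as in the Kerberos v4 wire format, and Ts is a 4-byte big-endian integer. The constructed values in the main block show the point made on the next slide: a request built by someone who knows only the public fields is byte-identical to the legitimate one, because no field depends on a key.

```python
import struct

# Added example: packer and parser for the nine-field TGT request shown on the
# slide. Assumptions not stated on the slide: string fields are NUL-terminated
# (Kerberos v4 style) and Ts is a 4-byte big-endian integer.

def _cstring(value: str) -> bytes:
    raw = value.encode("ascii")
    if b"\x00" in raw:
        raise ValueError("string field may not contain NUL")
    return raw + b"\x00"

def _read_cstring(data: bytes, pos: int):
    end = data.index(b"\x00", pos)  # ValueError if the field is unterminated
    return data[pos:end].decode("ascii"), end + 1

def pack_tgt_request(version, msg_type, username, instance, realm,
                     ts, lifetime, service, service_instance) -> bytes:
    for name, val in (("version", version), ("msg_type", msg_type), ("lifetime", lifetime)):
        if not 0 <= val <= 255:
            raise ValueError(f"{name} must fit in one byte")
    return (struct.pack("!BB", version, msg_type)                      # fields 1-2
            + _cstring(username) + _cstring(instance) + _cstring(realm)  # fields 3-5
            + struct.pack("!IB", ts, lifetime)                          # fields 6-7
            + _cstring(service) + _cstring(service_instance))           # fields 8-9

def unpack_tgt_request(data: bytes) -> dict:
    version, msg_type = struct.unpack_from("!BB", data, 0)
    pos = 2
    username, pos = _read_cstring(data, pos)
    instance, pos = _read_cstring(data, pos)
    realm, pos = _read_cstring(data, pos)
    ts, lifetime = struct.unpack_from("!IB", data, pos)
    pos += 5
    service, pos = _read_cstring(data, pos)
    service_instance, pos = _read_cstring(data, pos)
    if pos != len(data):
        raise ValueError("trailing bytes after the last field")
    return {"version": version, "msg_type": msg_type, "username": username,
            "instance": instance, "realm": realm, "ts": ts, "lifetime": lifetime,
            "service": service, "service_instance": service_instance}

if __name__ == "__main__":
    # Constructed values. A second party knowing only the public fields
    # produces a byte-identical request: nothing in it depends on a key.
    legit = pack_tgt_request(4, 1, "alice", "", "EXAMPLE.COM", 0x5B3A0C70, 120, "krbtgt", "EXAMPLE.COM")
    forged = pack_tgt_request(4, 1, "alice", "", "EXAMPLE.COM", 0x5B3A0C70, 120, "krbtgt", "EXAMPLE.COM")
    print(unpack_tgt_request(legit))
    print("forged == legit:", forged == legit)
```

The parser rejects unterminated strings and trailing bytes so that a malformed request fails loudly instead of being silently accepted with a shifted field layout.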

Page 6

Contd.

• The server can't authenticate the TGT request packet
• An intruder can construct a similar-looking packet
• It can be indistinguishable from the legitimate packet

Page 7

Contd..

• Kerberos authenticates the client by sending back an encrypted packet

• The packet is encrypted using the key from the user’s password

• If the user enters the correct password upon logging in, the client can decrypt the packet to obtain the valid TGT

• Unauthorized users get random useless bits

Page 8

TGT Return Packet Format

  Field                        Size
  1. Session key               8 bytes
  2. Service Name              String
  3. Instance                  String
  4. Realm                     String
  5. TGT life-time             1 byte
  6. Ver no.                   1 byte
  7. Encry. Ticket Length      1 byte
  8. Encry. Ticket Block       length given by field 7
  9. Ts                        4 bytes

• The ticket length and ticket block are encrypted using the key derived from the user's password.

Page 9

In Enemy Hands

• Prone to dictionary attack (password cracker)
• An intruder sends a fake TGT request and saves the encrypted TGT to a file
• He then trial-tests a candidate password P:
  1. Convert P to a DES key K: K = string-to-key(P)
  2. Decrypt the TGT with K and check whether it is a valid TGT
  3. If so, P is the user's password

Page 10

Timestamp in Pre-authentication

• Including Ts during pre-authentication:
  C → S: R, Ek{Ts}
  S → C: Ek{TGT}

• Drawback: this prevents an attacker from requesting a TGT, but it does not prevent an eavesdropper from capturing Ek{Ts} or Ek{TGT}

Page 11

Solution: Stronger Cryptography

• A variant of public-key cryptography
• Secure Remote Password (SRP)
  – Properties:
    Resistant to dictionary attack
    Secure even if the password is of low entropy
    Only one password can be guessed per attempt in SRP-6

• SRP can be incorporated into Krb v5 as a pre-authentication mechanism
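To make the SRP properties concrete, here is an added example (not the project's code) of one SRP-6a exchange between a client and a KDC-like server, standing in for the pre-authentication step. The server keeps only a salt and a verifier v = g^x, never the password; each run is one online attempt, and the server releases the TGT only if the client's proof matches. The group parameters are the 1024-bit prime and generator from RFC 5054 Appendix A, copied here by hand (check them against the RFC before relying on them); SHA-256 as the hash and the proof format are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added example: SRP-6a (Wu's Secure Remote Password) as a pre-authentication
# exchange. Group: 1024-bit prime and generator g = 2 from RFC 5054 Appendix A,
# transcribed by hand; verify against the RFC before any real use.
N = int("".join("""
EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C 9C256576
D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4 8E495C1D 6089DAD1
5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29 7BCF1885 C529F566 660E57EC
68EDBC3C 05726CC0 2FD4CBF4 976EAA9A FD5138FE 8376435B 9FC61D2F C0EB06E3
""".split()), 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, read as an integer (assumed hash)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def enroll(username: str, password: str):
    """Server side: store (salt, v = g^x mod N); the password is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)                          # C -> S: A

def server_respond(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N            # S -> C: salt, B

def client_session_key(username, password, salt, a, A, B) -> bytes:
    if B % N == 0:
        raise ValueError("invalid B")               # RFC 5054 sanity check
    u = H(pad(A), pad(B))
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (g^b)^(a + u*x)
    return hashlib.sha256(pad(S)).digest()

def server_session_key(v, b, A, B) -> bytes:
    if A % N == 0:
        raise ValueError("invalid A")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)           # (g^a * g^(x*u))^b
    return hashlib.sha256(pad(S)).digest()

def preauth(username, password_typed, salt, v) -> bool:
    """One online attempt. True means the server would now release Ek{TGT}."""
    a, A = client_start()
    b, B = server_respond(v)
    K_c = client_session_key(username, password_typed, salt, a, A, B)
    K_s = server_session_key(v, b, A, B)
    transcript = pad(A) + pad(B)
    M1 = hmac.new(K_c, transcript, hashlib.sha256).digest()      # client proof
    return hmac.compare_digest(M1, hmac.new(K_s, transcript, hashlib.sha256).digest())

if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse")      # constructed credentials
    print("right password:", preauth("alice", "correct horse", salt, v))
    print("wrong password:", preauth("alice", "battery staple", salt, v))
```

Nothing sent on the wire (A, B, the proof) lets an eavesdropper test password guesses offline, which is the property the slide contrasts with the encrypted-TGT scheme; a wrong guess costs the attacker one failed round trip with the server.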

Page 12

Getting the Tickets

• kinit forwards a request for a TGT to the KDC
• The KDC encrypts the TGT with the user's password and sends it back
• kinit has the following options: -l (lifetime), -f (forwardable tickets), -r (renewable life)

Page 13

Listing the Tickets

• klist lists the tickets of the authenticated user.

• The output after an unsuccessful authentication is:
  klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)

Page 14

Contd..

• klist provides:
  – Information on all tickets
  – Expiration time of each ticket
  – Flags that apply to each ticket

Example:
  Ticket cache: /tmp/krb5cc_1234
  Valid starting         Expires
  29 Jul 98 11:25:47     30 Jul 98 12:25:42

Page 15

Changing Kerberos Password

• kpasswd is used for changing Kerberos passwords
  – kpasswd: Changing password
  – Old password: your_old_password
  – kpasswd: your_new_password
  – New password (again): your_new_password
  – Kerberos password changed

Page 16

Page 17

Page 18

Page 19

Immediate Tasks Ahead

Clock Synchronization

Setting the Master key

Page 20

Clock Synchronization

• All clocks within the organization must be synchronized

• Very important: this protects against replay attacks

• Possible solution: install a time server on one machine and have all clients synchronize their clocks with that machine
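The timestamp pre-authentication exchange from page 10 and the clock-synchronization requirement above fit together in one KDC-side check, shown here as an added example (not the project's code). The KDC verifies Ek{Ts} under the user's key, rejects timestamps outside a skew window, and keeps a replay cache so that a captured Ek{Ts} sent again is refused. Simplifications that are assumptions of this example: Ek{Ts} is modelled as an HMAC of Ts under the key rather than real encryption (the checks are the same), the 5-minute window is the usual Kerberos tolerance, and the clock is injectable so the behaviour can be tested. It does not address the drawback noted on page 10, that an eavesdropper still captures Ek{Ts}; that is what SRP pre-authentication is for.

```python
import hashlib
import hmac
import time

# Added example: KDC-side timestamp pre-authentication with a clock-skew window
# and a replay cache. Ek{Ts} is modelled as HMAC-SHA256(key, Ts) instead of an
# encryption (assumption); CLOCK_SKEW of 5 minutes is assumed.
CLOCK_SKEW = 300

def client_preauth(key: bytes, ts: int):
    """C -> S: Ts together with Ek{Ts} (modelled as an HMAC over Ts)."""
    return ts, hmac.new(key, str(ts).encode(), hashlib.sha256).digest()

class KDC:
    def __init__(self, user_keys: dict, now=time.time):
        self.user_keys = user_keys    # principal -> key derived from the password
        self.now = now                # injectable clock (real time by default)
        self.replay_cache = {}        # tag -> time after which it may be forgotten

    def _expire(self, now: float) -> None:
        # A tag older than the skew window is rejected by the skew check anyway,
        # so entries can be dropped once that window has passed.
        for tag in [t for t, exp in self.replay_cache.items() if exp < now]:
            del self.replay_cache[tag]

    def check_preauth(self, principal: str, ts: int, tag: bytes) -> str:
        key = self.user_keys.get(principal)
        if key is None:
            return "unknown principal"
        expected = hmac.new(key, str(ts).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "pre-auth failed"          # without the key there is no valid Ek{Ts}
        now = self.now()
        if abs(now - ts) > CLOCK_SKEW:
            return "clock skew too great"     # why every clock must be synchronized
        self._expire(now)
        if tag in self.replay_cache:
            return "replay"                   # a captured Ek{Ts} presented again
        self.replay_cache[tag] = now + CLOCK_SKEW
        return "ok"                           # KDC would now return Ek{TGT}

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed: string-to-key(password)").digest()
    kdc = KDC({"alice": key})
    ts, tag = client_preauth(key, int(time.time()))
    print(kdc.check_preauth("alice", ts, tag))   # ok
    print(kdc.check_preauth("alice", ts, tag))   # replay
```

With the clock fixed, the four outcomes can be exercised in order: a fresh request is accepted, the same bytes again are a replay, a tag made without the key fails, and a request from a client whose clock is ten minutes off is rejected for skew even though its tag is valid.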

Page 21

Setting the Master Key

• The database master key protects the database from accidental disclosure

• It is derived from a pass phrase and stored in a stash file

• Don't back up the stash file when making tape backups of the database

• Prompts when setting it:
  – Master key: <enter pass phrase>
  – Verifying password – Master key: <enter pass phrase again>

Page 22

Page 23

Thank You!