James Johnson. What is it? A system of authenticating securely over open networks Developed by MIT...
Page 1
James Johnson
Page 2
What is it?
A system of authenticating securely over open networks
Developed by MIT in 1983
Based on Needham-Schroeder
Extended to fix vulnerabilities in Needham-Schroeder
Currently widely used in industry
  Active Directory
Page 3
Why do I care?
Managing users across a huge network of computers is a pain
  Individual users configured on each computer? LOL
Much easier to have a single authentication source
Kerberos provides this single source of authentication
Page 4
How Does It Work?
Clients authenticated using username and password
Single sign on
  User authenticates with username and password once per session
  From then on, permissions granted using cryptographic “tickets”
Page 5
Cast of Characters
Principal (you)
Ticket Granting Service (TGS)
Key Distribution Center (KDC)
  TGS and KDC separate entities on same host
Service Server (SS)
Page 6
Kerberos Authentication
Page 7
Messages (User Auth)
User -> Client: User, Pass
  Key_user = Hash(Password)
Client -> AS: User ID
AS -> Client:
  Session key: {Sess}Key_user
  TGT: {Client ID, Client addr, validity period, Sess}Key_server
Page 8
Messages (Service Auth)
Client -> TGS:
  TGT: {Client ID, Client addr, validity period, Sess}Key_server
  Requested Service ID
  Authenticator: {Client ID, Timestamp}Sess
TGS -> Client:
  Client-Server Ticket: {Client ID, Client addr, validity period, Session_Client-Server}Key_service
  {Session_Client-Server}Sess
Page 9
Messages (Service Request)
Client -> Service:
  Client-Server Ticket
  Authenticator: {Client ID, Timestamp_A}Session_Client-Server
Service -> Client:
  {Timestamp_A + 1}Session_Client-Server
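The three exchanges on pages 7 to 9 (AS, TGS and AP), as an added example that is not part of the slides: a stdlib-only Python model in which each party only ever sees what the slides say it receives. The names follow the slides (Key_user = Hash(Password), Sess, Key_server, Key_service, Session_Client-Server). The cipher is a toy (SHA-256 keystream plus an HMAC tag) so the file runs offline; real Kerberos uses the enctypes of RFC 3961/3962. The skew window, ticket lifetime, the principal "alice", the address and the service name "host/fileserver" are constructed values. The verifier-side checks (validity period, client address, authenticator timestamp inside the skew window, replay cache) are the defender's side of the "synchronize clocks" point on page 14.

```python
import hashlib, hmac, json, os, time

SKEW = 300           # seconds of clock skew tolerated (assumed value)
LIFETIME = 8 * 3600  # ticket validity period in seconds (assumed value)

def _keystream(key, nonce, n):  # toy keystream: SHA-256(key || nonce || counter)
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """{obj}key from the slides: serialise, XOR with keystream, append an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Inverse of encrypt; a wrong key (e.g. a wrong password) fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()  # Key_user = Hash(Password), page 7

def check_ticket(ticket, client_addr):
    """Enforce the validity period and client address carried inside the ticket."""
    if not ticket["start"] - SKEW <= time.time() <= ticket["end"]:
        raise ValueError("ticket outside its validity period")
    if ticket["addr"] != client_addr:
        raise ValueError("ticket presented from an address it was not issued to")

def check_authenticator(auth, ticket, seen):
    """{Client ID, Timestamp}: must match the ticket, be fresh, and not be a replay."""
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator client does not match ticket")
    if abs(time.time() - auth["ts"]) > SKEW:
        raise ValueError("clock skew too great: clients and KDC need synchronised clocks")
    if (auth["client"], auth["ts"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))

class KDC:
    """AS and TGS on one host, as on the 'Cast of Characters' slide."""
    def __init__(self):
        self.user_keys = {}
        self.key_server = os.urandom(32)                         # Key_server, protects TGTs
        self.service_keys = {"host/fileserver": os.urandom(32)}  # Key_service (constructed name)
        self.seen = set()                                        # TGS replay cache

    def add_user(self, user, password):
        self.user_keys[user] = key_from_password(password)

    def as_exchange(self, user, addr):
        """Page 7. Client -> AS: User ID. AS -> Client: {Sess}Key_user and TGT = {...}Key_server."""
        sess, now = os.urandom(32), time.time()
        tgt = {"client": user, "addr": addr, "start": now, "end": now + LIFETIME, "sess": sess.hex()}
        return encrypt(self.user_keys[user], {"sess": sess.hex()}), encrypt(self.key_server, tgt)

    def tgs_exchange(self, tgt_blob, service, auth_blob, addr):
        """Page 8. Client -> TGS: TGT, service ID, {Client ID, Timestamp}Sess.
        TGS -> Client: {...}Key_service and {Session_Client-Server}Sess."""
        tgt = decrypt(self.key_server, tgt_blob)
        check_ticket(tgt, addr)
        sess = bytes.fromhex(tgt["sess"])
        check_authenticator(decrypt(sess, auth_blob), tgt, self.seen)
        sess_cs = os.urandom(32)
        ticket = dict(tgt, sess=sess_cs.hex())
        return encrypt(self.service_keys[service], ticket), encrypt(sess, {"sess": sess_cs.hex()})

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()

    def ap_exchange(self, ticket_blob, auth_blob, addr):
        """Page 9. Client -> Service: ticket, {Client ID, Timestamp_A}Session_Client-Server.
        Service -> Client: {Timestamp_A + 1}Session_Client-Server, proving it holds Key_service."""
        ticket = decrypt(self.key, ticket_blob)
        check_ticket(ticket, addr)
        sess_cs = bytes.fromhex(ticket["sess"])
        auth = decrypt(sess_cs, auth_blob)
        check_authenticator(auth, ticket, self.seen)
        return encrypt(sess_cs, {"ts": auth["ts"] + 1})

def client_login(kdc, svc, user, password, addr, service="host/fileserver"):
    """One single-sign-on run; True only if the service answered with Timestamp_A + 1."""
    sess_blob, tgt_blob = kdc.as_exchange(user, addr)
    sess = bytes.fromhex(decrypt(key_from_password(password), sess_blob)["sess"])
    auth = encrypt(sess, {"client": user, "ts": time.time()})
    ticket_blob, cs_blob = kdc.tgs_exchange(tgt_blob, service, auth, addr)
    sess_cs = bytes.fromhex(decrypt(sess, cs_blob)["sess"])
    ts_a = time.time()
    reply = svc.ap_exchange(ticket_blob, encrypt(sess_cs, {"client": user, "ts": ts_a}), addr)
    return decrypt(sess_cs, reply)["ts"] == ts_a + 1
```

Two things the model makes visible: a wrong password never reaches the KDC as a rejected request, it surfaces on the client as a failed tag check on the AS reply (which is why real deployments require pre-authentication before the AS hands out that reply), and every verifier keeps its own replay cache, so presenting the same ticket and authenticator a second time is refused even though both still decrypt correctly.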
Page 10
Domains/Realms
Kerberos designed to work across organizational boundaries
Each TGS constitutes a realm
Organizations can share “inter-realm keys”
Local AS issues TGT for remote TGS
  Encrypted with inter-realm key
  “Referral Ticket”
Page 11
Transitive Domain Referral
Page 12
Hierarchical Domains/Realms
Each realm shares a key with parent
Different key for each child
If no shared key between two realms, authentication path can be constructed
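How the "authentication path" on page 12 and the shortcut inter-realm keys on page 10 fit together, as an added example that is not from the slides: the function below assumes every realm holds a key with its parent realm when that parent exists, adds any explicitly shared inter-realm keys, and searches for the shortest chain of referrals between two realms. The realm names are constructed; the function and its arguments are this example's own, not an API of any Kerberos implementation.

```python
from collections import deque

def parent_realm(realm):
    """Parent by name in the hierarchy: ENG.EXAMPLE.COM -> EXAMPLE.COM; a one-label realm has none."""
    return realm.split(".", 1)[1] if "." in realm else None

def authentication_path(src, dst, realms, direct_keys=()):
    """Shortest chain of realms a client in src is referred through to reach dst.

    realms: the set of realms that exist. A parent/child key is assumed for every
    realm in the set whose parent (by name) is also in the set (page 12).
    direct_keys: pairs of realms that explicitly share an inter-realm key (page 10).
    Returns [src, ..., dst], or None when no chain of shared keys connects them."""
    edges = {}
    def link(a, b):
        edges.setdefault(a, set()).add(b)
        edges.setdefault(b, set()).add(a)
    for realm in realms:
        par = parent_realm(realm)
        if par in realms:
            link(realm, par)
    for a, b in direct_keys:
        link(a, b)
    # Breadth-first search: the first time dst is reached is via the fewest referrals.
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(edges.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None

# Constructed realm layout: two child realms under EXAMPLE.COM, one under PARTNER.ORG.
REALMS = {"ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM", "EXAMPLE.COM",
          "PARTNER.ORG", "SALES.PARTNER.ORG"}
```

The list this returns is what ends up recorded as the transited realms in the issued ticket, so a service that trusts EXAMPLE.COM but not PARTNER.ORG can reject a ticket whose path crosses the latter even though every hop along the way was cryptographically valid.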
Page 13
Typical Implementations
MIT
Heimdal
  Adds some functionality
Java
Microsoft Active Directory
  Kerberos + LDAP + RPC
  Does not use MIT software
Page 14
Security/Implementation Concerns
Synchronize clocks
  NTP server
DO NOT USE KERBEROS 4
Single point of failure
  Harden servers
  Consider redundancy of KDCs
    One primary master, many secondary slaves
    No automatic failover
Page 15
Kerberos + OpenLDAP
Kerberos can use LDAP backend instead of DB file
Eases DB replication and user management
Easy to do – Ubuntu packages, howtos
Page 16
Cross-Platform Integration
UNIX-only Kerberos networks are fairly straightforward
  All use MIT software
Windows screws everything up
Tools for integrating Linux/BSD into AD
  SAMBA
  Likewise Open
  Aspirin
  SAMBA cannot act as an AD domain controller
Page 17
Conclusions
Kerberos greatly eases user management in Enterprise
Allows for fine-grained control Inter-platform operation can be taxing
Page 18
Resources
http://technet.microsoft.com/en-us/library/bb742516.aspx
http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html#overview
http://tools.ietf.org/html/rfc4120
http://www.kerberos.org/events/2010conf/2010slides/2010kerberos_panel2.pdf