a talk about ms sfu kerberos extensions protocol
play

A Talk about MS-SFU Kerberos Extensions: Protocol Transition - PowerPoint PPT Presentation

Nov 13, 2022 •24 likes •84 views

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019 Agenda Why S4U2Self is important for Samba. How does it work in local and cross realm.

  1. A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019

  2. Agenda ● Why S4U2Self is important for Samba. ● How does it work in local and cross realm. ● Recent CVEs related to S4U2Self. ● A couple of words on S4U2Proxy and RBCD.

  3. What is S4U2Self and why you should care ● Any server providing resources needs to have a mean to authenticate the user and to get a the list of groups the user is member of for authorization. ● Usually user’s password is required to get user’s token (Kerberos or NTLM). ● Any other authentication schemes (TLS, OTP, name it) can’t get us a token. ● LDAP is the problem - not the solution. ● The consensus on Samba ML is that the best solution is S4U2Self. Supports enterprise-names and and X509 certificates. ○ We can and should implement S4U2Self within winbind! ○

  4. How does it work ● PA-FOR-USER. ● PA-S4U-X509-USER - only implemented in MIT. ● Cross Realm S4U2Self - only implemented in MIT. ● TODOs: ○ Porting S4U code from MIT to Heimdal. ○ Add test coverage to Samba MIT build.

  5. MS-SFU 2.2.1 PA-FOR-USER: The PA-FOR-USER padata value is protected with the help of a *keyed* checksum, as defined below...

  6. CVEs related to S4U2Self ● Samba CVE-2018-16853: A user in a Samba AD domain can crash the MIT KDC by requesting an S4U2Self ticket. https://github.com/samba-team/samba/commit/6ab51b2af90f5dca11b8587b2a16215ab4497069 https://github.com/samba-team/samba/commit/6c453aeb0c771d14fe501e9a37d9f51b9403872b ● MIT Kerberos CVE-2018-20217: Reachable Assertion. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request. https://github.com/krb5/krb5/commit/94e5eda5bb94d1d44733a49c3d9b6d1e42c74def ● Samba CVE-2018-16860 / Microsoft CVE-2019-0734: S4U2Self with unkeyed checksums. https://github.com/samba-team/samba/commit/43958af1d50f0185e21e6cd74110c455ee8996af A python tool for intercepting and manipulating Kerberos packets, can be used to test KDC handling of unkeyed S4U2Self requests: https://github.com/iboukris/S4U/blob/master/kintercept/kintercept.py

Recommend

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding Principles Use Unicode restricted as needed to provide interoperability and future extensibility A single set of string preparation rules for all

173 views • 14 slides
Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but Motivation : In a multi-national company, its computational expensive distributed information services are usually maintained by various business units

461 views • 7 slides
Hybrid scheme Kerberos protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos protocol Public-key: nice solution for key distribution, but Question in Homework 4 computational expensive Two Key Distribution Centers (KDC): AS, Secret-key: efficient, but one requirement. TGS. In

513 views • 22 slides
Extensibility in the Kerberos Protocol Sam Hartman Mekinok, Inc. IETF 52 Table of Contents

Extensibility in the Kerberos Protocol Sam Hartman Mekinok, Inc. IETF 52 Table of Contents

Extensibility in the Kerberos Protocol Sam Hartman Mekinok, Inc. IETF 52 Table of Contents Slide Title Slide# I. Why Extensibility? 4 Arguments for Extensibility 5 Protocol Requirements from Vendors 6 IETF Concerns About Vendor

234 views • 22 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman Steffan Roobol 04-07-2019 Introduction Figure 1: Kerberos Protocol 2 Problem Figure 1: the LSASS process and Mimikatz. 3 Research Questions

520 views • 27 slides
Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context Kerberos I Authentication protocol Reduce amount of sensitive credentials sent over the network Commonly used in Linux networks (e.g. Hadoop)

604 views • 35 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Cheap Talk Games: Extensions Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap

Cheap Talk Games: Extensions Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap

Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap Talk Games: Extensions Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap Talk Games: Extensions Outline (November 12, 2008) The Art of Conversation:

1.05k views • 93 slides
SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple

SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple

SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple Object Access Protocol Abstract Stateless Messaging Protocol Another XML-based Meta-Standard SOAP Processing Model SOAP Message Construct

397 views • 16 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
Kerberos & X.509 11

Kerberos & X.509 11

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides
Concurrent Programming with Parallel Extensions to .NET Joe Duffy Architect & Development

Concurrent Programming with Parallel Extensions to .NET Joe Duffy Architect & Development

Concurrent Programming with Parallel Extensions to .NET Joe Duffy Architect & Development Lead Parallel Extensions Talk Outline Overview 5 things about Parallel Extensions 1. Tasks and futures 2. Parallel loops 3. Parallel LINQ

650 views • 36 slides
A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Project Goals Give precise statement and formal analysis of a real world protocol Find a real world

474 views • 25 slides
Accuracy Enhancements of the 802.11 Model and EDCA QoS Extensions in ns-3 Completion Talk Timo

Accuracy Enhancements of the 802.11 Model and EDCA QoS Extensions in ns-3 Completion Talk Timo

Accuracy Enhancements of the 802.11 Model and EDCA QoS Extensions in ns-3 Completion Talk Timo Bingmann Decentralized Systems and Network Services Research Group Institute of Telematics, University of Karlsruhe June 26, 2009 Roadmap 1 Thesis

570 views • 39 slides
Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading assignment: Chapters 13-14 G. Noubir, Network Security Kerberos Outline Kerberos V4 Kerberos V5 G. Noubir, Network Security Kerberos 2 What is

1.16k views • 9 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

11/27/17 Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27, 2017 Sprenkle - CSCI325 1 Kerberos Trusted third party, runs by default on port 88 Security objects: Ticket: token, verifying

407 views • 30 slides

More recommend