cross realm kerberos authentication
play

Cross-Realm Kerberos Authentication A study into implementations and - PowerPoint PPT Presentation

Apr 05, 2023 •355 likes •558 views

Introduction Background Approach and Results Conclusion Cross-Realm Kerberos Authentication A study into implementations and compatibility Esan Wit Mick Pouw Supervisor: Michiel Leenaars A System and Network Engineering RP University of

  1. Introduction Background Approach and Results Conclusion Cross-Realm Kerberos Authentication A study into implementations and compatibility Esan Wit Mick Pouw Supervisor: Michiel Leenaars A System and Network Engineering RP University of Amsterdam July 3, 2014 Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 1 / 19

  2. Introduction Background Approach and Results Conclusion Introduction • Around since ancient times (’80s) • Version 5 from 1993, revised in 2005 • Offers authentication in networks between clients and services • Single Sign On • “Yesteryear’s OAuth” • Many implementations exist • Active Directory • Heimdal • MIT Kerberos • Shishi Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 2 / 19

  3. Introduction Background Approach and Results Conclusion Previous research • Implementation of cross-realm referral handling in MIT Kerberos client • Research by Cervesato et al. illustrated the possibility to impersonate users by rogue KDCs • Much debate about cross-realm options • But very little in the way of implementations • Specifying Kerberos 5 cross-realm authentication Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 3 / 19

  4. Introduction Background Approach and Results Conclusion Goals The goal is to check the current status of Kerberos implementations and identifying possibilities for dynamic configuration to enable cross-realm authentication. E.g. using an @OS3.NL account to authenticate a user for their Facebook profile. • Analyse the interoperability between implementations • Research default behaviour for edge cases • Research options for Cross Realm trust configurations • Analyse cryptographic behaviour Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 4 / 19

  5. Introduction Background Approach and Results Conclusion Kerberos recap • Authentication provider relying on trusted third party • Based on shared secrets • Tickets are encrypted so only the intended recipient can decrypt it • Designed to provide authentication on untrusted networks • Password is not send over the network • Supports public key cryptography Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 5 / 19

  6. Introduction Background Approach and Results Conclusion Kerberos Illustrated Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 6 / 19

  7. Introduction Background Approach and Results Conclusion Kerberos Cross-Realm Illustrated Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 7 / 19

  8. Introduction Background Approach and Results Conclusion Testing basic functionality • Testing combinations of all implementations, focused on receiving a valid ticket • Clients authenticated using password • Services using keytab via GSS-API Requirements • Machines taking role of either client, service, or KDC. • Configured DNS • Patience Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 8 / 19

  9. Introduction Background Approach and Results Conclusion Testing basic functionality • Testing combinations of all implementations, focused on receiving a valid ticket • Clients authenticated using password • Services using keytab via GSS-API Requirements • Machines taking role of either client, service, or KDC. • Configured DNS • Patience • A lot of it Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 8 / 19

  10. Introduction Background Approach and Results Conclusion Testing basic functionality KDC Client Active Directory Heimdal MIT Shishi ✗ 1 ✗ 1 ✗ 1 Active Directory ✓ Heimdal ✓ ✓ ✓ ✓ MIT ✓ ✓ ✓ ✓ Shishi ✓ ✓ ✓ ✓ Service Active Directory Heimdal MIT Shishi ✗ 1 ✗ 1 ✗ 1 Active Directory ✓ Heimdal ✓ ✓ ✓ ✓ MIT ✓ ✓ ✓ ✓ ✗ 2 ✗ 2 ✗ 2 ✗ 2 Shishi Table: Compatibility between implementations 1 No service available for testing 2 Shishi GSSAPI not implemented yet, but service ticket can be requested Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 9 / 19

  11. Introduction Background Approach and Results Conclusion Crypto compatibility Active Directory Heimdal MIT Shishi AES128/256-SHA1 ✓ ✓ ✓ ✓ CAMELLIA128/256- CTS-CMAC ✓ DES3-CBC-SHA1 ✓ ✓ ✓ DES-CBC-CRC 3 ✓ ✓ ✓ DES-CBC-MD5 3 ✓ ✓ ✓ DES-CBC-MD4 3 ✓ ✓ RC4-HMAC-EXP 3 ✓ ✓ RC4-HMAC ✓ ✓ ✓ ✓ Table: Ciphers implemented 3 Considered weak[2] Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 10 / 19

  12. Introduction Background Approach and Results Conclusion Testing PKINIT compliance • Use of public key cryptography for authentication and encryption • Chain of trust maintained as standard X.509 certificates • Any certificate authority • Extended Key Usage (EKU) • X.509 Subject Alternative Name (SAN) extension • Or if you’re Microsoft: • dNSName containing a SAN of the hostname of the KDC Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 11 / 19

  13. Introduction Background Approach and Results Conclusion PKINIT Results • Shishi no support. • Windows has it’s own format • MIT EKU tested/confirmed • Heimdal support for both formats, EKU tested/confirmed • Connecting to MIT KDC weak encryption, DH parameters Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 12 / 19

  14. Introduction Background Approach and Results Conclusion DNS Kerberos uses DNS to find the KDC servers of a realm. This is accomplished by using SRV records and will make the realm configuration in the configuration kerberos. tcp.ad.os3.nl. IN SRV 01 00 88 ad.os3.nl. • kerberos. udp.ad.os3.nl. IN SRV 01 00 88 ad.os3.nl. • • Behaviour was analysed under several configurations • MIT Kerberos 5, Heimdal and Shishi clients all use DNS if realm is unknown 4 4 provided a user specifies a realm when attempting to perform initial authentication Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 13 / 19

  15. Introduction Background Approach and Results Conclusion Cross-Realm setup • All manually configured, no automatic options available • Requires shared secret between KDCs • All cross-realm trusts are one-way • Add a principal in the right direction • Two-way trust is possible • Add principals for both directions Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 14 / 19

  16. Introduction Background Approach and Results Conclusion Cross-Realm requirements Active Directory Heimdal MIT Shishi ✗ 5 Active Directory ✓ ✓ ✓ ✗ 5 Heimdal ✓ ✓ ✓ ✗ 5 MIT ✓ ✓ ✓ ✗ 5 ✗ 5 ✗ 5 ✗ 5 Shishi Table: Cross compatibility 5 Shishi does not support cross realm configuration Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 15 / 19

  17. Introduction Background Approach and Results Conclusion Conclusion • The implementations adhere to the protocol • Most conflicts occur from other variables • Much remains to be done to enable auto-configuration • Public key cryptography for communication between KDCs • Heimdal and MIT Kerberos 5 are most compatible Note: Many documents are outdated when it concerns Kerberos Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 16 / 19

  18. Introduction Background Approach and Results Conclusion Future Work • Finish Shishi • Better debugging options in the implementations • Improve interoperability between implementations • Dynamic configurable trust • Foreign trust policies • Asynchronous Cryptography for Cross-Realm trust • PKCROSS started as draft but remains unfinished • As of this week some activity again on the mailing list Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 17 / 19

  19. Introduction Background Approach and Results Conclusion Questions? Takeaways in Kerberos • Check your time • KERBEROS LOVES CAPS (and so do config files) • When in doubt, DNS! Special thanks to Michiel Leenaars and Rick van Rein for their input and feedback during this project. Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 18 / 19

  20. Introduction Background Approach and Results Conclusion I. Cervesato et al. “Specifying Kerberos 5 Cross-realm Authentication”. In: Proceedings of the 2005 Workshop on Issues in the Theory of Security . WITS ’05. Long Beach, California, 2005, pp. 12–26. isbn : 1-58113-980-2. L. Hornquist Astrand and T. Yu. Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos . RFC 6649 (Best Current Practice). Internet Engineering Task Force, July 2012. Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 19 / 19

Recommend

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov Supported by ONR, NSF, NRL Overview Introduction Kerberos 5 Formalization Properties

454 views • 24 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Problem statements on cross-realm authentication Shoichi Sakane Shouichi.Sakane@jp.yokogawa.com

Problem statements on cross-realm authentication Shoichi Sakane Shouichi.Sakane@jp.yokogawa.com

Problem statements on cross-realm authentication Shoichi Sakane Shouichi.Sakane@jp.yokogawa.com The 66 th IETF meeting 07/06/06 Yokogawa Electric Corporation 1 Purpose of this presentation Not presentation of our extension.

253 views • 12 slides
A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019 Agenda Why S4U2Self is important for Samba. How does it work in local and cross realm.

84 views • 6 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After learning all the foundation of modern cryptography, we are ready to see some real world applications based on them. What happened when you

592 views • 33 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context Kerberos I Authentication protocol Reduce amount of sensitive credentials sent over the network Commonly used in Linux networks (e.g. Hadoop)

604 views • 35 slides
Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: Authentication 1 Cryptography in

Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: Authentication 1 Cryptography in

Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: Authentication 1 Cryptography in Practice: Entity Authentication, SSH Entity Authentication 2 Kerberos 5 Renate Scheidler Station-to-Station protocol Department of Mathematics

297 views • 8 slides
e-authentication Practices: A road to global implementation of e-authentication for

e-authentication Practices: A road to global implementation of e-authentication for

Market-driven e-authentication Practices: A road to global implementation of e-authentication for cross-bordered trade document Mr. Wanawit Ahkuputra Deputy Executive Director of ETDA Thailand HOD and AFACT chair. Building Soft

533 views • 13 slides
REALM 101 MARCH 18, 2018 12:30, JEFFERSON HALL A MESSAGE FROM JULIA REALM RESOURCES This

REALM 101 MARCH 18, 2018 12:30, JEFFERSON HALL A MESSAGE FROM JULIA REALM RESOURCES This

REALM 101 MARCH 18, 2018 12:30, JEFFERSON HALL A MESSAGE FROM JULIA REALM RESOURCES This presentation and other resources can be found at: WWW .USSB.ORG/REALM YOU ARE INVITED! You must have an invitation to join Realm Only members

565 views • 53 slides
The Spooky Spiritual Realm What we need to know What is the spooky spiritual realm?

The Spooky Spiritual Realm What we need to know What is the spooky spiritual realm?

The Spooky Spiritual Realm What we need to know What is the spooky spiritual realm? Paranormal not scientifically explainable - In the spirit realm there are holy and unholy paranormal phenomena. - There is money to be made. -

620 views • 12 slides
@GregBala Greg.b@BDAEntertainment.com About us Realm of Empires - MMORTS Started Played on

@GregBala Greg.b@BDAEntertainment.com About us Realm of Empires - MMORTS Started Played on

Cross-platform apps, for mobile and desktop Porting Realm of Empires to mobile HTML5 Greg Balajewicz @GregBala Greg.b@BDAEntertainment.com About us Realm of Empires - MMORTS Started Played on Win8 mobile browser FireFoxOS? Amazons

566 views • 45 slides
Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor support for authentication in

917 views • 34 slides
Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction

Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction

Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction Sophisticated network authentication system holy grail of sys & net admins: secure single sign on Used by large organizations and academic

515 views • 38 slides
Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
CSCE 790 Secure Computer Systems PKI and Kerberos Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems PKI and Kerberos Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems PKI and Kerberos Professor Qiang Zeng Spring 2020 Previous Class Important Applications of Crypto User Authentication verify the identity based on something you know Sending the

302 views • 26 slides

More recommend