
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, - PowerPoint PPT Presentation



  1. Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1

  2. Agenda
     • Distributed system security
     • Introduction to Kerberos V4
     • Kerberos Realms
     • Authentication with Kerberos in Windows NT 5 and Windows 2000
     • Kerberos in Unix-like operating systems

  3. Distributed Systems Security

  4. Distributed Systems
     • A distributed system: a collection of computers linked via some network.
     • Characteristic: The components of the distributed system may be under the authority of different organizations, and may be governed by different security policies.
     • Example: The Internet

  5. Security Issues in Distributed Systems (1)
     • Impersonation of user:
       – A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
     • Impersonation of workstation:
       – A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.

  6. Security Issues in Distributed Systems (2)
     • Replay attacks:
       – A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
     • Conclusion:
       – In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access.

  7. Security Services in Distributed Systems
     • Authentication
     • Guarding the boundaries of internal networks
       – Firewalls
     • Access control to distributed objects
       – Access control techniques
     • Availability
       – Counter DoS techniques

  8. Security Policies
     • Fact: In a distributed system, users are not necessarily registered at the node where they access an object.
     • Question: How to authenticate a user?
     • Question: What is the basis for access control decisions?

  9. Basis for Authentication and Access Control
     • The user identity and password;
     • the network address the user operates from;
       – e.g., any machine in UST can access the Elsevier database;
     • the distributed service the user is invoking, i.e., the access operation.
       – Anyone can read but cannot modify documents posted on my personal web page.

  10. Examples: Unix System
     • ftp: transfers files between Unix systems.
     • telnet, rlogin: remote access
       – use user identity and password for authentication;
       – use the normal Unix access control.
     • New problem: How can my password travel through the network securely?

  11. Security Enforcement
     • Once you have sorted out security policies, you have to decide where to enforce them!
       – Where in the system do you authenticate a user?
       – Where in the system do you make an access control decision?
     Authentication: Kerberos (V4 and V5)

  12. Kerberos Version 4

  13. Kerberos Version 4
     • Centralized network authentication service
     • Developed in Project Athena at MIT

  14. Environment Addressed
     • An open distributed environment in which
       – Users at workstations wish to access services on servers distributed throughout the network.
       – Servers can:
         • restrict access to authorized users and
         • authenticate requests for service.
       – Workstations cannot be trusted to identify their users correctly to network services.

  15. Requirements for Kerberos
     • Secure: An opponent cannot impersonate a user, and the Kerberos service should not be a weak link.
     • Reliable: A highly reliable Kerberos service, to ensure availability of the services supported by the application servers.
     • Transparent: Users are only required to enter a password once and are unaware of the authentication.
     • Scalable: The system can support large numbers of clients and servers.

  16. Kerberos 4 Overview
     • A basic third-party authentication scheme
     • Has an Authentication Server (AS)
       – users initially negotiate with the AS to identify themselves
       – the AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
     • Has a Ticket Granting Server (TGS)
       – users subsequently request access to other services from the TGS on the basis of the user's TGT

  17. (Figure)
     1. Each user shares a key with the AS
     2. The TGS shares a key with the AS
     3. All servers are registered with the TGS

  18. Further Information
     • Only one symmetric cipher, i.e., DES, is used in Version 4. In Version 5, AES is used.
     • Each client needs to share a secret key with the AS only.
     • ID, timestamp and network address are used for authentication.
     • Technical details of the protocol are omitted here (see Appendix).

  19. Kerberos Realm
     • Kerberos realm:
       – The environment in which one Kerberos server manages the authentication process.
     • The environment of one realm:
       – The Kerberos server of one realm holds the ID and hashed password of every user in the realm.
       – The Kerberos server must share a secret key with each server.
       – All servers are registered with the Kerberos server.

  20. Authentication with Kerberos in Windows NT and Windows 2000

  21. Authentication in Windows NT 5 and Windows 2000
     • The main objective is to present the basic idea without technical details.
     • Those who wish to have details should read Kerberos 5 and the details of Windows NT 5 and Windows 2000.

  22. The Basic Idea
     • Use a KDC to run the AS and TGS in Kerberos.
     • The KDC is located in the Domain Controller.
     • Use the TGT and service ticket as access tokens.

  23. Initial Kerberos Ticket: Ticket Granting Ticket (TGT)
     • First ticket is a Ticket Granting Ticket
       – Used by the client to get tickets to other services
       – Contains authorization data based on group membership and privileges
     • Ticket is encrypted in the user's key known by the KDC
       – Requires knowledge of the password to use
     • Tickets are stored in a ticket cache managed by the LSA (Local Security Authority).

  24. (Figure: AS, TGS)

  25. Comments on Kerberos Authentication
     • Single Sign-On (SSO)
       – Simple administration
       – Good administrative control
       – Good user productivity
       – Good network security

  26. Kerberos in Unix-like Operating Systems
     • FreeBSD, Apple's Mac OS X, Red Hat Enterprise Linux, Oracle's Solaris, IBM's AIX and z/OS, HP's HP-UX and OpenVMS
     • It is used for Kerberos authentication of users or services.

  27. Two Ideas in Kerberos
     • Protocol 1
       – A → E_k(ID_A || ID_B || timestamp) → B
       – What security services are provided by this protocol?
     • Protocol 2
       – A → E_k(ID_A || ID_B || ID_V || Period of validity) → B
       – V is the email server
       – k is a secret key shared by A and V
       – It is a ticket for B issued by A. B can use it for email services many times.

  28. Appendix: Details of Kerberos V4

  29. Version 4 Authentication Dialogue (3)

  30. Index
     • k_c: the secret key shared between C and the AS.
     • k_tgs: the secret key shared between the TGS and the AS.
     • k_{c,tgs}: the session key for C and the TGS, generated by the AS.
     • k_{c,v}: the session key for C and V, generated by the TGS.
     • TS: timestamp.
     • ID_c: C's ID.
     • AD_c: C's network address.
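The following is an added example and not part of the slides or of any Kerberos implementation. It models, in the Index notation, the V4 dialogue sketched in slides 16-18: an AS exchange that yields a TGT, a TGS exchange that yields a ticket for a server V, and the client/server exchange, with the server-side checks that realize the "two ideas" of slide 27 (a timestamped authenticator for freshness, a ticket with a period of validity for reuse). Everything not on the slides is an assumption: the cipher is a toy authenticated stream built from HMAC-SHA256 standing in for DES, the JSON field encoding replaces the concatenation "||", and the user "alice", server "mail", addresses, password, lifetime and clock-skew values are constructed.

```python
import hashlib, hmac, json, os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed value, not from the slides)
SKEW = 300            # tolerated clock skew on authenticator timestamps (constructed value)

def string_to_key(password):
    # k_c is derived from the user's password; a hash stands in for V4's DES string-to-key
    return hashlib.sha256(b"k_c:" + password.encode()).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, fields):
    # Toy authenticated encryption standing in for DES: E_k(field_1 || field_2 || ...)
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_ticket(k_server, k_session, id_c, ad_c, id_v, now):
    # Ticket = E_{k_v}(k_{c,v} || ID_c || AD_c || ID_v || TS || lifetime); only V can open it
    return encrypt(k_server, {"k_session": k_session.hex(), "ID_c": id_c, "AD_c": ad_c,
                              "ID_v": id_v, "TS": now, "lifetime": LIFETIME})

def make_authenticator(k_session, id_c, ad_c, now):
    # Authenticator = E_{k_{c,v}}(ID_c || AD_c || TS): proves C holds the session key right now
    return encrypt(k_session, {"ID_c": id_c, "AD_c": ad_c, "TS": now})

def verify(k_server, ticket, authenticator, ad_src, now, seen):
    """Checks performed by both the TGS and V; returns the ticket fields or raises."""
    t = decrypt(k_server, ticket)                         # only the issuer knows k_server
    if now > t["TS"] + t["lifetime"]:
        raise PermissionError("ticket expired")           # period of validity (protocol 2)
    if t["AD_c"] != ad_src:
        raise PermissionError("ticket used from another address")  # workstation impersonation
    a = decrypt(bytes.fromhex(t["k_session"]), authenticator)      # requester holds k_session
    if (a["ID_c"], a["AD_c"]) != (t["ID_c"], t["AD_c"]):
        raise PermissionError("authenticator does not match ticket")
    if abs(now - a["TS"]) > SKEW:
        raise PermissionError("stale timestamp")          # freshness (protocol 1)
    if (a["ID_c"], a["TS"]) in seen:
        raise PermissionError("replayed authenticator")   # replay cache inside the skew window
    seen.add((a["ID_c"], a["TS"]))
    return t

class KDC:
    """AS and TGS in one process, as the Windows slides describe the KDC."""
    def __init__(self, users, servers):
        self.users, self.servers = users, servers         # ID_c -> k_c ; ID_v -> k_v
        self.k_tgs, self.seen = os.urandom(32), set()     # k_tgs is shared by TGS and AS

    def as_exchange(self, id_c, ad_c, now):
        # Messages 1-2: TGT under k_tgs, wrapped for C under k_c (a wrong password cannot open it)
        k_c_tgs = os.urandom(32)
        tgt = make_ticket(self.k_tgs, k_c_tgs, id_c, ad_c, "tgs", now)
        return encrypt(self.users[id_c], {"k_session": k_c_tgs.hex(), "ID_v": "tgs",
                                          "TS": now, "ticket": tgt.hex()})

    def tgs_exchange(self, id_v, tgt, authenticator, ad_src, now):
        # Messages 3-4: check TGT + authenticator, then issue a ticket for V under k_v
        t = verify(self.k_tgs, tgt, authenticator, ad_src, now, self.seen)
        k_c_v = os.urandom(32)
        ticket_v = make_ticket(self.servers[id_v], k_c_v, t["ID_c"], t["AD_c"], id_v, now)
        return encrypt(bytes.fromhex(t["k_session"]), {"k_session": k_c_v.hex(), "ID_v": id_v,
                                                       "TS": now, "ticket": ticket_v.hex()})

class Server:
    def __init__(self, id_v, k_v):
        self.id_v, self.k_v, self.seen = id_v, k_v, set()

    def serve(self, ticket, authenticator, ad_src, now):
        # Messages 5-6: verify, then return E_{k_{c,v}}(TS5 + 1) so C can authenticate V too
        t = verify(self.k_v, ticket, authenticator, ad_src, now, self.seen)
        k_c_v = bytes.fromhex(t["k_session"])
        return encrypt(k_c_v, {"TS": decrypt(k_c_v, authenticator)["TS"] + 1})

def client_session(kdc, server, id_c, password, ad_c, now):
    """The whole dialogue from C's side; the password is only ever used locally."""
    m2 = decrypt(string_to_key(password), kdc.as_exchange(id_c, ad_c, now))
    k_c_tgs, tgt = bytes.fromhex(m2["k_session"]), bytes.fromhex(m2["ticket"])
    auth_tgs = make_authenticator(k_c_tgs, id_c, ad_c, now)
    m4 = decrypt(k_c_tgs, kdc.tgs_exchange(server.id_v, tgt, auth_tgs, ad_c, now))
    k_c_v, ticket_v = bytes.fromhex(m4["k_session"]), bytes.fromhex(m4["ticket"])
    auth_v = make_authenticator(k_c_v, id_c, ad_c, now)
    if decrypt(k_c_v, server.serve(ticket_v, auth_v, ad_c, now))["TS"] != now + 1:
        raise PermissionError("server failed to prove it holds k_c,v")
    return k_c_v, ticket_v, auth_v

def demo():
    """Runs the dialogue once, then reports which misuses the server-side checks reject."""
    now = 1_700_000_000                                    # constructed clock value
    kdc = KDC({"alice": string_to_key("correct horse")}, {"mail": os.urandom(32)})
    mail = Server("mail", kdc.servers["mail"])
    k_c_v, ticket_v, auth_v = client_session(kdc, mail, "alice", "correct horse", "10.0.0.5", now)
    late = now + LIFETIME + 1
    attempts = {"replay": (ticket_v, auth_v, "10.0.0.5", now + 1),
                "other_address": (ticket_v, auth_v, "10.0.0.9", now + 1),
                "expired": (ticket_v, make_authenticator(k_c_v, "alice", "10.0.0.5", late),
                            "10.0.0.5", late)}
    outcomes = {}
    for name, args in attempts.items():
        try:
            mail.serve(*args)
            outcomes[name] = "accepted"
        except PermissionError as e:
            outcomes[name] = str(e)
    return outcomes

if __name__ == "__main__":
    print(demo())
```

Running `demo()` completes one legitimate session and then shows the three rejections the checks in `verify` produce: a replayed authenticator, a ticket presented from an address other than AD_c, and a ticket past its lifetime. The same `verify` routine serves the TGS (checking the TGT under k_tgs) and V (checking the service ticket under k_v), which is the point of slide 17: each server only needs the one key it shares with the KDC.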
