Kerberos & X.509 11 - PDF document

Kerberos & �هدز�� X.509 ﻲﻨﺘﺒﻣ ﺮﺑ ﻞﺼﻓ 11 بﺎﺘﻛ زا Network Security, Principles and Practice,2nd Ed. ﺶﻳاﺮﻳوﻂﺳﻮﺗ هﺪﺷ : ﺪﻴﻤﺣ ﺎﺿر يرﺎﻳﺮﻬﺷ http://www.fata.ir http://mehr.sharif.edu/~shahriari �� ﻪﻧﺎﺴﻓاﻳﻧﺎﻧﻮﻲ � ﻪﻧﺎﺴﻓا ﺮﺳ ﻪﺳ ﮓﺳﻳﻧﺎﻧﻮﻲ : هزاورد نﺎﻈﻓﺎﺤﻣيﺎﻫﻢﻨﻬﺟ ! � دﺎﻤﻧ ﺎﻫﺮﺳ : Authentication � Authorization � Accounting � � ﻮﻫ زاﺮﺣا ﺎﻬﻨﺗ ﻞﻤﻋ رد ﻪﭼﺮﮔاﻳﺪﺷلﺎﻤﻋا ﺖ . �� ٢ ��

Motivation � يﺎﻬﻄﻴﺤﻣ ﺪﻳﺪﺟ : ترﻮﺻ ﻪﺑﻊﻳزﻮﺗ هﺪﺷ � ردﻚﻳﻂﻴﺤﻣ ﻊﻳزﻮﺗ شور ﻪﺳ هﺪﺷ ياﺮﺑ ﺖﻴﻨﻣا : � ﻪﺑ دﺎﻤﺘﻋاهﺎﮕﺘﺴﻳا يرﺎﻛ رد ﻲﻓﺮﻌﻣ لﺎﻤﻋا ودﻮﺧ ناﺮﺑرﺎﻛ ندﺮﻛ ﺖﺳﺎﻴﺳ ﻲﺘﻴﻨﻣا ﻲﻨﺘﺒﻣ ﺮﺑ ﻪﺳﺎﻨﺷ ناﺮﺑرﺎﻛ client � زﺎﻴﻧ زاﺮﺣا ﻪﺑ ﺖﻳﻮﻫ يﺎﻬﻤﺘﺴﻴﺳ ﻂﺳﻮﺗ راﺰﮔرﺎﻛ client ﻪﺑ ﺖﺒﺴﻧ ﺖﻳﻮﻫ ﻲﺳﺎﻨﺷ ناﺮﺑرﺎﻛ دﻮﺧ ﻲﻟو ﻪﺑ دﺎﻤﺘﻋا يﺎﻬﻤﺘﺴﻴﺳ � زﺎﻴﻧ زاﺮﺣا ﻪﺑ ﺖﻳﻮﻫ ﺮﻫ ﻚﻳﻪﺑﺖﺒﺴﻧ ناﺮﺑرﺎﻛ زا ﺲﻳوﺮﺳ ﻲﺘﺳاﻮﺧرد و ﺲﻜﻌﻟﺎﺑ �� ٣ �� سوﺮﺑﺮﻛ � ﻮﻫ زاﺮﺣاﻳرﺎﮕﻧ ﺰﻣر سﺎﺳا ﺮﺑ ﺖيﻠﻛﻴﺪﻲﻔﺨﻣ ) نرﺎﻘﺘﻣ ( MIT � ﺣاﺮﻃﻲردهﺪﺷ � ﺎﺟ ﻪﺑيﻮﻫزاﺮﺣا ﻳترﻮﺻ ﻪﺑ راﺰﮔرﺎﻛ ﺮﻫ رد ﺖزﻮﺗ ﻳ،هﺪﺷ ﻊﻳﻚ ﻮﻫ زاﺮﺣا ﻪﺑ ار صﺎﺧ راﺰﮔرﺎﻛﻳﻣصﺎﺼﺘﺧا ﺖﻴﻫﺪﻴﻢ � يﺎﻫ ﻪﺨﺴﻧ 4 و 5 ﺪﻨﺘﺴﻫ هدﺎﻔﺘﺳا لﺎﺣ رد نآ ٤ ��

ﺎﻬﻳﺪﻨﻣزﺎﻴﻧ / ﻲﻣﻮﻤﻋ يﺎﻬﻴﮔﮋﻳوسوﺮﺑﺮﻛ Common � ﻲﻣﻮﻤﻋندﻮﺑ ) ( � ردﻂﻴﺤﻣ ﻊﻳزﻮﺗ ﺎﺑ هاﺮﻤﻫ هﺪﺷ يﺎﻫروﺮﺳ وﺰﻛﺮﻤﺘﻣ ﺮﻴﻏﺰﻛﺮﻤﺘﻣ Security � ﻴﻨﻣا ﺖ ) ( � يﺎﻋدا ﻲﻠﺻا Reliability � ﻤﻃاﻴنﺎﻨ ) ( � نﺎﻨﻴﻤﻃا زا ﻲﺳﺮﺘﺳد يﺮﻳﺬﭘ راﺰﮔرﺎﻛ ﺖﻳﻮﻫ ﻲﺳﺎﻨﺷ ) سوﺮﺑﺮﻛ ( Transparency � ﻴﻓﺎﻔﺷ ﺖ ) ( � ﺎﺑ ناﺮﺑرﺎﻛﻳﺳﺪﻴﺪﻨﻧﺎﻤﻫ ار ﻢﺘﺴﻳﺳﻚﻴهدﺎﺳ ﻢﺘﺴ “ ﻪﺳﺎﻨﺷ ﻪﻤﻠﻛ ورﻮﺒﻋ ” ﺒﺑﻴﺪﻨﻨ . Scalability � ﻘﻣﻴسﺎﺬﭘﻳﺮي ) ( � ﺖﻴﻠﺑﺎﻗ رﺎﻛ داﺪﻌﺗ ﺎﺑ يدﺎﻳز ﻦﻴﺷﺎﻣ ﺮﺑرﺎﻛ وراﺰﮔرﺎﻛ �� ٥ �� ﻲﻣﻮﻤﻋ يﺎﻬﻴﮔﮋﻳوسوﺮﺑﺮﻛ � ﺪﻨﭼﻒﻳﺮﻌﺗ � ﻪﻨﻣاد : ﻚﻳهدوﺪﺤﻣ ﻲﺳﺮﺘﺳد ﺺﺨﺸﻣ ار ﻲﻣﺪﻨﻛ . ﻪﺑﻲﻋﻮﻧ ﻪﻨﻣاد لدﺎﻌﻣ يﺎﻫ ﻒﻳﺮﻌﺗ رد هﺪﺷزوﺪﻨﻳو ﻲﻣﺪﺷﺎﺑ . � ﺰﻛﺮﻣﻊﻳزﻮﺗ ﺪﻴﻠﻛ : سوﺮﺑﺮﻛ راﺰﮔرﺎﻛ لدﺎﻌﻣﻲﻣﺪﺷﺎﺑ . Principal � : ﻪﺑﺲﻳوﺮﺳ ﻪﻴﻠﻛ وناﺮﺑرﺎﻛ ،ﺎﻫ هﺎﮕﺘﺳد ،ﺎﻫ يﺮﺻﺎﻨﻋ ﻪﻛ جﺎﻴﺘﺣا ﻪﺑ ﻪﺘﻔﮔ ،ﺪﻧراد سوﺮﺑﺮﻛ راﺰﮔرﺎﻛ ﻪﺑ دﻮﺧ نﺪﻧﺎﺳﺎﻨﺷﻲﻣدﻮﺷ . ٦ ��

سو�� ياﺮﺑ ﻲﻓﺮﻌﻣ سوﺮﺑﺮﻛ زا مﺎﮔ ﻪﺑ مﺎﮔ ترﻮﺻ ﻪﺑ يﺎﻬﻠﻜﺗوﺮﭘ عوﺮﺷ هدﺎﺳﻲﻣﻢﻴﻨﻛ وﻲﻌﺳ ﻲﻣﻢﻴﻨﻛ ﺮﻫ تﻻﺎﻜﺷا ﻚﻳار فﺮﻃﺮﺑ ﻢﻴﻨﻛ ﻪﺑ ﺎﺗ سوﺮﺑﺮﻛ ﻢﻴﺳﺮﺑ . �� ٧ �� هدﺎﺳ گﻮﻟﺎﻳد زاﺮﺣاﺖﻳﻮﻫ -0 AS راﺰﮔرﺎﻛ ﺮﻫ وﻚﻳﺪﻴﻠﻛدراد دﻮﺟو كﺮﺘﺸﻣ . صﺮﻓ : ﻦﻴﺑ راﺰﮔرﺎﻛ زا ﺎﻣﺮﻓرﺎﻛ ﻂﺳﻮﺗ تﺎﻣﺪﺧ ﺖﺳاﻮﺧرد : Client � AS: ID client || Pass Client || ID Server 1. AS � Client: Ticket 2. Client � Server: ID client || Ticket 3. AS : Authentication Server ﻮﻫ زاﺮﺣا راﺰﮔرﺎﻛﻳﺖ K server : Shared key between AS and Server Ticket = E Kserver [ID client || Addr client || ID server ] ٨ ��

ﻂﻴﻠﺑ وﺮﻤﻠﻗ ﻪﺑ ﺮﺑرﺎﻛ دورو مﺎﮕﻨﻫ ﻪﻛ ﺖﺳا ﻲﻫاﻮﮔ ﻲﻋﻮﻧ ﻊﻗاو رد سوﺮﺑﺮﻛ ﻊﺑﺎﻨﻣ ﻪﺑ ﻲﺳﺮﺘﺳد ياﺮﺑ وا رﺎﺒﺘﻋا ﺮﮕﻧﺎﻴﺑ ﻪﻛ دﻮﺷ ﻲﻣ هداد وا ﻪﺑ ﺪﺷﺎﺑ ﻲﻣ ﻪﻜﺒﺷ . �� ٩ �� ﻲﺳرﺮﺑ گﻮﻟﺎﻳد � ﺎﻣﺮﻓرﺎﻛ سردآ اﺮﭼ (Client) ﻠﺑرد ﻴﻣﺮﻛذ ﻂﻴ؟دﻮﺸ � ردﺮﻴﻏ ﻦﻳا ﺮﻫ ترﻮﺻ ﻲﺼﺨﺷ ﻪﻛ ﻂﻴﻠﺑ زا ار ﻖﻳﺮﻃ دروآ ﺖﺳد ﻪﺑ دﻮﻨﺷ ﺰﻴﻧ ﺪﻧاﻮﺘﻴﻣ ﺪﻨﻛ هدﺎﻔﺘﺳا تﺎﻧﺎﻜﻣا زا . ردهﺪﺷ ﺮﻛذ سردآ ﻪﺑ تﺎﻣﺪﺧ ﺎﻬﻨﺗ نﻮﻨﻛا ﺎﻣاﻂﻴﻠﺑ ﻪﻳارا دﻮﺸﻴﻣ . � سردآ ﻞﻌﺟ ﻞﻜﺸﻣ ID client � ﺎﻣﺮﻓرﺎﻛ ﻪﺳﺎﻨﺷ اﺮﭼ لﺎﺳرا هﺪﺸﻧ ﺰﻣر ترﻮﺻ ﻪﺑ مﻮﺳ مﺎﮔ رد ﻣﻴ؟دﻮﺸ � اﺮﻳز ﻦﻳا ترﻮﺻ ﻪﺑ تﺎﻋﻼﻃا يرﺎﮕﻧﺰﻣر رد هﺪﺷ ﻂﻴﻠﺑدراد دﻮﺟو . � ﺎﺑ ﻪﺳﺎﻨﺷ ﺮﮔا ﻂﻴﻠﺑ تﺎﻣﺪﺧ ﺪﺷﺎﺑ ﻪﺘﺷاﺪﻧ ﺖﻘﺑﺎﻄﻣ ﻪﻳارا ﻲﻤﻧﺪﻧﻮﺷ . ١٠ ��

تﻼﻜﺸﻣ هدﺎﺳ گﻮﻟﺎﻳد زاﺮﺣاﺖﻳﻮﻫ -0 � ﻲﻨﻣاﺎﻧ � رﻮﺒﻋ ﻪﻤﻠﻛ لﺎﺳرا راﺬﮔﺰﻣر نوﺪﺑي ) ﺑﻪﻞﻜﺷ ﺢﺿاو ﻦﺘﻣ ( � راﺮﻜﺗ ﻪﻠﻤﺣ نﺎﻜﻣا � ﻲﻳآرﺎﻛﺎﻧ � موﺰﻟ يﺎﺿﺎﻘﺗ ﻂﻴﻠﺑ ﺪﻳﺪﺟ ياﺮﺑ ﺮﻫ ﺖﻣﺪﺧ �� ١١ �� ﻂﻴﻠﺑ زا دﺪﺠﻣ هدﺎﻔﺘﺳاﺎﻫ Tickets � اﺮﭼ ﻂﻴﻠﺑ زا دﺪﺠﻣ هدﺎﻔﺘﺳا ﺎﻫ ) ( ﻤﻫا ﻴ؟دراد ﺖ � ﮔﻮﻠﺟﻴﺮيﺎﺗزا ﻳردرﻮﺒﻋ ﻪﻤﻠﻛ دﺪﺠﻣ ﭗﻳﻧﺎﻣز هزﺎﺑ ﻚﻲهﺎﺗﻮﻛ � ﺖﻴﻓﺎﻔﺷ زاﺮﺣا ﺖﻳﻮﻫ � ﻪﺟﻮﺘﻣ ﺮﺑرﺎﻛ يﺎﻫﺪﻨﻳآﺮﻓ ﺖﻳﻮﻫ ﻲﺳﺎﻨﺷ ﻲﻤﻧدﻮﺷ . ١٢ ��

ﺶﻳاﺰﻓا ﻲﻨﻤﻳا - دﻳگﻮﻟﺎ 1 � زا هدﺎﻔﺘﺳاﻳﺪﺟراﺰﮔرﺎﻛ ﻚﻳﻠﺑهﺪﻨﻨﻛ ﺎﻄﻋا راﺰﮔرﺎﻛ مﺎﻧ ﺎﺑ ﺪﻴﻂ TGS: Ticket Granting Server � AS � راﺰﮔرﺎﻛ ﺖﻳﻮﻫ زاﺮﺣا، ،دراد دﻮﺟو نﺎﻛﺎﻤﻛ . ticket-granting ticket � ﻠﺑﻴﻂ “ ءﺎﻄﻋاﻠﺑﻴﻂ ” ردﺎﺻ نآ ﻂﺳﻮﺗ ﻲﻣدﻮﺷ . TGS ﻣردﺎﺻ ﻴﺪﻧﻮﺸ . � ﻠﺑ ﻪﭼﺮﮔا ﻴيﺎﻬﻄ ﻂﺳﻮﺗ تﺎﻣﺪﺧ ءﺎﻄﻋا service-granting ticket � ﻠﺑﻴﻂ “ ءﺎﻄﻋا تﺎﻣﺪﺧ ” AS � رﻮﺒﻋ ﻪﻤﻠﻛ لﺎﻘﺘﻧا زا بﺎﻨﺘﺟا ﭘندﺮﻛ ﺰﻣر ﺎﺑ ﻴراﺰﮔرﺎﻛ مﺎ ﺖﻳﻮﻫ زاﺮﺣا ) ( ﺎﻣﺮﻓرﺎﻛ ﻪﺑ ﻠﻛ ﻂﺳﻮﺗ ﻴرﻮﺒﻋ ﻪﻤﻠﻛ زا هﺪﺷ ﻖﺘﺸﻣ ﺪ �� ١٣ �� ﺶﻳاﺰﻓا ﻲﻨﻤﻳا - دﻳگﻮﻟﺎ 1 TGS Client 1. ID Client || ID TGS 3. ID Client || ID Server || Ticket TGS 2. E K Client [Ticket TGS ] 4. Ticket Server 5. ID Client || Ticket Server Log In AS ﻪﺴﻠﺟ ﻚﻤﻛ ﺎﺑ ﺎﻣﺮﻓرﺎﻛﺪﻴﻠﻛ AS ودﻮﺧ كﺮﺘﺸﻣ TGS ار ﻂﻴﻠﺑ ﻲﺑﺎﻳزﺎﺑ ﺪﻨﻜﻴﻣ . = Ticket E [ID || Addr || ID || Timestamp || Lifetime ] TGS K Client Client TGS 1 1 TGS = Ticket E [ID || Addr || ID || Timestamp || Lifetime ] Server K Client Client Server 2 2 Server ١٤ �� Server

Kerberos & X.509 11 - PDF document

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Kerberos Working Group UTF-8 Stringprep Profile UTF-8 Stringprep Profile Goals and Principles

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

JPL's Kerberos 5 Upgrade Henry B. Hotz Jet Propulsion Laboratory California Institute of

Site Report OpenAFS and Kerberos at the Max Planck Institute for Gravitational Physics October

Kerberos Created in MIT Athena project 1988. Has been in wide use in the USA. It has been

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos & X.509 11 - PDF document

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Kerberos Working Group UTF-8 Stringprep Profile UTF-8 Stringprep Profile Goals and Principles

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

JPL's Kerberos 5 Upgrade Henry B. Hotz Jet Propulsion Laboratory California Institute of

Site Report OpenAFS and Kerberos at the Max Planck Institute for Gravitational Physics October

Kerberos Created in MIT Athena project 1988. Has been in wide use in the USA. It has been

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) &amp; Constrained

Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained