a talk about ms sfu kerberos extensions protocol
play

A Talk about MS-SFU Kerberos Extensions: Protocol Transition - PowerPoint PPT Presentation

Nov 13, 2022 •24 likes •84 views

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019 Agenda Why S4U2Self is important for Samba. How does it work in local and cross realm.

  1. A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019

  2. Agenda ● Why S4U2Self is important for Samba. ● How does it work in local and cross realm. ● Recent CVEs related to S4U2Self. ● A couple of words on S4U2Proxy and RBCD.

  3. What is S4U2Self and why you should care ● Any server providing resources needs to have a mean to authenticate the user and to get a the list of groups the user is member of for authorization. ● Usually user’s password is required to get user’s token (Kerberos or NTLM). ● Any other authentication schemes (TLS, OTP, name it) can’t get us a token. ● LDAP is the problem - not the solution. ● The consensus on Samba ML is that the best solution is S4U2Self. Supports enterprise-names and and X509 certificates. ○ We can and should implement S4U2Self within winbind! ○

  4. How does it work ● PA-FOR-USER. ● PA-S4U-X509-USER - only implemented in MIT. ● Cross Realm S4U2Self - only implemented in MIT. ● TODOs: ○ Porting S4U code from MIT to Heimdal. ○ Add test coverage to Samba MIT build.

  5. MS-SFU 2.2.1 PA-FOR-USER: The PA-FOR-USER padata value is protected with the help of a *keyed* checksum, as defined below...

  6. CVEs related to S4U2Self ● Samba CVE-2018-16853: A user in a Samba AD domain can crash the MIT KDC by requesting an S4U2Self ticket. https://github.com/samba-team/samba/commit/6ab51b2af90f5dca11b8587b2a16215ab4497069 https://github.com/samba-team/samba/commit/6c453aeb0c771d14fe501e9a37d9f51b9403872b ● MIT Kerberos CVE-2018-20217: Reachable Assertion. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request. https://github.com/krb5/krb5/commit/94e5eda5bb94d1d44733a49c3d9b6d1e42c74def ● Samba CVE-2018-16860 / Microsoft CVE-2019-0734: S4U2Self with unkeyed checksums. https://github.com/samba-team/samba/commit/43958af1d50f0185e21e6cd74110c455ee8996af A python tool for intercepting and manipulating Kerberos packets, can be used to test KDC handling of unkeyed S4U2Self requests: https://github.com/iboukris/S4U/blob/master/kintercept/kintercept.py

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding Principles Use Unicode restricted as needed to provide interoperability and future extensibility A single set of string preparation rules for all

173 views • 14 slides
Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos Protocol Public-key: nice solution for key distribution, but Motivation : In a multi-national company, its computational expensive distributed information services are usually maintained by various business units

461 views • 7 slides
Hybrid scheme Kerberos protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos protocol Public-key: nice solution for key distribution, but

Hybrid scheme Kerberos protocol Public-key: nice solution for key distribution, but Question in Homework 4 computational expensive Two Key Distribution Centers (KDC): AS, Secret-key: efficient, but one requirement. TGS. In

513 views • 22 slides
Extensibility in the Kerberos Protocol Sam Hartman Mekinok, Inc. IETF 52 Table of Contents

Extensibility in the Kerberos Protocol Sam Hartman Mekinok, Inc. IETF 52 Table of Contents

Extensibility in the Kerberos Protocol Sam Hartman Mekinok, Inc. IETF 52 Table of Contents Slide Title Slide# I. Why Extensibility? 4 Arguments for Extensibility 5 Protocol Requirements from Vendors 6 IETF Concerns About Vendor

234 views • 22 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman Steffan Roobol 04-07-2019 Introduction Figure 1: Kerberos Protocol 2 Problem Figure 1: the LSASS process and Mimikatz. 3 Research Questions

520 views • 27 slides
Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context Kerberos I Authentication protocol Reduce amount of sensitive credentials sent over the network Commonly used in Linux networks (e.g. Hadoop)

604 views • 35 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Cheap Talk Games: Extensions Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap

Cheap Talk Games: Extensions Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap

Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap Talk Games: Extensions Cheap Talk Games: Extensions F. Koessler / November 12, 2008 Cheap Talk Games: Extensions Outline (November 12, 2008) The Art of Conversation:

1.05k views • 93 slides
SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple

SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple

SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple Object Access Protocol Abstract Stateless Messaging Protocol Another XML-based Meta-Standard SOAP Processing Model SOAP Message Construct

397 views • 16 slides
Easing access to Grids using identity federations Daniel Kouil T erena NREN & Grid

Easing access to Grids using identity federations Daniel Kouil T erena NREN & Grid

Easing access to Grids using identity federations Daniel Kouil T erena NREN & Grid Workshop 2008, Dublin PKI & Grids what we learnt The Grid authentication mechanism A lot of achievements Promising principles ...

154 views • 11 slides
Lecture 9 - Authentication CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 9 - Authentication CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 9 - Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

224 views • 20 slides
Latin square determinants and permanents Ken Johnson Penn State Abington College (Joint work

Latin square determinants and permanents Ken Johnson Penn State Abington College (Joint work

Latin square determinants and permanents Ken Johnson Penn State Abington College (Joint work with D. Donovan and I. Wanless) Outline 1)The basic idea 2) Motivation 3) Summary of the group case 4) Results on latin square

763 views • 15 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics

gPlazma2: Plugins and Configuration Karsten Schwank Zeuthen, 17.4.2012 Overview Basics Plugins Migrating from v1 to v2 Introducing Argus Introducing Kerberos Examples The WLCG Case Using Kerberos and NIS

748 views • 58 slides
Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity

Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity

Identity Management Scaling Out and Up Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat jpazdziora@redhat.com 15 th October 2014 Identity Users; user groups. Hosts; host groups; services. Identities

700 views • 18 slides
Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of

Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption

490 views • 33 slides

More recommend