cross realm kerberos authentication
play

Cross-Realm Kerberos Authentication A study into implementations and - PowerPoint PPT Presentation

Apr 05, 2023 •355 likes •558 views

Introduction Background Approach and Results Conclusion Cross-Realm Kerberos Authentication A study into implementations and compatibility Esan Wit Mick Pouw Supervisor: Michiel Leenaars A System and Network Engineering RP University of

  1. Introduction Background Approach and Results Conclusion Cross-Realm Kerberos Authentication A study into implementations and compatibility Esan Wit Mick Pouw Supervisor: Michiel Leenaars A System and Network Engineering RP University of Amsterdam July 3, 2014 Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 1 / 19

  2. Introduction Background Approach and Results Conclusion Introduction • Around since ancient times (’80s) • Version 5 from 1993, revised in 2005 • Offers authentication in networks between clients and services • Single Sign On • “Yesteryear’s OAuth” • Many implementations exist • Active Directory • Heimdal • MIT Kerberos • Shishi Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 2 / 19

  3. Introduction Background Approach and Results Conclusion Previous research • Implementation of cross-realm referral handling in MIT Kerberos client • Research by Cervesato et al. illustrated the possibility to impersonate users by rogue KDCs • Much debate about cross-realm options • But very little in the way of implementations • Specifying Kerberos 5 cross-realm authentication Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 3 / 19

  4. Introduction Background Approach and Results Conclusion Goals The goal is to check the current status of Kerberos implementations and identifying possibilities for dynamic configuration to enable cross-realm authentication. E.g. using an @OS3.NL account to authenticate a user for their Facebook profile. • Analyse the interoperability between implementations • Research default behaviour for edge cases • Research options for Cross Realm trust configurations • Analyse cryptographic behaviour Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 4 / 19

  5. Introduction Background Approach and Results Conclusion Kerberos recap • Authentication provider relying on trusted third party • Based on shared secrets • Tickets are encrypted so only the intended recipient can decrypt it • Designed to provide authentication on untrusted networks • Password is not send over the network • Supports public key cryptography Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 5 / 19

  6. Introduction Background Approach and Results Conclusion Kerberos Illustrated Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 6 / 19

  7. Introduction Background Approach and Results Conclusion Kerberos Cross-Realm Illustrated Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 7 / 19

  8. Introduction Background Approach and Results Conclusion Testing basic functionality • Testing combinations of all implementations, focused on receiving a valid ticket • Clients authenticated using password • Services using keytab via GSS-API Requirements • Machines taking role of either client, service, or KDC. • Configured DNS • Patience Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 8 / 19

  9. Introduction Background Approach and Results Conclusion Testing basic functionality • Testing combinations of all implementations, focused on receiving a valid ticket • Clients authenticated using password • Services using keytab via GSS-API Requirements • Machines taking role of either client, service, or KDC. • Configured DNS • Patience • A lot of it Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 8 / 19

  10. Introduction Background Approach and Results Conclusion Testing basic functionality KDC Client Active Directory Heimdal MIT Shishi ✗ 1 ✗ 1 ✗ 1 Active Directory ✓ Heimdal ✓ ✓ ✓ ✓ MIT ✓ ✓ ✓ ✓ Shishi ✓ ✓ ✓ ✓ Service Active Directory Heimdal MIT Shishi ✗ 1 ✗ 1 ✗ 1 Active Directory ✓ Heimdal ✓ ✓ ✓ ✓ MIT ✓ ✓ ✓ ✓ ✗ 2 ✗ 2 ✗ 2 ✗ 2 Shishi Table: Compatibility between implementations 1 No service available for testing 2 Shishi GSSAPI not implemented yet, but service ticket can be requested Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 9 / 19

  11. Introduction Background Approach and Results Conclusion Crypto compatibility Active Directory Heimdal MIT Shishi AES128/256-SHA1 ✓ ✓ ✓ ✓ CAMELLIA128/256- CTS-CMAC ✓ DES3-CBC-SHA1 ✓ ✓ ✓ DES-CBC-CRC 3 ✓ ✓ ✓ DES-CBC-MD5 3 ✓ ✓ ✓ DES-CBC-MD4 3 ✓ ✓ RC4-HMAC-EXP 3 ✓ ✓ RC4-HMAC ✓ ✓ ✓ ✓ Table: Ciphers implemented 3 Considered weak[2] Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 10 / 19

  12. Introduction Background Approach and Results Conclusion Testing PKINIT compliance • Use of public key cryptography for authentication and encryption • Chain of trust maintained as standard X.509 certificates • Any certificate authority • Extended Key Usage (EKU) • X.509 Subject Alternative Name (SAN) extension • Or if you’re Microsoft: • dNSName containing a SAN of the hostname of the KDC Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 11 / 19

  13. Introduction Background Approach and Results Conclusion PKINIT Results • Shishi no support. • Windows has it’s own format • MIT EKU tested/confirmed • Heimdal support for both formats, EKU tested/confirmed • Connecting to MIT KDC weak encryption, DH parameters Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 12 / 19

  14. Introduction Background Approach and Results Conclusion DNS Kerberos uses DNS to find the KDC servers of a realm. This is accomplished by using SRV records and will make the realm configuration in the configuration kerberos. tcp.ad.os3.nl. IN SRV 01 00 88 ad.os3.nl. • kerberos. udp.ad.os3.nl. IN SRV 01 00 88 ad.os3.nl. • • Behaviour was analysed under several configurations • MIT Kerberos 5, Heimdal and Shishi clients all use DNS if realm is unknown 4 4 provided a user specifies a realm when attempting to perform initial authentication Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 13 / 19

  15. Introduction Background Approach and Results Conclusion Cross-Realm setup • All manually configured, no automatic options available • Requires shared secret between KDCs • All cross-realm trusts are one-way • Add a principal in the right direction • Two-way trust is possible • Add principals for both directions Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 14 / 19

  16. Introduction Background Approach and Results Conclusion Cross-Realm requirements Active Directory Heimdal MIT Shishi ✗ 5 Active Directory ✓ ✓ ✓ ✗ 5 Heimdal ✓ ✓ ✓ ✗ 5 MIT ✓ ✓ ✓ ✗ 5 ✗ 5 ✗ 5 ✗ 5 Shishi Table: Cross compatibility 5 Shishi does not support cross realm configuration Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 15 / 19

  17. Introduction Background Approach and Results Conclusion Conclusion • The implementations adhere to the protocol • Most conflicts occur from other variables • Much remains to be done to enable auto-configuration • Public key cryptography for communication between KDCs • Heimdal and MIT Kerberos 5 are most compatible Note: Many documents are outdated when it concerns Kerberos Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 16 / 19

  18. Introduction Background Approach and Results Conclusion Future Work • Finish Shishi • Better debugging options in the implementations • Improve interoperability between implementations • Dynamic configurable trust • Foreign trust policies • Asynchronous Cryptography for Cross-Realm trust • PKCROSS started as draft but remains unfinished • As of this week some activity again on the mailing list Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 17 / 19

  19. Introduction Background Approach and Results Conclusion Questions? Takeaways in Kerberos • Check your time • KERBEROS LOVES CAPS (and so do config files) • When in doubt, DNS! Special thanks to Michiel Leenaars and Rick van Rein for their input and feedback during this project. Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 18 / 19

  20. Introduction Background Approach and Results Conclusion I. Cervesato et al. “Specifying Kerberos 5 Cross-realm Authentication”. In: Proceedings of the 2005 Workshop on Issues in the Theory of Security . WITS ’05. Long Beach, California, 2005, pp. 12–26. isbn : 1-58113-980-2. L. Hornquist Astrand and T. Yu. Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos . RFC 6649 (Best Current Practice). Internet Engineering Task Force, July 2012. Esan Wit, Mick Pouw Cross-Realm Kerberos Authentication July 3, 2014 19 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov Supported by ONR, NSF, NRL Overview Introduction Kerberos 5 Formalization Properties

454 views • 24 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Problem statements on cross-realm authentication Shoichi Sakane Shouichi.Sakane@jp.yokogawa.com

Problem statements on cross-realm authentication Shoichi Sakane Shouichi.Sakane@jp.yokogawa.com

Problem statements on cross-realm authentication Shoichi Sakane Shouichi.Sakane@jp.yokogawa.com The 66 th IETF meeting 07/06/06 Yokogawa Electric Corporation 1 Purpose of this presentation Not presentation of our extension.

253 views • 12 slides
A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019 Agenda Why S4U2Self is important for Samba. How does it work in local and cross realm.

84 views • 6 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After

Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After learning all the foundation of modern cryptography, we are ready to see some real world applications based on them. What happened when you

592 views • 33 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context

Kerberos Credential Thievery (GNU/Linux) Ronan Loftus, Arne Zismer July 3, 2017 Context Kerberos I Authentication protocol Reduce amount of sensitive credentials sent over the network Commonly used in Linux networks (e.g. Hadoop)

604 views • 35 slides
Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: Authentication 1 Cryptography in

Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: Authentication 1 Cryptography in

Outline CPSC 418/MATH 318 Introduction to Cryptography Recap: Authentication 1 Cryptography in Practice: Entity Authentication, SSH Entity Authentication 2 Kerberos 5 Renate Scheidler Station-to-Station protocol Department of Mathematics

297 views • 8 slides
Fifth & Kirkham Traffic Calming Project 5 th Avenue and Kirkham Street Presented at the UCSF

Fifth & Kirkham Traffic Calming Project 5 th Avenue and Kirkham Street Presented at the UCSF

Fifth & Kirkham Traffic Calming Project 5 th Avenue and Kirkham Street Presented at the UCSF Quarterly Parnassus Community Meeting August 24, 2016 1 Agenda Welcome and introductions 5 minutes Project history, goals, and schedule 5

286 views • 16 slides
Archdiocese of Kansas City S ummer Camp 2019 Kansas WC Overview Benefits are paid at the

Archdiocese of Kansas City S ummer Camp 2019 Kansas WC Overview Benefits are paid at the

Archdiocese of Kansas City S ummer Camp 2019 Kansas WC Overview Benefits are paid at the employers expense Coverage begins on first day on the j ob Benefits include medical expenses and income benefits An employee

272 views • 24 slides
EAP Speaking LEAP Unit 3a: Free Time A A A Jason Renshaw | www.EnglishRaven.com Jason Renshaw

EAP Speaking LEAP Unit 3a: Free Time A A A Jason Renshaw | www.EnglishRaven.com Jason Renshaw

EAP Speaking LEAP Unit 3a: Free Time A A A Jason Renshaw | www.EnglishRaven.com Jason Renshaw | www.EnglishRaven.com EAP Speaking LEAP Unit 3a: Free Time A A A Read and listen. Sara: Hi Ken. What are you doing after school today? Ken:

214 views • 6 slides
Otter Tail County Drainage Authority County Drainage (Ditch) System 5 County Drainage (Ditch)

Otter Tail County Drainage Authority County Drainage (Ditch) System 5 County Drainage (Ditch)

Otter Tail County Drainage Authority County Drainage (Ditch) System 5 County Drainage (Ditch) System 36 County Drainage (Ditch) System 68 Redetermination of Benefits and Consolidation Public Hearing Minutes Henning Community Center 607 2 nd

172 views • 14 slides
Kerberos and Health Checks and Bare Metal, Oh My! Updates to OpenStack Sahara in Newton Updates

Kerberos and Health Checks and Bare Metal, Oh My! Updates to OpenStack Sahara in Newton Updates

Kerberos and Health Checks and Bare Metal, Oh My! Updates to OpenStack Sahara in Newton Updates to OpenStack Sahara in Newton Vitaly Gridnev, Sahara PTL (Mirantis) Elise Gafford, Sahara Core (Red Hat) Nikita Konovalov, Sahara Core (Mirantis)

632 views • 39 slides
/-J Los Alamos NATIONA L LABOR ATOR Y ---- EH.1941 ---- Los Alamos National Laboratory, an

/-J Los Alamos NATIONA L LABOR ATOR Y ---- EH.1941 ---- Los Alamos National Laboratory, an

0 s\ \ '6 LA-UR- 0 <=\ - Approved for public release; distribution is unlimited. Title: Kerberized Network File System for Clusters Author(s): Ian Burns Christoph er Hoffman Paige Ashlynn Intended for: Electronic/World-wide Web Academi c

459 views • 17 slides
Credential Mapping in Grids Esteban Talavera Gonzlez Center for Parallel Computers (PDC) Royal

Credential Mapping in Grids Esteban Talavera Gonzlez Center for Parallel Computers (PDC) Royal

Overview Background Our solution Conclusions Credential Mapping in Grids Esteban Talavera Gonzlez Center for Parallel Computers (PDC) Royal Institute of Technology (KTH) Stockholm March 16, 2007 Esteban Talavera Gonzlez Credential

569 views • 44 slides
The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of

The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of

The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of Informatics University of Edinburgh The Good Old Days UID text file or similar /etc/passwd Username Make it up or ask the user Today LDAP

345 views • 18 slides

More recommend