
Kerberos for Distributed Systems Security, Cunsheng Ding, HKUST (PowerPoint presentation)



  1. Kerberos for Distributed Systems Security
  Cunsheng Ding, HKUST, Hong Kong, China
  C. Ding COMP4631 L16 1

  2. Agenda
  • Distributed system security
  • Introduction to Kerberos V4
  • Kerberos realms
  • Authentication with Kerberos in Windows NT 5 and Windows 2000
  • Kerberos in Unix-like operating systems

  3. Distributed Systems Security

  4. Distributed Systems
  • A distributed system: a collection of computers linked via some network.
  • Characteristic: the components of a distributed system may be under the authority of different organizations and may be governed by different security policies.
  • Example: the Internet

  5. Security Issues in Distributed Systems (1)
  • Impersonation of a user:
    – A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
  • Impersonation of a workstation:
    – A user may alter the network address of a workstation so that requests sent from the altered workstation appear to come from the impersonated workstation.

  6. Security Issues in Distributed Systems (2)
  • Replay attacks:
    – A user may eavesdrop on exchanges and replay the captured messages to gain entry to a server or to disrupt operations.
  • Conclusion:
    – In any of these cases, an unauthorized user may gain access to services and data that he or she is not authorized to access.

  7. Security Services in Distributed Systems
  • Authentication
    – Kerberos
  • Guarding the boundaries of internal networks
    – Firewalls
  • Access control to distributed objects
    – Access control techniques
  • Availability
    – Counter-DoS techniques

  8. Security Policies
  • Fact: in a distributed system, users are not necessarily registered at the node where they access an object.
  • Question: how do we authenticate a user?
  • Question: what is the basis for access control decisions?

  9. Basis for Authentication and Access Control
  • The user identity and password;
  • the network address the user operates from;
    – e.g., any machine in UST can access the Elsevier database;
  • the distributed service the user is invoking, i.e., the access operation.
    – Anyone can read, but cannot modify, documents posted on my personal web page.

  10. Examples: Unix System
  • ftp: transfer files between Unix systems.
  • telnet, rlogin: remote access
    – use user identity and password for authentication;
    – use the normal Unix access control.
  • New problem: how can my password travel through the network securely? (These protocols send it in cleartext.)

  11. Security Enforcement
  • Once you have sorted out security policies, you have to decide where to enforce them!
    – Where in the system do you authenticate a user?
    – Where in the system do you make an access control decision?
  • Authentication: Kerberos (V4 and V5)

  12. Kerberos Version 4

  13. Kerberos Version 4
  • Centralized network authentication service
  • Developed in Project Athena at MIT

  14. Environment Addressed
  • An open distributed environment in which
    – users at workstations wish to access services on servers distributed throughout the network;
    – servers can restrict access to authorized users and authenticate requests for service;
    – workstations cannot be trusted to identify their users correctly to network services.

  15. Requirements for Kerberos
  • Secure: an opponent cannot impersonate a user, and the Kerberos service itself must not be a weak link.
  • Reliable: a highly available Kerberos service, since the application servers it supports are unusable without it.
  • Transparent: users enter a password once and are otherwise unaware that authentication is taking place.
  • Scalable: the system can support large numbers of clients and servers.

  16. Kerberos 4 Overview
  • A basic trusted-third-party authentication scheme
  • Has an Authentication Server (AS)
    – users initially negotiate with the AS to identify themselves
    – the AS provides a non-corruptible authentication credential, the ticket-granting ticket (TGT)
  • Has a Ticket Granting Server (TGS)
    – users subsequently request access to other services from the TGS on the basis of their TGT

  17.
  1. Each user shares a key with the AS.
  2. The TGS shares a key with the AS.
  3. All servers are registered with the TGS.

  18. Further Information
  • Only one symmetric cipher, DES, is used in Version 4. Version 5 negotiates the cipher; modern deployments use AES.
  • Each client needs to share a secret key with the AS only.
  • ID, timestamp and network address are used for authentication.
  • Technical details of the protocol are omitted here (see the Appendix).

  19. Kerberos Realm
  • Kerberos realm:
    – The environment whose authentication one Kerberos server manages.
  • The environment of one realm:
    – The Kerberos server of the realm holds the IDs and password-derived keys of all users in the realm.
    – The Kerberos server shares a secret key with each application server.
    – All servers are registered with the Kerberos server.

  20. Authentication with Kerberos in Windows NT and Windows 2000

  21. Authentication in Windows NT 5 and Windows 2000
  • The main objective is to present the basic idea without technical details.
  • Those who wish to have details should read the Kerberos 5 specification and the documentation of Windows NT 5 and Windows 2000.

  22. The Basic Idea
  • Use a KDC that runs both the AS and the TGS of Kerberos.
  • The KDC is located on the Domain Controller.
  • The TGT and service tickets carry the authorization data from which the user's access token is built.

  23. Initial Kerberos Ticket: Ticket Granting Ticket (TGT)
  • The first ticket is a Ticket Granting Ticket
    – used by the client to get tickets to other services
    – contains authorization data based on group membership and privileges
  • The AS reply that delivers the TGT and its session key is encrypted under the user's key, which the KDC derives from the password
    – using the TGT therefore requires knowledge of the password; the TGT itself is encrypted under the KDC's own key
  • Tickets are stored in a ticket cache managed by the LSA (Local Security Authority).

  24. (Figure: AS and TGS)

  25. Comments on Kerberos Authentication
  • Single Sign-On (SSO)
    – Simple administration
    – Good administrative control
    – Good user productivity
    – Good network security

  26. Kerberos in Unix-like Operating Systems
  • FreeBSD, Apple's Mac OS X, Red Hat Enterprise Linux, Oracle's Solaris, IBM's AIX and z/OS, HP's HP-UX and OpenVMS
  • Each ships a Kerberos implementation used to authenticate users and services.

  27. Two Ideas in Kerberos
  • Protocol 1
    – A → B: E_k(ID_A || ID_B || timestamp)
    – What security services are provided by this protocol?
  • Protocol 2
    – A → B: E_K(ID_A || ID_B || ID_V || period of validity)
    – V is the email server
    – K is a secret key shared by A and V
    – It is a ticket for B issued by A. B can use it for email services many times.

  28. Appendix: Details of Kerberos V4

  29. Version 4 Authentication Dialogue (3)

  30. Index
  • K_c: the secret key shared between C and the AS.
  • K_tgs: the secret key shared between the TGS and the AS.
  • K_c,tgs: the session key for C and the TGS, generated by the AS.
  • K_c,v: the session key for C and V, generated by the TGS.
  • TS: timestamp.
  • ID_c: C's ID.
  • AD_c: C's network address.
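Worked example, added to this page and not part of the original slides or of any real Kerberos implementation: a Python simulation of the V4 dialogue sketched on slides 16 to 18, written with the notation of slide 30 (K_c, K_tgs, K_c,tgs, K_c,v, TS, ID_c, AD_c). The authenticator the client sends is slide 27's Protocol 1 (an encrypted ID plus timestamp) and the ticket is Protocol 2 (a credential sealed under the server's key that the holder cannot read but can present many times). Everything concrete is an assumption made for the example: a toy encrypt-then-MAC built from HMAC-SHA256 stands in for DES, messages are JSON dicts, the user "alice" with password "correct horse" works from address 10.0.0.5, the application server is "mail", and the skew and lifetime constants are arbitrary.

```python
"""Toy Kerberos V4-style dialogue: the AS issues a TGT, the TGS issues a service ticket,
server V checks ticket + authenticator and rejects replays. Added example, not from the
slides; names follow slide 30. E()/D() are a stand-in encrypt-then-MAC (real V4: DES)."""
import hashlib, hmac, json, os

SKEW = 300         # tolerated clock skew (s) when checking an authenticator's TS
LIFETIME = 36000   # ticket lifetime (s)

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (toy cipher, not for production use)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def E(key, fields):  # E_key(fields): encrypt a dict, then MAC it -> nonce || ciphertext || tag
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):  # inverse of E(); raises ValueError on a wrong key or a tampered blob
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def key_from_password(pw):
    return hashlib.sha256(pw.encode()).digest()          # K_c (V4 used a DES string-to-key)

def authenticator(k_sess, id_c, ad_c, now):
    # Slide 27 'Protocol 1': E_k(ID_c || AD_c || TS) proves possession of k right now
    return E(k_sess, {"ID_c": id_c, "AD_c": ad_c, "TS": now}).hex()

def verify(k_server, ticket_hex, auth_hex, ad_seen, replay_cache, now):
    # Shared by TGS and V: open ticket, open authenticator, check id/address/lifetime/freshness/replay
    t = D(k_server, bytes.fromhex(ticket_hex))
    if now > t["TS"] + t["lifetime"]:
        raise ValueError("ticket expired")
    k_sess = bytes.fromhex(t["K_sess"])
    a = D(k_sess, bytes.fromhex(auth_hex))
    if a["ID_c"] != t["ID_c"] or a["AD_c"] != t["AD_c"] or ad_seen != t["AD_c"]:
        raise ValueError("authenticator does not match the ticket or the source address")
    if abs(now - a["TS"]) > SKEW:
        raise ValueError("authenticator timestamp outside the skew window")
    if (a["ID_c"], a["TS"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((a["ID_c"], a["TS"]))
    return t["ID_c"], k_sess, a["TS"]

class KDC:  # runs both the AS and the TGS (slide 22: one KDC hosts both)
    def __init__(self):
        self.users, self.servers, self.replay = {}, {"tgs": os.urandom(32)}, set()  # K_c; K_v incl. K_tgs
    def register_user(self, id_c, pw): self.users[id_c] = key_from_password(pw)
    def register_server(self, id_v): self.servers[id_v] = os.urandom(32); return self.servers[id_v]
    def _ticket(self, id_v, id_c, ad_c, k_sess, now):
        # Slide 27 'Protocol 2': sealed under K_v, reusable by C for its lifetime
        return E(self.servers[id_v], {"K_sess": k_sess.hex(), "ID_c": id_c, "AD_c": ad_c,
                                     "ID_v": id_v, "TS": now, "lifetime": LIFETIME}).hex()
    def as_exchange(self, id_c, ad_c, now):
        # (1) C -> AS: ID_c, ID_tgs, TS   (2) AS -> C: E_Kc(K_c,tgs || ID_tgs || TS || Ticket_tgs)
        k_c_tgs = os.urandom(32)
        return E(self.users[id_c], {"K_c_tgs": k_c_tgs.hex(), "ID_tgs": "tgs", "TS": now,
                                    "ticket": self._ticket("tgs", id_c, ad_c, k_c_tgs, now)})
    def tgs_exchange(self, id_v, tgt_hex, auth_hex, ad_seen, now):
        # (3) C -> TGS: ID_v, Ticket_tgs, Auth_c   (4) TGS -> C: E_Kc,tgs(K_c,v || ID_v || TS || Ticket_v)
        id_c, k_c_tgs, _ = verify(self.servers["tgs"], tgt_hex, auth_hex, ad_seen, self.replay, now)
        k_c_v = os.urandom(32)
        return E(k_c_tgs, {"K_c_v": k_c_v.hex(), "ID_v": id_v, "TS": now,
                           "ticket": self._ticket(id_v, id_c, ad_seen, k_c_v, now)})

class Server:  # application server V, with its own replay cache
    def __init__(self, id_v, k_v): self.id_v, self.k_v, self.replay = id_v, k_v, set()
    def serve(self, ticket_hex, auth_hex, ad_seen, now):
        # (5) C -> V: Ticket_v, Auth_c   (6) V -> C: E_Kc,v(TS + 1) for mutual authentication
        id_c, k_c_v, ts = verify(self.k_v, ticket_hex, auth_hex, ad_seen, self.replay, now)
        return id_c, E(k_c_v, {"TS": ts + 1})

def _fails(fn):
    try: fn(); return False
    except ValueError: return True

def demo(now=1_700_000_000.0):
    # Constructed user 'alice' at constructed address 10.0.0.5 logs in, reaches 'mail', then slides 5-6 attacks
    kdc = KDC(); kdc.register_user("alice", "correct horse")
    mail = Server("mail", kdc.register_server("mail"))
    c, ad = "alice", "10.0.0.5"
    rep = D(key_from_password("correct horse"), kdc.as_exchange(c, ad, now))   # opened with K_c
    k_c_tgs, tgt = bytes.fromhex(rep["K_c_tgs"]), rep["ticket"]
    rep = D(k_c_tgs, kdc.tgs_exchange("mail", tgt, authenticator(k_c_tgs, c, ad, now), ad, now))
    k_c_v, tv = bytes.fromhex(rep["K_c_v"]), rep["ticket"]
    auth_v = authenticator(k_c_v, c, ad, now)
    id_c, reply = mail.serve(tv, auth_v, ad, now)
    r = {"access": (id_c, D(k_c_v, reply)["TS"] == now + 1)}
    r["reuse"] = mail.serve(tv, authenticator(k_c_v, c, ad, now + 60), ad, now + 60)[0]  # Protocol 2
    r["replay"] = _fails(lambda: mail.serve(tv, auth_v, ad, now + 1))                   # slide 6
    r["stolen"] = _fails(lambda: mail.serve(tv, authenticator(k_c_v, c, ad, now + 2), "10.0.0.9", now + 2))
    r["badpw"] = _fails(lambda: D(key_from_password("wrong"), kdc.as_exchange(c, ad, now)))
    late = now + LIFETIME + 1
    r["expired"] = _fails(lambda: mail.serve(tv, authenticator(k_c_v, c, ad, late), ad, late))
    return r
```

Running demo() walks the six messages of the dialogue and then tries the threats of slides 5 and 6: the service ticket is reusable with a fresh authenticator, a replayed authenticator is caught by the server's replay cache, a stolen ticket presented from another address fails the AD_c check, a wrong password leaves the AS reply unreadable so the TGT is useless, and a ticket past its lifetime is refused. This also answers slide 27's question: Protocol 1 gives B origin authentication of A and freshness (within the skew window, given a replay cache), plus confidentiality of the fields, but by itself says nothing to A about B; V4 adds the TS + 1 reply for that. Two V4 caveats visible in the code: the AS answers any request, so the password-derived encryption of its reply exposes users to offline password guessing (V5 added pre-authentication), and the AD_c check only helps against an attacker who cannot spoof the source address.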
