Kerberos for Distributed Systems Security, Cunsheng Ding, HKUST (PowerPoint PPT Presentation)

  1. Kerberos for Distributed Systems Security
     Cunsheng Ding, HKUST, Hong Kong, CHINA
     C. Ding - L17 1

  2. Agenda
     • Distributed system security
     • Introduction to Kerberos
     • Kerberos Version 4 Authentication Protocol
     • Authentication with Kerberos in Windows NT 5 and Windows 2000

  3. Distributed Systems Security

  4. Distributed Systems
     • A distributed system: a collection of computers linked via some network.
     • Characteristic: the components of the distributed system may be under the authority of different organizations, and may be governed by different security policies.
       – Example: the Internet

  5. Security Issues in Distributed Systems (1)
     • Impersonation of a user:
       – A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
     • Impersonation of a workstation:
       – A user may alter the network address of a workstation so that requests sent from the altered workstation appear to come from the impersonated workstation.

  6. Security Issues in Distributed Systems (2)
     • Replay attacks:
       – A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
     • Conclusion:
       – In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access.

  7. Security Services in Distributed Systems
     • Authentication
     • Guarding the boundaries of internal networks
       – Firewalls (covered in this course)
     • Access control to distributed objects
       – Access control techniques (not covered)
     • Availability
       – Counter-DoS techniques (not covered)

  8. Security Policies
     • Fact: in a distributed system, users are not necessarily registered at the node on which they are accessing an object.
     • Question: how to authenticate a user?
     • Answer: usually, user ID + password

  9. Examples: Unix Systems
     • ftp: transfer files between Unix systems.
     • telnet, rlogin: remote access.
     • These use a user identity and password for authentication.
     • New problem: how can my password travel through the network securely?

  10. Kerberos Version 4 Authentication Protocol

  11. Kerberos Version 4
     • Centralized network authentication service
     • Developed in Project Athena at MIT
     • Named after the three-headed guard dog of Hades in Greek mythology

  12. Environment Addressed
     • An open distributed environment in which:
       – Users at workstations wish to access services on servers distributed throughout the network.
       – Servers can restrict access to authorized users and authenticate requests for service.
       – Workstations cannot be trusted to identify their users correctly to network services.

  13. Requirements for Kerberos
     • Secure: an opponent cannot impersonate a user, and the Kerberos service should not be a weak link.
     • Reliable: a highly reliable Kerberos service, to ensure availability of the services supported on application servers.
     • Transparent: users are only required to enter a password once and are not aware of the authentication taking place.
     • Scalable: the system can support large numbers of clients and servers.

  14. Kerberos 4 Overview
     • A basic third-party authentication scheme
     • Has an Authentication Server (AS)
       – Users initially negotiate with the AS to identify themselves
       – The AS provides a non-corruptible authentication credential (ticket granting ticket, TGT)
     • Has a Ticket Granting Server (TGS)
       – Users subsequently request access to other services from the TGS on the basis of the user's TGT

  15. Keys and Registration
     1. Each user shares a key with the AS
     2. The TGS shares a key with the AS
     3. All servers are registered with the AS

  16. Two Ideas in Kerberos
     • Protocol 1
       – A → E_K(ID_A || ID_B || timestamp) → B
       – What security services are provided by this protocol?
     • Protocol 2
       – A → E_K(ID_A || ID_B || ID_V || period of validity) → B
       – V is the email server
       – K is a secret key shared by A and V
       – The message is a ticket for B issued by A. B can use it for email services many times.

  17. Version 4 Authentication Dialogue Overview

  18. Differences between V4 and V5

  19. Differences Between Versions 4 & 5 (1)
     • Environmental shortcomings
       – Encryption system dependence
         • Only DES is possible in V4; any encryption algorithm can be used in V5
       – Internet protocol dependence
         • Only IP is possible in V4 → V5 can use any network protocol

  20. Differences Between Versions 4 & 5 (2)
     • Environmental shortcomings
       – Ticket lifetime
         • Maximum of 1280 minutes in V4 → any length of time in V5
       – Authentication forwarding
         • V4 does not allow credentials issued to one client to be forwarded to some other host and used by some other client. V5 provides this capability.

  21. Differences Between Versions 4 & 5 (3)
     • Technical deficiencies
       – Double encryption in V4
       – PCBC encryption (a nonstandard mode of operation) in V4
         • In V5, standard CBC is used

  22. Authentication with Kerberos in Windows NT and Windows 2000

  23. Kerberos 4: Protocol Overview
     (Figure: client, AS, TGS and server, with the six numbered messages below)
     1. Request for TGS ticket (client → AS)
     2. Ticket for TGS (AS → client)
     3. Request for server ticket (client → TGS)
     4. Ticket for server (TGS → client)
     5. Request for service (client → server)
     6. Mutual authentication (server → client)
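The six-message dialogue of slide 23, built from the ticket and authenticator ideas of slides 14 to 16, as an added, runnable model that is not part of the original slides. It stands in for DES with a constructed SHA-256 counter-mode stream plus HMAC, encodes messages as JSON, and uses constructed user, TGS and server names and keys; its value is in the checks the TGS and the server perform (validity period, session key binding, timestamp freshness).

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # SHA-256 counter-mode keystream (constructed stand-in for V4's DES)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def enc(key, obj):  # encrypt-then-MAC of a JSON message; models E_K(...) on the slides
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

LIFETIME, SKEW = 8 * 3600, 300  # constructed: ticket validity period and allowed clock skew (seconds)
KEYS = {"alice": hashlib.sha256(b"correct horse").digest(),  # Kc, derived from the user's password
        "tgs": os.urandom(32), "mail": os.urandom(32)}       # keys the TGS and servers share with the AS

def ticket(svc_key, client, service, now):  # E_Ksvc(session key || client || service || validity period)
    sk = os.urandom(32)
    return sk, enc(svc_key, {"sk": sk.hex(), "c": client, "s": service, "t0": now, "t1": now + LIFETIME})

def check(svc_key, tkt, auth, now):  # validation done by the TGS (step 3) and by a server (step 5)
    t = dec(svc_key, tkt)
    if not t["t0"] <= now <= t["t1"]: raise ValueError("ticket outside its validity period")
    sk = bytes.fromhex(t["sk"])
    a = dec(sk, auth)  # the authenticator must be encrypted under the session key inside the ticket
    if a["c"] != t["c"] or abs(now - a["ts"]) > SKEW: raise ValueError("authenticator mismatch or stale (replay)")
    return sk, t, a

def as_exchange(client, now):  # steps 1-2: AS returns a TGT plus a client/TGS session key, under Kc
    sk, tgt = ticket(KEYS["tgs"], client, "tgs", now)
    return enc(KEYS[client], {"sk": sk.hex(), "tgt": tgt.hex()})

def tgs_exchange(tgt, auth, service, now):  # steps 3-4: TGS verifies the TGT and issues a service ticket
    sk_tgs, t, _ = check(KEYS["tgs"], tgt, auth, now)
    sk, st = ticket(KEYS[service], t["c"], service, now)
    return enc(sk_tgs, {"sk": sk.hex(), "ticket": st.hex()})

def server_exchange(service, st, auth, now):  # steps 5-6: server verifies, replies ts+1 for mutual auth
    sk, _, a = check(KEYS[service], st, auth, now)
    return enc(sk, {"ts": a["ts"] + 1})

def login(client, password, service, now=None):  # the client's side of all six steps
    now, kc = (int(time.time()) if now is None else now), hashlib.sha256(password.encode()).digest()
    r = dec(kc, as_exchange(client, now)); sk_tgs = bytes.fromhex(r["sk"])
    r = dec(sk_tgs, tgs_exchange(bytes.fromhex(r["tgt"]), enc(sk_tgs, {"c": client, "ts": now}), service, now))
    sk = bytes.fromhex(r["sk"]); auth = enc(sk, {"c": client, "ts": now})
    return dec(sk, server_exchange(service, bytes.fromhex(r["ticket"]), auth, now))["ts"] == now + 1
```

A wrong password fails at step 2 (the client cannot decrypt the AS reply), and a ticket presented after its validity period or with a stale authenticator is rejected by `check`.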

  24. Authentication in Windows NT 5 and Windows 2000
     • The main objective is to present the basic idea without technical details.
     • Those who wish to have details should read about Kerberos 5 and the details of Windows NT 5 and Windows 2000.

  25. The Basic Idea
     • Use a KDC to run the AS and TGS of Kerberos.
     • The KDC is located in the Domain Controller.
     • Use the TGT and service tickets as access tokens.

  26. Initial Kerberos Ticket: Ticket Granting Ticket (TGT)
     • The first ticket is a Ticket Granting Ticket
       – Used by the client to get tickets to other services
       – Contains authorization data based on group membership and privileges
     • The ticket is encrypted in the user's key, known by the KDC
       – Requires knowledge of the password to use
     • Tickets are stored in a ticket cache managed by the LSA (Local Security Authority).

  27. (Figure: AS and TGS)

  28. Comments on Authentication with Kerberos
     • Single Sign-On
       – Simple administration
       – Good administrative control
       – Good user productivity
       – Good network security
