Kerberos & X.509 11 - PDF document

Kerberos & �هدز�� X.509 ﻲﻨﺘﺒﻣ ﺮﺑ ﻞﺼﻓ 11 بﺎﺘﻛ زا Network Security, Principles and Practice,2nd Ed. ﺶﻳاﺮﻳوﻂﺳﻮﺗ هﺪﺷ : ﺪﻴﻤﺣ ﺎﺿر يرﺎﻳﺮﻬﺷ http://www.fata.ir http://mehr.sharif.edu/~shahriari �� ﻪﻧﺎﺴﻓاﻳﻧﺎﻧﻮﻲ � ﻪﻧﺎﺴﻓا ﺮﺳ ﻪﺳ ﮓﺳﻳﻧﺎﻧﻮﻲ : هزاورد نﺎﻈﻓﺎﺤﻣيﺎﻫﻢﻨﻬﺟ ! � دﺎﻤﻧ ﺎﻫﺮﺳ : Authentication � Authorization � Accounting � � ﻮﻫ زاﺮﺣا ﺎﻬﻨﺗ ﻞﻤﻋ رد ﻪﭼﺮﮔاﻳﺪﺷلﺎﻤﻋا ﺖ . �� ٢ ��

Motivation � يﺎﻬﻄﻴﺤﻣ ﺪﻳﺪﺟ : ترﻮﺻ ﻪﺑﻊﻳزﻮﺗ هﺪﺷ � ردﻚﻳﻂﻴﺤﻣ ﻊﻳزﻮﺗ شور ﻪﺳ هﺪﺷ ياﺮﺑ ﺖﻴﻨﻣا : � ﻪﺑ دﺎﻤﺘﻋاهﺎﮕﺘﺴﻳا يرﺎﻛ رد ﻲﻓﺮﻌﻣ لﺎﻤﻋا ودﻮﺧ ناﺮﺑرﺎﻛ ندﺮﻛ ﺖﺳﺎﻴﺳ ﻲﺘﻴﻨﻣا ﻲﻨﺘﺒﻣ ﺮﺑ ﻪﺳﺎﻨﺷ ناﺮﺑرﺎﻛ client � زﺎﻴﻧ زاﺮﺣا ﻪﺑ ﺖﻳﻮﻫ يﺎﻬﻤﺘﺴﻴﺳ ﻂﺳﻮﺗ راﺰﮔرﺎﻛ client ﻪﺑ ﺖﺒﺴﻧ ﺖﻳﻮﻫ ﻲﺳﺎﻨﺷ ناﺮﺑرﺎﻛ دﻮﺧ ﻲﻟو ﻪﺑ دﺎﻤﺘﻋا يﺎﻬﻤﺘﺴﻴﺳ � زﺎﻴﻧ زاﺮﺣا ﻪﺑ ﺖﻳﻮﻫ ﺮﻫ ﻚﻳﻪﺑﺖﺒﺴﻧ ناﺮﺑرﺎﻛ زا ﺲﻳوﺮﺳ ﻲﺘﺳاﻮﺧرد و ﺲﻜﻌﻟﺎﺑ �� ٣ �� سوﺮﺑﺮﻛ � ﻮﻫ زاﺮﺣاﻳرﺎﮕﻧ ﺰﻣر سﺎﺳا ﺮﺑ ﺖيﻠﻛﻴﺪﻲﻔﺨﻣ ) نرﺎﻘﺘﻣ ( MIT � ﺣاﺮﻃﻲردهﺪﺷ � ﺎﺟ ﻪﺑيﻮﻫزاﺮﺣا ﻳترﻮﺻ ﻪﺑ راﺰﮔرﺎﻛ ﺮﻫ رد ﺖزﻮﺗ ﻳ،هﺪﺷ ﻊﻳﻚ ﻮﻫ زاﺮﺣا ﻪﺑ ار صﺎﺧ راﺰﮔرﺎﻛﻳﻣصﺎﺼﺘﺧا ﺖﻴﻫﺪﻴﻢ � يﺎﻫ ﻪﺨﺴﻧ 4 و 5 ﺪﻨﺘﺴﻫ هدﺎﻔﺘﺳا لﺎﺣ رد نآ ٤ ��

ﺎﻬﻳﺪﻨﻣزﺎﻴﻧ / ﻲﻣﻮﻤﻋ يﺎﻬﻴﮔﮋﻳوسوﺮﺑﺮﻛ Common � ﻲﻣﻮﻤﻋندﻮﺑ ) ( � ردﻂﻴﺤﻣ ﻊﻳزﻮﺗ ﺎﺑ هاﺮﻤﻫ هﺪﺷ يﺎﻫروﺮﺳ وﺰﻛﺮﻤﺘﻣ ﺮﻴﻏﺰﻛﺮﻤﺘﻣ Security � ﻴﻨﻣا ﺖ ) ( � يﺎﻋدا ﻲﻠﺻا Reliability � ﻤﻃاﻴنﺎﻨ ) ( � نﺎﻨﻴﻤﻃا زا ﻲﺳﺮﺘﺳد يﺮﻳﺬﭘ راﺰﮔرﺎﻛ ﺖﻳﻮﻫ ﻲﺳﺎﻨﺷ ) سوﺮﺑﺮﻛ ( Transparency � ﻴﻓﺎﻔﺷ ﺖ ) ( � ﺎﺑ ناﺮﺑرﺎﻛﻳﺳﺪﻴﺪﻨﻧﺎﻤﻫ ار ﻢﺘﺴﻳﺳﻚﻴهدﺎﺳ ﻢﺘﺴ “ ﻪﺳﺎﻨﺷ ﻪﻤﻠﻛ ورﻮﺒﻋ ” ﺒﺑﻴﺪﻨﻨ . Scalability � ﻘﻣﻴسﺎﺬﭘﻳﺮي ) ( � ﺖﻴﻠﺑﺎﻗ رﺎﻛ داﺪﻌﺗ ﺎﺑ يدﺎﻳز ﻦﻴﺷﺎﻣ ﺮﺑرﺎﻛ وراﺰﮔرﺎﻛ �� ٥ �� ﻲﻣﻮﻤﻋ يﺎﻬﻴﮔﮋﻳوسوﺮﺑﺮﻛ � ﺪﻨﭼﻒﻳﺮﻌﺗ � ﻪﻨﻣاد : ﻚﻳهدوﺪﺤﻣ ﻲﺳﺮﺘﺳد ﺺﺨﺸﻣ ار ﻲﻣﺪﻨﻛ . ﻪﺑﻲﻋﻮﻧ ﻪﻨﻣاد لدﺎﻌﻣ يﺎﻫ ﻒﻳﺮﻌﺗ رد هﺪﺷزوﺪﻨﻳو ﻲﻣﺪﺷﺎﺑ . � ﺰﻛﺮﻣﻊﻳزﻮﺗ ﺪﻴﻠﻛ : سوﺮﺑﺮﻛ راﺰﮔرﺎﻛ لدﺎﻌﻣﻲﻣﺪﺷﺎﺑ . Principal � : ﻪﺑﺲﻳوﺮﺳ ﻪﻴﻠﻛ وناﺮﺑرﺎﻛ ،ﺎﻫ هﺎﮕﺘﺳد ،ﺎﻫ يﺮﺻﺎﻨﻋ ﻪﻛ جﺎﻴﺘﺣا ﻪﺑ ﻪﺘﻔﮔ ،ﺪﻧراد سوﺮﺑﺮﻛ راﺰﮔرﺎﻛ ﻪﺑ دﻮﺧ نﺪﻧﺎﺳﺎﻨﺷﻲﻣدﻮﺷ . ٦ ��

سو�� ياﺮﺑ ﻲﻓﺮﻌﻣ سوﺮﺑﺮﻛ زا مﺎﮔ ﻪﺑ مﺎﮔ ترﻮﺻ ﻪﺑ يﺎﻬﻠﻜﺗوﺮﭘ عوﺮﺷ هدﺎﺳﻲﻣﻢﻴﻨﻛ وﻲﻌﺳ ﻲﻣﻢﻴﻨﻛ ﺮﻫ تﻻﺎﻜﺷا ﻚﻳار فﺮﻃﺮﺑ ﻢﻴﻨﻛ ﻪﺑ ﺎﺗ سوﺮﺑﺮﻛ ﻢﻴﺳﺮﺑ . �� ٧ �� هدﺎﺳ گﻮﻟﺎﻳد زاﺮﺣاﺖﻳﻮﻫ -0 AS راﺰﮔرﺎﻛ ﺮﻫ وﻚﻳﺪﻴﻠﻛدراد دﻮﺟو كﺮﺘﺸﻣ . صﺮﻓ : ﻦﻴﺑ راﺰﮔرﺎﻛ زا ﺎﻣﺮﻓرﺎﻛ ﻂﺳﻮﺗ تﺎﻣﺪﺧ ﺖﺳاﻮﺧرد : Client � AS: ID client || Pass Client || ID Server 1. AS � Client: Ticket 2. Client � Server: ID client || Ticket 3. AS : Authentication Server ﻮﻫ زاﺮﺣا راﺰﮔرﺎﻛﻳﺖ K server : Shared key between AS and Server Ticket = E Kserver [ID client || Addr client || ID server ] ٨ ��

ﻂﻴﻠﺑ وﺮﻤﻠﻗ ﻪﺑ ﺮﺑرﺎﻛ دورو مﺎﮕﻨﻫ ﻪﻛ ﺖﺳا ﻲﻫاﻮﮔ ﻲﻋﻮﻧ ﻊﻗاو رد سوﺮﺑﺮﻛ ﻊﺑﺎﻨﻣ ﻪﺑ ﻲﺳﺮﺘﺳد ياﺮﺑ وا رﺎﺒﺘﻋا ﺮﮕﻧﺎﻴﺑ ﻪﻛ دﻮﺷ ﻲﻣ هداد وا ﻪﺑ ﺪﺷﺎﺑ ﻲﻣ ﻪﻜﺒﺷ . �� ٩ �� ﻲﺳرﺮﺑ گﻮﻟﺎﻳد � ﺎﻣﺮﻓرﺎﻛ سردآ اﺮﭼ (Client) ﻠﺑرد ﻴﻣﺮﻛذ ﻂﻴ؟دﻮﺸ � ردﺮﻴﻏ ﻦﻳا ﺮﻫ ترﻮﺻ ﻲﺼﺨﺷ ﻪﻛ ﻂﻴﻠﺑ زا ار ﻖﻳﺮﻃ دروآ ﺖﺳد ﻪﺑ دﻮﻨﺷ ﺰﻴﻧ ﺪﻧاﻮﺘﻴﻣ ﺪﻨﻛ هدﺎﻔﺘﺳا تﺎﻧﺎﻜﻣا زا . ردهﺪﺷ ﺮﻛذ سردآ ﻪﺑ تﺎﻣﺪﺧ ﺎﻬﻨﺗ نﻮﻨﻛا ﺎﻣاﻂﻴﻠﺑ ﻪﻳارا دﻮﺸﻴﻣ . � سردآ ﻞﻌﺟ ﻞﻜﺸﻣ ID client � ﺎﻣﺮﻓرﺎﻛ ﻪﺳﺎﻨﺷ اﺮﭼ لﺎﺳرا هﺪﺸﻧ ﺰﻣر ترﻮﺻ ﻪﺑ مﻮﺳ مﺎﮔ رد ﻣﻴ؟دﻮﺸ � اﺮﻳز ﻦﻳا ترﻮﺻ ﻪﺑ تﺎﻋﻼﻃا يرﺎﮕﻧﺰﻣر رد هﺪﺷ ﻂﻴﻠﺑدراد دﻮﺟو . � ﺎﺑ ﻪﺳﺎﻨﺷ ﺮﮔا ﻂﻴﻠﺑ تﺎﻣﺪﺧ ﺪﺷﺎﺑ ﻪﺘﺷاﺪﻧ ﺖﻘﺑﺎﻄﻣ ﻪﻳارا ﻲﻤﻧﺪﻧﻮﺷ . ١٠ ��

تﻼﻜﺸﻣ هدﺎﺳ گﻮﻟﺎﻳد زاﺮﺣاﺖﻳﻮﻫ -0 � ﻲﻨﻣاﺎﻧ � رﻮﺒﻋ ﻪﻤﻠﻛ لﺎﺳرا راﺬﮔﺰﻣر نوﺪﺑي ) ﺑﻪﻞﻜﺷ ﺢﺿاو ﻦﺘﻣ ( � راﺮﻜﺗ ﻪﻠﻤﺣ نﺎﻜﻣا � ﻲﻳآرﺎﻛﺎﻧ � موﺰﻟ يﺎﺿﺎﻘﺗ ﻂﻴﻠﺑ ﺪﻳﺪﺟ ياﺮﺑ ﺮﻫ ﺖﻣﺪﺧ �� ١١ �� ﻂﻴﻠﺑ زا دﺪﺠﻣ هدﺎﻔﺘﺳاﺎﻫ Tickets � اﺮﭼ ﻂﻴﻠﺑ زا دﺪﺠﻣ هدﺎﻔﺘﺳا ﺎﻫ ) ( ﻤﻫا ﻴ؟دراد ﺖ � ﮔﻮﻠﺟﻴﺮيﺎﺗزا ﻳردرﻮﺒﻋ ﻪﻤﻠﻛ دﺪﺠﻣ ﭗﻳﻧﺎﻣز هزﺎﺑ ﻚﻲهﺎﺗﻮﻛ � ﺖﻴﻓﺎﻔﺷ زاﺮﺣا ﺖﻳﻮﻫ � ﻪﺟﻮﺘﻣ ﺮﺑرﺎﻛ يﺎﻫﺪﻨﻳآﺮﻓ ﺖﻳﻮﻫ ﻲﺳﺎﻨﺷ ﻲﻤﻧدﻮﺷ . ١٢ ��

ﺶﻳاﺰﻓا ﻲﻨﻤﻳا - دﻳگﻮﻟﺎ 1 � زا هدﺎﻔﺘﺳاﻳﺪﺟراﺰﮔرﺎﻛ ﻚﻳﻠﺑهﺪﻨﻨﻛ ﺎﻄﻋا راﺰﮔرﺎﻛ مﺎﻧ ﺎﺑ ﺪﻴﻂ TGS: Ticket Granting Server � AS � راﺰﮔرﺎﻛ ﺖﻳﻮﻫ زاﺮﺣا، ،دراد دﻮﺟو نﺎﻛﺎﻤﻛ . ticket-granting ticket � ﻠﺑﻴﻂ “ ءﺎﻄﻋاﻠﺑﻴﻂ ” ردﺎﺻ نآ ﻂﺳﻮﺗ ﻲﻣدﻮﺷ . TGS ﻣردﺎﺻ ﻴﺪﻧﻮﺸ . � ﻠﺑ ﻪﭼﺮﮔا ﻴيﺎﻬﻄ ﻂﺳﻮﺗ تﺎﻣﺪﺧ ءﺎﻄﻋا service-granting ticket � ﻠﺑﻴﻂ “ ءﺎﻄﻋا تﺎﻣﺪﺧ ” AS � رﻮﺒﻋ ﻪﻤﻠﻛ لﺎﻘﺘﻧا زا بﺎﻨﺘﺟا ﭘندﺮﻛ ﺰﻣر ﺎﺑ ﻴراﺰﮔرﺎﻛ مﺎ ﺖﻳﻮﻫ زاﺮﺣا ) ( ﺎﻣﺮﻓرﺎﻛ ﻪﺑ ﻠﻛ ﻂﺳﻮﺗ ﻴرﻮﺒﻋ ﻪﻤﻠﻛ زا هﺪﺷ ﻖﺘﺸﻣ ﺪ �� ١٣ �� ﺶﻳاﺰﻓا ﻲﻨﻤﻳا - دﻳگﻮﻟﺎ 1 TGS Client 1. ID Client || ID TGS 3. ID Client || ID Server || Ticket TGS 2. E K Client [Ticket TGS ] 4. Ticket Server 5. ID Client || Ticket Server Log In AS ﻪﺴﻠﺟ ﻚﻤﻛ ﺎﺑ ﺎﻣﺮﻓرﺎﻛﺪﻴﻠﻛ AS ودﻮﺧ كﺮﺘﺸﻣ TGS ار ﻂﻴﻠﺑ ﻲﺑﺎﻳزﺎﺑ ﺪﻨﻜﻴﻣ . = Ticket E [ID || Addr || ID || Timestamp || Lifetime ] TGS K Client Client TGS 1 1 TGS = Ticket E [ID || Addr || ID || Timestamp || Lifetime ] Server K Client Client Server 2 2 Server ١٤ �� Server

Kerberos & X.509 11 - PDF document

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Kerberos Working Group UTF-8 Stringprep Profile UTF-8 Stringprep Profile Goals and Principles

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

PROVING WHO YOU ARE TLS & THE PKI CMSC 414 MAR 29 2018 RECALL OUR PROBLEM WITH

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular

Cryptography [Finish Asymmetric Cryptography] Spring 2020 Earlence Fernandes

RevCast : Fast, Private Certificate Revocation over FM radio Aaron Schulman Stanford University

Kerberos & X.509 11 - PDF document

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Kerberos Working Group UTF-8 Stringprep Profile UTF-8 Stringprep Profile Goals and Principles

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

PROVING WHO YOU ARE TLS &amp; THE PKI CMSC 414 MAR 29 2018 RECALL OUR PROBLEM WITH

Scalable &amp; Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular

Cryptography [Finish Asymmetric Cryptography] Spring 2020 Earlence Fernandes

RevCast : Fast, Private Certificate Revocation over FM radio Aaron Schulman Stanford University

PROVING WHO YOU ARE TLS & THE PKI CMSC 414 MAR 29 2018 RECALL OUR PROBLEM WITH

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular