Strong Authentication Project CD/DCD/Computer Security Team Fermi National Accelerator Laboratory Mark Kaletka Matt Crawford.

Philosophy
"Scientific thinking and invention flourish best where people are allowed to communicate as much as possible unhampered." -- Enrico Fermi

Why Stronger Authentication?
- Reduce effort spent on intrusions & recovery;
- Regulatory climate is demanding increased attention to access controls;
- Management has agreed with the goals outlined in the SLCCC-TWG white paper "Alternatives to Reusable Passwords: Robust Authentication".

Requirements
- Acceptable improvement in access controls:
  - must be adaptable to: changes in system security requirements; new threats; changes in computing styles; network connectivity; security options;
  - must allow for trust relationships with other secure domains or realms;
  - allow for some form of access by trusted individuals outside of trusted domains.

Requirements (continued)
- Acceptable to the user community. There will be some increased inconvenience, but...
  - A single identifier can authorize access to multiple systems;
  - Fewer account name & password combinations to remember, maybe only one!
- Run II schedule:
  - Implementation may be staged but must offer meaningful improvement for Collider Run II (i.e. mid-next year).

Project Goals
- Primary:
  - Prevent network disclosure of passwords.
- Secondary:
  - Provide a single sign-on environment.
  - Integrate AFS accounts & systems.
  - Simplify account management, especially terminations; take this burden off the system administrators.
  - Enforce password policies.

Strong Authentication - System Design

Four Realms
- Strengthened Realm: Kerberos authentication required for all network logins.
- Untrusted Realm: hosts, on- or off-site, from which direct logins to the Strengthened realm are not permitted.
- Trusted Realm: an outside Kerberos realm with which we cross-authenticate.
- Portal: gateway between Untrusted and Strengthened.

Kerberos
- Kerberos version 5 is a protocol for authentication of users and services (collectively called principals).
  - Created at MIT, circa
  - Designed for use over insecure networks.
  - Still under active development.
  - Several commercial products are built on it.
  - Many universities and labs use it.
- AFS uses the Kerberos version 4 protocol.
- DCE uses Kerberos 5.

Enforcing Password Security
- To avoid exposing Kerberos passwords, non-Kerberos network logins must be replaced with Kerberos; initial tickets must be obtained locally!
  - Easily configured.
  - May be verified by network scan.
  - Anonymous FTP is still allowed.
- Password policies (dictionary check, aging, quality) are enforced by the master KDC.
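The slide says the "no non-Kerberos network logins" rule may be verified by network scan. The script below is an added example, not code from the Fermilab project: it parses scan results written in the style of nmap's grepable (-oG) output and reports Strengthened-realm hosts that still listen on a service which accepts a reusable password over the network, while honouring the anonymous-FTP exception. The port table, the anonymous-FTP allowlist and the scan lines are all constructed for the example.

```python
"""Verification of the 'no non-Kerberos network logins' rule by scan.

Added example, not from the Fermilab slides: parses scan results in the
style of nmap's grepable (-oG) output and flags hosts that still expose a
service taking a reusable password on the wire.  The port table, the
anonymous-FTP allowlist and the scan lines are constructed for the example.
"""
import re

# Ports whose classic daemons accept a reusable password over the network
# (assumed policy table; extend to match local practice).
CLEARTEXT_LOGIN_PORTS = {
    21: "ftp",
    23: "telnet",
    110: "pop3",
    143: "imap",
    513: "rlogin",
    514: "rsh",
}

# Hosts permitted to keep port 21 open for anonymous FTP (assumption).
ANON_FTP_HOSTS = frozenset({"ftp.example.test"})

# Constructed sample scan, one host per line, in nmap -oG style.
# 192.0.2.0/24 is the documentation range; these are not real hosts.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 (build01.example.test)\tPorts: "
    "22/open/tcp//ssh///, 88/open/tcp//kerberos-sec///\n"
    "Host: 192.0.2.11 (build02.example.test)\tPorts: "
    "21/open/tcp//ftp///, 23/open/tcp//telnet///, 22/open/tcp//ssh///\n"
    "Host: 192.0.2.12 (ftp.example.test)\tPorts: 21/open/tcp//ftp///\n"
    "Host: 192.0.2.13 (down.example.test)\tStatus: Down\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")


def parse_grepable(text):
    """Yield (ip, hostname, {port: service}) for each line with a Ports field.

    Each port entry has the form port/state/proto/owner/service/rpc/version/;
    only open TCP ports are kept.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # e.g. "Status: Down" lines carry nothing to check
        ip, name, ports = m.groups()
        open_ports = {}
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open" or fields[2] != "tcp":
                continue
            open_ports[int(fields[0])] = fields[4]
        yield ip, name, open_ports


def find_violations(scan_text, anon_ftp_hosts=ANON_FTP_HOSTS):
    """Return (host, port, service) triples that break the policy."""
    violations = []
    for ip, name, ports in parse_grepable(scan_text):
        host = name or ip
        for port in sorted(ports):
            if port not in CLEARTEXT_LOGIN_PORTS:
                continue
            if port == 21 and host in anon_ftp_hosts:
                continue  # anonymous FTP is explicitly permitted
            violations.append((host, port, CLEARTEXT_LOGIN_PORTS[port]))
    return violations


if __name__ == "__main__":
    for host, port, service in find_violations(SAMPLE_SCAN):
        print(f"{host}: {service} on tcp/{port} accepts reusable passwords")
```

Run against real scan output the check only tells you a port is open, not that the daemon behind it has been replaced by a Kerberized one listening on the same port; a follow-up banner or protocol check is needed for ports such as 21 and 23 where both variants exist.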

Portal
- Provides authentication for users who lack Kerberos software or secure network channels, and obtains their initial tickets.
  - Hardware tokens (CryptoCard)
  - One-time passwords (S/Key)
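To show why an S/Key-style one-time password is safe to type over an untrusted channel, here is an added example of the hash-chain mechanism; it is not the Fermilab portal's code. It uses SHA-256 rather than the MD4/MD5 folding and six-word encoding of real S/Key (RFC 1760), and the seed, passphrase and chain length are constructed for the demonstration. The portal side stores only a counter and the last accepted value, so a captured password is useless for the next login and a stolen store does not reveal future passwords.

```python
"""One-time password chain for a portal, in the style of S/Key.

Added example, not the Fermilab portal's code: a simplified S/Key-style
hash chain using SHA-256 (real S/Key folds MD4/MD5 output to 64 bits and
encodes it as six words).  Seed, passphrase and chain length are constructed.
"""
import hashlib
import hmac


def h(value: bytes) -> bytes:
    """One step of the chain."""
    return hashlib.sha256(value).digest()


def hash_chain(seed: bytes, passphrase: bytes, n: int) -> bytes:
    """Return H^n(H(seed || passphrase)); the client computes this offline."""
    value = h(seed + passphrase)
    for _ in range(n):
        value = h(value)
    return value


class PortalOtpStore:
    """Server side: keeps only (remaining count, last accepted value) per
    user, never the passphrase, so a stolen store yields no future OTPs."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, seed: bytes, passphrase: bytes, n: int = 100):
        # The server stores H^n; the first login must present H^(n-1).
        self._users[user] = [n, hash_chain(seed, passphrase, n)]

    def challenge(self, user: str) -> int:
        """Sequence number the client must answer with (seed is public)."""
        count, _ = self._users[user]
        return count - 1

    def verify(self, user: str, candidate: bytes) -> bool:
        record = self._users.get(user)
        if record is None or record[0] <= 0:
            return False  # unknown user or exhausted chain: must re-enroll
        count, last = record
        # Accept iff hashing the candidate once yields the stored value.
        if not hmac.compare_digest(h(candidate), last):
            return False
        record[0] = count - 1
        record[1] = candidate  # chain moves forward: a replay now fails
        return True


def demo():
    """Enroll, log in, replay the used OTP, then log in again."""
    seed, passphrase = b"ex7001", b"correct horse battery staple"
    store = PortalOtpStore()
    store.enroll("alice", seed, passphrase, n=5)
    first = store.verify("alice", hash_chain(seed, passphrase, store.challenge("alice")))
    replay = store.verify("alice", hash_chain(seed, passphrase, 4))  # same OTP again
    second = store.verify("alice", hash_chain(seed, passphrase, store.challenge("alice")))
    return first, replay, second


if __name__ == "__main__":
    print(demo())  # expect (True, False, True)
```

The chain is consumed from H^(n-1) downwards, so when the counter reaches zero the user has to re-enroll with a fresh seed; a real deployment also has to guard against a user enrolling with a short chain or a passphrase that a dictionary attack could recover from one observed OTP.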

Untrusted to untrusted (diagram: Untrusted realm)

Strengthened to untrusted (diagram: Strengthened and Untrusted realms)

Strengthened to strengthened (diagram: Strengthened realm with Key Distribution Center)

Untrusted to strengthened (diagram: Untrusted and Strengthened realms with Key Distribution Center)

Pilot Project
- OSS Department Build Cluster & CDF Run II Analysis Prototype:
  - Interim user and developer documentation;
  - Interim libraries & APIs for required OSs & languages;
  - Interim Kerberos principals, hardware tokens;
  - Standard MIT distribution for required OSs + specific local applications;
  - 32 systems.

Fin...