Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Slides:



Advertisements
Similar presentations
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
 Authorization via symmetric crypto  Key exchange o Using asymmetric crypto o Using symmetric crypto with KDC  KDC shares a key with every participant.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Public Key Infrastructure from the Most Trusted Name in e-Security.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.
KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication University of Michigan Kevin Coffman Bill Doster.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Module 9: Fundamentals of Securing Network Communication.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Cryptography and Network Security Chapter 14 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
Fermilab CA Infrastructure EDG CA Managers Mtg June 13, 2003.
Grid Access Toolkit for MS Windows Daniel Kouřil CESNET, MWSG meeting, Jun
1 Grid School Module 4: Grid Security. 2 Typical Grid Scenario Users Resources.
Advanced Authentication Campus-Booster ID: Copyright © SUPINFO. All rights reserved Kerberos.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
X509 Web Authentication From the perspective of security or An Introduction to Certificates.
Pertemuan #8 Key Management Kuliah Pengaman Jaringan.
1 Example security systems n Kerberos n Secure shell.
Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.
Grid Security.
Cryptography and Network Security
Radius, LDAP, Radius used in Authenticating Users
Public Key Infrastructure from the Most Trusted Name in e-Security
CLASP Project AAI Workshop, Nov 2000 Denise Heagerty, CERN
Install AD Certificate Services
Presentation transcript:

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006

METACentre Project Czech nation-wide Grid activity Infrastructure for distributed and high performance computing Major computing centres in the country Security architecture based on Kerberos (Co)-Authored a few Kerberos solutions (SSH, Web authN) Partner of international Grid projects (EGEE2)

PKI Overview Asymmetric cryptography Each user has a key-pair consisting of a public and private key Private key kept secred, public key spread among other users Digital signatures Private key used to generate digital signatures Public key used to verify the signature Similarly encryption

PKI - CAs How to get a correct public key? Independent identity providers – Certification authorities Digital certificates (X.509) Public key, key owner identity, validity, other auxiliary information signed by the CA key Only the CA key is distributed across the comunity Certificate revocation Building a trusted CA is a political and organizational problem not a technical issue

Kerberos vs. PKI Symmetric vs. asymmetric cryptography Performace Tickets vs. Certificates Similar concept Issued by identity providers Online KDC vs. offline CA Think of revocations (OCSP) Password vs. Private key Long-term private keys must be stored on disk, are maintaned by the user In real-word deployment many weakness in key management Revocation mechanism Not needed for Kerberos, can be source of troubles for PKI Scalability KDC must register every user Long-term digital signatures signing, encrypting is very common using PKI Message level security

Kerberos and PKI Combining PKI and Kerberos PKI is requested by large Grid projects We have never wanted to abandon Kerberos Credential conversions PKI to Kerberos Kerberos to PKI

PK-INIT IETF specification (draft) Adding public key based authentication to the AS_REQ/AS_REP messages Using pre-authentication mechanism PK-INIT only affects the initial authN step rest of the protocol is untouched (and transparent for the end services).

PK-INIT Protocol Client sends a public key (certificate) and signature KDC verifies the certificate (public key) and signature and check the request Public key must be bound to the client principal The KDC reply isn‘t encrypted with a principal key from the DB but with a new symmetric key The symmetric key is encrypted using the public key (or DH) The client verifies the reply, gets the key, decrypts the reply From this moment on the client proceeds as usual TGT can be used to ask other tickets

PK-INIT Implementation We implemented a first version the PK- INIT specs for Heimdal Accepted by Heimdal In production use in METACentre Support for Grid proxy certificates Integration with the user management system

PK-INIT and Smart Cards OpenSSL Engine Allows to use devices through #PKCS11 OpenSC framework iKey3000 USB token Combination of smart card and reader Currently distributing among users Works both on Unix and Windows

Smart Card Access kinit PKCS11 Engine Module OpenSSL Libs OpenSSL Engine Heimdal libs PKCS11 library Token configurable

Travelkits Unix Standard krb5 tools from the distribution PK-INIT enabled kinit command and auxiliary files (CA certificates) - rpm, deb MS Windows Standard Kerberos for Windows PK-INIT enabled kinit command etc. Part of Heimdal ported to Windows Kerberos enabled Putty and WinSCP clients

Kerberos to PKI Given a Kerberos ticket create a certificate and private key Easy access to the Grid, or other PKI based services (www) CA Creating certificates for Kerberos tickets Operating online Short-time certificates Private key can be unencrypted

Kerberos CA kCA Used in the Grid community (Fermilab) kx509, kpkcs11 MyProxy Very common service in Grid world On-line credential repository Latest versions support also CA mode

MyProxy 1. Client generates a new key-pair 2. Sends a CSR to the MyProxy server Connection secured by Kerberos 3. MyProxy server returns a signed certificate Using LDAP to map Kerberos principal to subject name Lifetime is copied from the ticket 4. Client stores credential on disk Generated private key and received certificate

PKI to Kerberos Credentials are stored in „Grid“ format Can be used by standard grid commands Other applications must be configured kpkcs11 library for PKCS11 aware apps Using the Windows certificate repository Conversions can be run transparently Login script on UI machines

Conclusions PKI and Kerberos can cooperate Multi-mechanim SSO possible

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.