ACCESS CONTROL MANAGEMENT Poonam Gupta Sowmya Sugumaran PROJECT GROUP # 3

Overview Goal of the project Project Progress Closer look at the TGTs Few security issues in Kerberos Brief intro to Kerberos commands Few screen shots Immediate tasks ahead

Goal of the Project  The goal of the project is to allow clients access the service servers in a secure and controlled manner using Kerberos

Project Progress Installed Kerberos version5 Assigned password for pre-authentication  Working on incorporating SRP protocol in pre- authentication

Closer look at the TGT Version no: Msg Type ID Username Req. Ticket Instance Kerberos Realm Ts Req. Ticket Life-time Req. Service Instance 1 byte String 4 Bytes1 byteStringstring TGT : Ticket-to-get-Ticket(between client and authentication server to get access to get access to Ticket Granting Server) There are 9 field in a TGT request TGT Request Format

Contd.. The server can’t authenticate the TGT packet An intruder can construct a similar looking packet It can be indistinguishable from the legitimate packet

Contd.. Kerberos authenticates the client by sending back an encrypted packet The packet is encrypted using the key from the user’s password If the user enters the correct password upon logging in, the client can decrypt the packet to obtain the valid TGT Unauthorized users get random useless bits

TGT Return Packet Format Session key Service Name Instance Realm TGT life- time Ver no: Encry. Ticket Length Encry. Ticket Block Ts 8 bytesString 1 byte Field 74 bytes Ticket length and Ticket block are encrypted using the key derived from the user’s password.

In Enemy Hands Prone to Dictionary Attack –Password cracker Intruder sends a fake TGT request and saves the encrypted TGT to a file He then trial tests the password(P) 1.Convert P to DES key(K): K=string-to-key(P) 2.Decrypt TGT with K and check if it is the valid TGT 3.If so, P is the user’s password

Timestamp in Pre-authentication Including Ts during pre-authentication C S Drawback: Prevents an attacker from requesting TGT; but does not prevent an eavesdropper from capturing E k {Ts} or E k {TGT} R, E k {Ts } E k {TGT }

Solution: Stronger Cryptography A variant of public-key cryptography Secure Remote Password(SRP) – Properties: Resistant to dictionary attack Secure even if the password is of low entropy Only one password can be guessed per attempt in SRP 6 SRP can be incorporated into Krb v5 as a pre- authentication mechanism

Getting the Tickets kinit –forwards request for TGT to KDC KDC encrypts TGT with pswrd and sends back kinit has following options - l(lifetime) - f(forwardable tickets) -r(renewable life)

Listing the Tickets klist – lists the tickets of the authenticated user. output of an unsuccessful authentication is: klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)

Contd.. klist provides: – Information of all tickets – Expiration time of each ticket – Flags that apply to the ticket Example: Ticket cache: /tmp/krb5cc_1234 Valid starting Expires 29 Jul 98 11:25:47 30 Jul 98 12:25:42

Changing Kerberos Password Kpasswd is used for changing Kerberos passwords – kpasswd: Changing password – Old password: your_old_password – kpasswd:your_new_password – New password (again): your_new_password – Kerberos password changed

Immediate Tasks Ahead  Clock Synchronization  Setting the Master key

Clock Synchronization All clocks within the organization must be synchronized Very important – Protects against replay attack Possible solution: – Installing time server on one machine and having all clients synchronize their clocks with this machine

Setting the Master Key Database master key – protects from accidental disclosure Derived from pass phrase and stored in stash file Don’t back up stash file while making backups of database in a tape – Master key: Verifying password – Master key:

References

Thank You!