Kerberos in an ISP environment

Presentation transcript:

Kerberos in an ISP environment: UNIX/Win2K/Cisco
> Nicolas FISCHBACH, nico@securite.org - http://www.securite.org/nico/
> Sébastien LACOSTE-SERIS, kaneda@securite.org - http://www.securite.org/kaneda/
version 1.13

Agenda
- Kerberos
  > Introduction: why did we choose Kerberos?
  > Protocol and exchanges
  > MIT Kerberos and applications
  > Attacks
- Deployment
  > UNIX
  > Cisco routers and switches
  > Win2K
- Q&A
© 2001 Sécurité.Org

What is Kerberos?
- Kerberos is a network authentication protocol/system
- Uses time synchronization to:
  > limit the lifetime of tickets and session keys
  > help in detecting replay attacks (authenticator timestamps must be fresh)
- Mutual authentication (the server proves its identity to the client as well)
- Uses DES and shared (symmetric) keys
- Trusted third party: the KDC holds every principal's key

What is Kerberos not?
- Kerberos does not provide authorization, only authentication: a valid ticket says who the client is, not what it may do
- Kerberos does not encrypt application data by itself; it only hands both parties a session key that a kerberized application (e.g. telnet with DES encryption) may use for that

Why use Kerberos?
- Secure authentication (cryptography)
- No password transmission over the network
- Single Sign On
  > SSO is bad for security (Bruce Schneier): one compromised credential opens every service
- Centralized authentication management
- IETF Standard (RFC 1510; since superseded by RFC 4120)

Kerberos vocabulary (1)
- KDC: Key Distribution Center. Holds a database of clients and servers (called principals) and their secret keys (symmetric keys, not "private" keys in the public-key sense)
- principal: three-tuple <primary name, instance, realm>
  > user: login/staff@REALM
  > service: service/host.fqdn@REALM
- primary: username or service name
- instance: "qualifies" the primary (a role for a user, the host for a service); may be empty
- realm: authentication domain

Kerberos vocabulary (2)
- keytab: file containing one or more keys (for hosts or services). Also known as SRVTAB; it must be protected like a password file, since whoever reads it can impersonate the service
- client: an entity that can obtain a ticket (user or host)
- service: host, ftp, krbtgt, pop, etc.
- ticket: credentials (identity of a client for a particular service), encrypted under the service's key
- TGT: ticket issued by the AS for the krbtgt/REALM service. Allows the client to obtain additional tickets for the same realm

Key Distribution Center
- Responsible for maintaining the long-term keys of all principals and issuing Kerberos tickets
- The Authentication Service (AS) gives the client a session key and a Ticket Granting Ticket (TGT)
- The Ticket Granting Service (TGS) distributes service session keys and tickets for individual services

Kerberos Protocol (1)
- Kerberos ticket
  > cleartext part: realm (domain), service principal name
  > encrypted part (under the service's key): ticket flags, session key, client name, start time, end time, host address(es), authorization data

Kerberos Protocol (2)
- Kerberos ticket exchanges: user <-> KDC (Authentication Service, then Ticket Granting Service), then user <-> network service
- Ports:
  > kinit (AS and TGS exchanges): 88/udp
  > kpasswd (Unix): 749/tcp
  > kpasswd (Win): 464/{tcp,udp}

Kerberos Protocol (3)
- Getting a Ticket Granting Ticket (1+2)
  > (1) TGT request: the client principal name, sent in clear to the KDC
  > (2) TGT (encrypted under the krbtgt key, opaque to the client) plus the TGT session key, encrypted under the key derived from the user's password; a wrong password simply fails to decrypt it

Kerberos Protocol (4)
- Getting and using a Service Ticket (3+4+5)
  > (3) ST request, carrying the TGT and an authenticator (client name and timestamp encrypted under the TGT session key)
  > (4) ST (encrypted under the service's key) and a new session key (encrypted under the TGT session key)
  > (5) ST plus a fresh authenticator under the new session key, sent to the server for authentication; with mutual authentication the server answers with the authenticator timestamp encrypted under that session key
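The five numbered steps above (and the keytab check against KDC spoofing discussed later under Attacks), run end to end in an added Python model. This is not code from the presentation or from MIT krb5: realm COLT.CH and the host principal host/bgp1.colt.ch come from the deck, while the user nico/engineering, the passwords, the 8-hour lifetime and the SHA-256/HMAC stand-in for DES are assumptions made here, so only the message flow and the checks are realistic.

```python
"""Toy model of the slides' exchanges: AS (TGT), TGS (service ticket), AP (ticket +
authenticator, mutual auth) and the keytab check that defeats KDC/AS spoofing.
Users, passwords and keys are made up; the cipher is a SHA-256 keystream + HMAC
stand-in for the DES of MIT krb5, so only the message flow is realistic."""
import hashlib, hmac, json, os, time

def string2key(password, salt):          # stand-in for Kerberos string2key
    return hashlib.sha256(salt.encode() + password.encode()).digest()

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key, obj):                   # encrypt-then-MAC: nonce || ct || tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):                  # raises ValueError on wrong key / tampering
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Principal database (name -> long-term key) plus the AS and TGS services."""
    def __init__(self, realm, db, lifetime=8 * 3600):
        self.db, self.lifetime, self.tgs_name = db, lifetime, "krbtgt/" + realm

    def _ticket(self, cname, sname, addr, now):
        skey = os.urandom(32)            # fresh session key per ticket
        enc = encrypt(self.db[sname], {"key": skey.hex(), "cname": cname, "addr": addr,
                                       "start": now, "end": now + self.lifetime})
        return {"sname": sname, "enc": enc}, skey

    def as_exchange(self, cname, addr, now=None):
        """(1)+(2): TGT under the krbtgt key, session key under the user's key."""
        tgt, skey = self._ticket(cname, self.tgs_name, addr, now or time.time())
        return tgt, encrypt(self.db[cname], {"key": skey.hex(), "sname": self.tgs_name})

    def tgs_exchange(self, tgt, authenticator, sname, now=None):
        """(3)+(4): check TGT + authenticator, issue an ST under the service's key."""
        now = now or time.time()
        t = decrypt(self.db[self.tgs_name], tgt["enc"])
        a = decrypt(bytes.fromhex(t["key"]), authenticator)
        if a["cname"] != t["cname"] or not t["start"] <= now <= t["end"]:
            raise PermissionError("TGT/authenticator mismatch or TGT expired")
        st, skey = self._ticket(t["cname"], sname, t["addr"], now)
        return st, encrypt(bytes.fromhex(t["key"]), {"key": skey.hex(), "sname": sname})

def make_authenticator(skey, cname, now=None):
    return encrypt(skey, {"cname": cname, "ctime": now or time.time()})

def kinit(kdc, cname, password, addr):
    """Client side of (1)+(2); a wrong password makes decrypt() raise ValueError."""
    tgt, rep = kdc.as_exchange(cname, addr)
    skey = bytes.fromhex(decrypt(string2key(password, cname), rep)["key"])
    return {"cname": cname, "tgt": tgt, "tgt_key": skey}

def get_service_ticket(kdc, creds, sname):
    auth = make_authenticator(creds["tgt_key"], creds["cname"])
    st, rep = kdc.tgs_exchange(creds["tgt"], auth, sname)
    return st, bytes.fromhex(decrypt(creds["tgt_key"], rep)["key"])

def ap_exchange(keytab_key, st, authenticator, now=None):
    """(5), server side: open the ST with the keytab key, check the authenticator
    under the session key, answer AP_REP (mutual authentication)."""
    now = now or time.time()
    t = decrypt(keytab_key, st["enc"])
    skey = bytes.fromhex(t["key"])
    a = decrypt(skey, authenticator)
    if a["cname"] != t["cname"] or not t["start"] <= now <= t["end"]:
        raise PermissionError("ticket/authenticator mismatch or ticket expired")
    return t["cname"], encrypt(skey, {"ctime": a["ctime"]})

def verify_init_creds(kdc, creds, host_principal, keytab_key):
    """Anti-spoofing check (what MIT's krb5_verify_init_creds does): only the real
    KDC can issue a ticket for our own host principal that our keytab key opens."""
    try:
        st, _ = get_service_ticket(kdc, creds, host_principal)
        return decrypt(keytab_key, st["enc"])["cname"] == creds["cname"]
    except (ValueError, PermissionError, KeyError):
        return False

def demo():
    """Realm and host from the slides; the user, passwords and keys are constructed."""
    host, user = "host/bgp1.colt.ch", "nico/engineering"
    db = {"krbtgt/COLT.CH": os.urandom(32), host: os.urandom(32),
          user: string2key("correct horse", user)}
    kdc = KDC("COLT.CH", db)
    creds = kinit(kdc, user, "correct horse", "192.168.0.50")
    genuine = verify_init_creds(kdc, creds, host, db[host])
    st, skey = get_service_ticket(kdc, creds, host)
    ctime = time.time()
    who, ap_rep = ap_exchange(db[host], st, make_authenticator(skey, user, ctime))
    mutual = decrypt(skey, ap_rep)["ctime"] == ctime      # server knew the session key
    # kdcspoof: a rogue KDC replies under the password the attacker typed ("x"),
    # so the AS reply decrypts fine; only the keytab check catches it.
    rogue = KDC("COLT.CH", {"krbtgt/COLT.CH": os.urandom(32), host: os.urandom(32),
                           user: string2key("x", user)})
    spoofed = verify_init_creds(rogue, kinit(rogue, user, "x", "192.168.0.50"), host, db[host])
    return genuine, who, mutual, spoofed   # (True, 'nico/engineering', True, False)
```

The point of `verify_init_creds` is the one the kdcspoof tool exploits: a login program that merely checks whether the AS reply decrypts cannot tell the real KDC from an attacker who knows the password that was just typed; only a ticket for the host's own principal, opened with the host's keytab key, proves the reply came from a KDC that holds the host's key.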

Kerberos Protocol (5)
- Kerberos delegation (credential forwarding)
  > the client sends the first server its ST together with a forwarded TGT
  > the first server uses that TGT to request from the KDC an ST (and session key) for a second server
  > the first server presents that ST to the second server on the client's behalf

Realms
- A realm is an authentication domain
  > one Kerberos database and a set of KDCs
- Hierarchical organization (new in v5)
- One- or two-way authentication between realms
- Cross-realm authentication
  > transitive cross-realm (through intermediate realms of the hierarchy)
  > direct between realms (a shared inter-realm key)

Kerberos Protocol (6)
- Authentication across realms
  > the client gets a TGT from its home KDC (TGT request / TGT)
  > the client asks its home KDC for an ST for the remote realm's krbtgt service: this cross-realm TGT comes back encrypted under the inter-realm key, with its session key
  > the client presents the cross-realm TGT to the remote KDC and gets an ST and session key for the server
  > the client presents that ST to the server

MIT distribution
- Version used: 5.1
- Provides client and server
- Supported platforms: UNIXes (xBSD, Linux, Solaris, AIX, HP-UX, OSF/1, ...), Mac OS X
- DNS can be used for KDC lookups

Kerberized applications
- telnet (with DES encryption) and r-commands
- CVS and ksu, klogin, k*
- SSH 1.2 supports Kerberos V (run at least version 1.2.30)
- SSL v3.0
- Cygnus Kerbnet (NT, Mac, Unix)
- samba doesn't (related to MS extensions)

How to Kerberize an application
- All applications can be adapted
- Use the GSS-API rather than the raw krb5 API
- Transport the ticket (the AP request) within the application protocol

NAT issues
- Host address is included in the tickets
- Need to add the NATed IP address in the ticket, otherwise the server rejects a ticket whose address list does not contain the source address it actually sees
- Patch for MIT Kerberos 5.1

Attacks against Kerberos (1)
- Vulnerability in Kerberos password authentication via KDC AS spoofing: an attacker who answers the AS request returns a reply encrypted under the password he just typed, and a login program that only checks whether the reply decrypts accepts him. Fix: give the host a keytab file, register principals for the service, and verify the TGT by obtaining a ticket for the host's own principal and decrypting it with the keytab key (http://www.monkey.org/~dugsong/kdcspoof.tar.gz)
- Replay attacks: detected (client and server are time synchronized, and the server keeps a replay cache of recently seen authenticators)
- Exposed keys: keys have a limited lifetime but are multi-session keys
- Temporary file vulnerability: run krb5-1.2.1+
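The server-side checks behind the two slides above (the NAT issue and replay detection), as an added Python example that is not part of the deck or of MIT krb5. It works on the already-decrypted ticket and authenticator fields; the field names, the 300-second skew, the replay-cache design and every sample value (a client at 10.0.0.5 behind a NAT gateway seen as 192.0.2.1, an issue time of 1,000,000) are assumptions made for the example.

```python
"""Acceptance of an AP request once ticket and authenticator are decrypted:
lifetime, clock skew, replay cache and the host-address check that breaks
behind NAT.  Added example; field names, skew and sample values are assumptions."""
import ipaddress

CLOCK_SKEW = 300          # seconds of client/server drift tolerated (MIT's default)

class ReplayCache:
    """Remembers (client, ctime, cusec) of accepted authenticators for one skew
    window; anything older is rejected by the skew check before reaching the cache."""
    def __init__(self, skew=CLOCK_SKEW):
        self.skew, self.seen = skew, {}

    def check_and_store(self, cname, ctime, cusec, now):
        for key in [k for k, t in self.seen.items() if now - t > self.skew]:
            del self.seen[key]                      # expire old entries
        key = (cname, ctime, cusec)
        if key in self.seen:
            return False
        self.seen[key] = now
        return True

def address_allowed(ticket_addrs, client_ip):
    """An empty address list is an addressless ticket, accepted from anywhere."""
    if not ticket_addrs:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip == ipaddress.ip_address(a) for a in ticket_addrs)

def accept_ap_req(ticket, auth, client_ip, now, rcache, skew=CLOCK_SKEW):
    """Return (accepted, reason) for decrypted ticket and authenticator dicts."""
    if auth["cname"] != ticket["cname"]:
        return False, "authenticator client does not match ticket"
    if now < ticket["start"] - skew:
        return False, "ticket not yet valid"
    if now > ticket["end"] + skew:
        return False, "ticket expired"
    if abs(now - auth["ctime"]) > skew:
        return False, "clock skew too great"
    if not address_allowed(ticket.get("addrs", []), client_ip):
        return False, "request from address not in ticket"
    if not rcache.check_and_store(auth["cname"], auth["ctime"], auth["cusec"], now):
        return False, "replay detected"
    return True, "ok"

def demo():
    """Constructed values: an 8 h ticket issued at t=1,000,000 to a client at 10.0.0.5."""
    now = 1_000_000 + 60
    tkt = {"cname": "nico/engineering@COLT.CH", "sname": "host/bgp1.colt.ch@COLT.CH",
           "start": 1_000_000, "end": 1_000_000 + 8 * 3600, "addrs": ["10.0.0.5"]}
    auth = {"cname": tkt["cname"], "ctime": now - 2, "cusec": 4711}
    rc, results = ReplayCache(), {}
    results["fresh"] = accept_ap_req(tkt, auth, "10.0.0.5", now, rc)
    # the same authenticator captured and resent one second later
    results["replayed"] = accept_ap_req(tkt, auth, "10.0.0.5", now + 1, rc)
    # an authenticator built on a client whose clock is 10 minutes behind
    stale = dict(auth, ctime=now - 600, cusec=1)
    results["stale"] = accept_ap_req(tkt, stale, "10.0.0.5", now, rc)
    # a valid-looking authenticator presented after the ticket's end time
    results["expired"] = accept_ap_req(tkt, dict(auth, cusec=2), "10.0.0.5", tkt["end"] + 600, rc)
    # NAT: the ticket names the client's inside address, the server sees the gateway
    results["nat"] = accept_ap_req(tkt, dict(auth, cusec=3), "192.0.2.1", now, rc)
    patched = dict(tkt, addrs=["10.0.0.5", "192.0.2.1"])   # the NATed address added to the ticket
    results["nat_patched"] = accept_ap_req(patched, dict(auth, cusec=5), "192.0.2.1", now, rc)
    return results
```

The order of the checks matters: the cheap, stateless ones (names, lifetime, skew, address) run first so that the replay cache only ever stores authenticators that would otherwise have been accepted, which keeps it small and bounded by the skew window.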

Attacks against Kerberos (2)
- Password guessing: use a good passphrase
- Trojaned clients: use one-time passwords
- Implicit trust between realms
- Ticket forwarding
- Others: KDC compromise, shared workstations, ...

*NIX clients
- RedHat (6.2 and 7) provides Kerberos V support
  > Install patch RHSA-2001:025-14
- Solaris/OpenBSD only provide Kerberos IV

Kerberos V on *NIX clients (1)
- Authentication managed by the Kerberos API
- Authorizations defined in user files:
  > ~/.k5login - defines the principal(s) who can log into that account
  > ~/.k5users - defines commands that can be launched via ksu (sudo-like)
- PAM alternatives

Kerberos V on *NIX clients (2)
- Kerberized Telnet: available
- Kerberized SSH:
  > SSH.Com's SSH 1.2.x and 2.x support Kerberos V
  > OpenSSH (as of 2.5.1) doesn't yet support Kerberos V: http://www.sxw.org.uk/computing/patches/

Kerberos V on Cisco equipment (1)
- Cisco routers
  > Kerberized Telnet
  > Password authentication using Kerberos (telnet, SSH and console)
  > Can map instance to Cisco privilege level (locally defined)
- Cisco switches
  > Telnet only (SSH available as of 6.1 but w/o Kerberos support)

Kerberos V on Cisco equipment (2)
- IOS & memory issues on routers:
  > Feature name: Kerberos V client support
  > Needed feature set: at least Enterprise
  > Not supported on all hardware, for example:
    - Cisco 16xx router
    - Cisco GSR (12xxx - Gigabit Switch Router)
  > Memory requirements: hint: always check with the Cisco IOS Feature Navigator

Kerberos V on Cisco equipment (3)
- Router configuration:

    aaa authentication login default krb5-telnet local
    aaa authorization exec default krb5-instance
    kerberos local-realm COLT.CH
    kerberos srvtab entry host/bgp1.colt.ch@COLT.CH ...
    kerberos server COLT.CH 192.168.0.14
    kerberos instance map engineering 15
    kerberos instance map support 3
    kerberos credentials forward
    line vty 0 4
    ntp server 192.168.0.126

  > "krb5-telnet local": Kerberos first, local user database as the fallback when no ticket is presented
  > the instance maps give staff with the "engineering" instance privilege 15 and "support" privilege 3 when they log in
  > the NTP line is not optional: tickets and authenticators are rejected outside the allowed clock skew
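The principal naming scheme from the vocabulary slides, the ~/.k5login rule from the *NIX client slide and the router's "kerberos instance map" rule above, modelled in an added Python example (not MIT krb5 or IOS code, just the behaviour the slides describe). The realm, the two instances and their privilege levels are the ones on the slides; the users, the ~/.k5login contents, the privilege level 1 for unmapped instances and the refusal of foreign-realm principals are assumptions made here.

```python
"""Principal names on *NIX and Cisco: parse primary/instance@REALM, apply the
~/.k5login rule for local account access and the router's 'kerberos instance
map' rule for the exec privilege level.  Added example modelling the slides'
description; users, .k5login contents and the defaults are assumptions."""

def parse_principal(text, default_realm):
    """Return (primary, instance, realm); a backslash escapes '/' and '@' as in
    MIT krb5.  The instance may be empty; extra components stay joined with '/'."""
    comps, cur, realm, i = [], "", None, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):          # escaped character
            cur += text[i + 1]
            i += 2
            continue
        if realm is not None:                         # everything after '@'
            realm += c
        elif c in "/@":
            comps.append(cur)
            cur = ""
            if c == "@":
                realm = ""
        else:
            cur += c
        i += 1
    if realm is None:                                 # no '@': default realm
        comps.append(cur)
        realm = default_realm
    if not comps[0] or not realm:
        raise ValueError("malformed principal: " + text)
    return comps[0], "/".join(comps[1:]), realm

def cisco_privilege(principal, instance_map, local_realm, default=1):
    """'aaa authorization exec default krb5-instance': the instance of the
    authenticated principal selects the privilege level via the instance map.
    Assumptions: unmapped instances get `default`, foreign realms get nothing."""
    primary, instance, realm = parse_principal(principal, local_realm)
    if realm != local_realm:
        return None
    return instance_map.get(instance, default)

def k5login_allows(principal, local_user, k5login, default_realm):
    """~/.k5login lists one principal per line.  Without the file, only
    <local_user>@<default realm> with an empty instance maps onto the account."""
    wanted = parse_principal(principal, default_realm)
    if k5login is None:
        return wanted == (local_user, "", default_realm)
    return any(parse_principal(line.strip(), default_realm) == wanted
               for line in k5login.splitlines() if line.strip())

def demo():
    realm = "COLT.CH"
    instance_map = {"engineering": 15, "support": 3}   # the two maps on the slide
    k5login = "nico/engineering@COLT.CH\nkaneda@COLT.CH\n"   # constructed ~ops/.k5login
    return {
        "parsed": parse_principal("nico/engineering@COLT.CH", realm),
        "hostprinc": parse_principal("host/bgp1.colt.ch", realm),
        "escaped": parse_principal("ops\\/admin@COLT.CH", realm),
        "eng": cisco_privilege("nico/engineering@COLT.CH", instance_map, realm),
        "support": cisco_privilege("kaneda/support@COLT.CH", instance_map, realm),
        "plain": cisco_privilege("bob@COLT.CH", instance_map, realm),
        "foreign": cisco_privilege("nico/engineering@OTHER.ORG", instance_map, realm),
        "listed": k5login_allows("nico/engineering@COLT.CH", "ops", k5login, realm),
        "unlisted": k5login_allows("nico/support@COLT.CH", "ops", k5login, realm),
        "nofile_same": k5login_allows("ops@COLT.CH", "ops", None, realm),
        "nofile_inst": k5login_allows("ops/admin@COLT.CH", "ops", None, realm),
    }
```

Two things a practitioner should take from this: the instance is authorization data carried in an authenticated name, so whoever can create principals in the realm (the KDC administrators) decides who gets privilege 15 on every router; and without a ~/.k5login file, an instance such as ops/admin does not map onto the ops account, which is the whole point of separating a person's everyday and privileged principals.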

Kerberos V on Cisco equipment (4)
- CatOS & memory issues on switches:
  > At least Supervisor Engine Software Release 5.x
  > Only supported on Catalyst 4000, 5000 and 6000/6500
  > Only supported on SE I (not SE II) on Cat6K
  > Memory requirements: hint: always check the Release Notes

Kerberos V on Cisco equipment (5)
- Switch configuration:

    #kerberos
    set kerberos local-realm COLT.CH
    set kerberos clients mandatory
    set kerberos credentials forward
    set kerberos server COLT.CH 192.168.0.82 88
    set kerberos srvtab entry host/sw1.colt.ch@COLT.CH ...
    #authentication
    set authentication login kerberos enable telnet primary
    set authentication enable kerberos enable telnet primary
    #ntp
    set ntp client enable
    set ntp server 192.168.0.11

Kerberos V on Win2K stations (1)
- Provides Kerberos authentication for interactive logons
- The protocol is a Security Support Provider under the SSPI (Security Support Provider Interface) and is linked to the LSA (Local Security Authority)
- Ticket cache is provided by the LSA
- Telnetd supports Kerberos

Kerberos V on Win2K stations (2)
- Support Tools (ksetup)
- Win2K station configuration:

    ksetup /setdomain COLT.CH
    ksetup /addkdc COLT.CH kdc.colt.ch
    ksetup /setmachpassword password
    ksetup /mapuser user@COLT.CH localuser
    ksetup /mapuser * *

  > /setmachpassword must match the password of the workstation's host principal registered in the MIT KDC
  > /mapuser * * maps every principal of the realm onto the local account of the same name; only use it with a realm you fully trust
- Windows Time Service (+ registry) to keep the clock within the KDC's skew
- No kerberized SSH, only a few (broken) telnet clients

That's all folks :-)
- Latest version, goodies and additional information: http://www.securite.org/presentations/krb5/
- Q&A
Picture: http://www.inforamp.net/~dredge/funkycomputercrowd.html