Doc.: IEEE 802.11-00/292 Submission, September 2000, Bob Beach and Jesse Walker. Slide 1: An Overview of the GSS-API and Kerberos. Bob Beach, Symbol Technologies.

Presentation transcript:

Slide 1: An Overview of the GSS-API and Kerberos
Bob Beach, Symbol Technologies
Jesse Walker, Intel Corporation

Slide 2: Purpose
Provide the background needed to understand and evaluate the Symbol/Intel proposal to base security services on the GSS-API

Slide 3: Agenda
What is the GSS-API?
GSS-API Mechanisms

Slide 4: What is the GSS-API? (1)
Generic Security Services Applications Programming Interface, defined by RFC 2743
– RFC 2744 gives the standard 'C' bindings, RFC 2853 the Java bindings
– but we will use it as an abstract service interface
The GSS-API interface is implemented by GSS-API mechanisms
– each mechanism is a security system
– the interface is independent of the mechanisms

Slide 5: What is the GSS-API? (2)
Credentials Management
– GSS_Acquire_cred, GSS_Release_cred, GSS_Add_cred, etc.
Context Management
– GSS_Init_sec_context, GSS_Accept_sec_context, GSS_Delete_sec_context, GSS_Inquire_context, GSS_Context_time, etc.
Per-Message Calls
– GSS_Wrap, GSS_Unwrap, etc.
Support Calls
– GSS_Import_name, GSS_Export_name, GSS_Display_status, etc.

Slide 6: The GSS-API Model
Step 1: Establish a security context
Step 2: Use the established security context to secure message exchanges

Slide 7: Establishing a Security Context (message sequence between Initiator and Responder)
Initiator: GSS_Init_sec_context(Peer ID), sends Authentication Token + Continue
Responder: GSS_Accept_sec_context, sends Authentication Token + OK
Initiator: GSS_Init_sec_context, returns OK

Slide 8: Using a Security Context (Peer 1 and Peer 2)
Peer 1: GSS_Wrap turns Data into Wrapped Data, which is sent to Peer 2
Peer 2: GSS_Unwrap turns the Wrapped Data back into Data

Slide 9: Agenda
What is the GSS-API?
GSS-API Mechanisms

Slide 10: Some GSS-API Mechanisms
SPNEGO (RFC 2478): negotiates the other mechanisms
Kerberos (RFC 1510, RFC 1964): centralized key server based on shared secrets
SPKM (RFC 2025): 1- and 2-way public-key based authentication
LIPKEY (RFC 2847): one-way authentication a la SSL; a species of SPKM
SRP (draft-ietf-cat-srpgm-xx.txt): secure remote password; a species of SPKM
SASL (draft-ietf-cat-sasl-gssapi-xx.txt): one-time password
PKINIT (draft-ietf-cat-kerberos-pk-init-xx.txt): use a public key to register a secret with the Kerberos KDC

Slide 11: SPNEGO (message sequence between Initiator and Responder)
Initiator: GSS_Init_sec_context, offers Kerberos, SRP, SPKM + Continue
Responder: GSS_Accept_sec_context, answers Kerberos + OK
Initiator: GSS_Init_sec_context, returns OK

Slide 12: What is Kerberos?
Authentication and key distribution protocol
Developed in the late 1980s; the latest version is Rev 5, RFC 1510; RFC 1964 fits it into the GSS-API framework
Default authentication protocol for Windows 2000 domain login
Widely deployed in UNIX shops

Slide 13: How does Kerberos work?
Three major elements:
– Principal: a user or system (username, password)
– Services (FTP, , telnet, RF services)
– Key Distribution Center (KDC): maps principals to keys
Three-step model:
– the user mutually authenticates with the KDC (KRB_AP_REQ/KRB_AP_REP exchange)
– the KDC issues the user an authorization to access a service (KRB_TGT_REQ/KRB_TGT_REP exchange)
– the user gains access to the service by presenting the authorization

Slide 14: User Authentication
The KRB_AP_REQ message asks the KDC for access to the Ticket Granting Service
The KDC creates a unique authentication key for authenticating the user to the Ticket Granting Service, encrypts it under the user's password, and sends it back to the user in the KRB_AP_REP message
The user decrypts the message and gains access to the authentication key. The password is never sent over the airwaves

Slide 15: Issuing Authorization
KRB_TGT_REQ asks for authorization to a particular service
– the message is protected with the authentication key returned by the KDC in the KRB_AP_REP message
The KDC decrypts the message and examines the request. If the request is OK, the KDC creates a session key to be used between the user and the service.
KRB_TGT_REP from the KDC contains two copies of the session key, one encrypted under the user's authentication key and the other under the service's

Slide 16: Gaining Access to the Service
The user decrypts the KRB_TGT_REP message to get the session key and a "ticket" for the server
The user prepares and sends a token to the server containing the "ticket" plus other information encrypted under the session key
The service decrypts the "ticket" using its own authentication key, received from the KDC, and gains access to the session key
The service decrypts the rest of the request and processes it
The service sends a reply to the user to authenticate itself

Slide 17: Kerberos as used by GSS-API (message sequence among Initiator, Responder and KDC)
Initiator: GSS_Init_sec_context; exchanges KRB_AP_REQ / KRB_AP_REP and then KRB_TGT_REQ / KRB_TGT_REP with the KDC, then sends Ticket, Authenticator + Continue to the Responder
Responder: GSS_Accept_sec_context, sends Authenticator + OK
Initiator: GSS_Init_sec_context, returns OK
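As an added example that is not part of the original deck, the following Python simulates the two-step GSS-API model of slides 6 to 8 (establish a context, then wrap and unwrap data) with a toy Kerberos-style mechanism that follows the message flow of slides 13 to 17: the KDC hands out an authentication key under the user's password-derived key, issues two copies of a session key (one for the user, one inside the service's ticket), and the service proves itself back to the initiator. The symmetric cipher is a constructed stand-in (SHA-256 keystream with an HMAC tag), not a Kerberos encryption type, and the principal names, keys, timestamps and the `CONTINUE`/`COMPLETE` status values are all constructed for the demo rather than taken from RFC 1964 or RFC 2744.

```python
"""Added example, not from the slide deck: the GSS-API model of slides 6-8 (establish a context,
then wrap/unwrap) driven by a toy Kerberos-style mechanism following slides 13-17. The cipher is a
constructed stand-in (SHA-256 keystream + HMAC tag), not a Kerberos encryption type; all names,
keys and timestamps are constructed for the demo."""
import hashlib, hmac, json, os

CONTINUE, COMPLETE = "CONTINUE_NEEDED", "COMPLETE"   # stand-ins for the GSS major status codes
SVC = "ftp/host.example"                             # constructed service principal name

def _xor(key, nonce, data):
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, obj):   # encrypt-then-MAC of a JSON-serialisable dict (toy construction)
    nonce = os.urandom(16)
    body = _xor(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    """Check the tag before using the ciphertext: a wrong key or a tampered blob raises."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(_xor(key, nonce, body))

class KDC:
    """Maps principals to keys (slide 13); issues the TGT (slide 14) and service tickets (slide 15)."""
    def __init__(self, principals):
        self.keys, self.tgs_key = dict(principals), os.urandom(32)
    def ap_exchange(self, user):
        auth_key = os.urandom(32)   # fresh key for talking to the Ticket Granting Service
        tgt = encrypt(self.tgs_key, {"user": user, "auth_key": auth_key.hex()})
        return encrypt(self.keys[user], {"auth_key": auth_key.hex(), "tgt": tgt.hex()})
    def tgt_exchange(self, tgt, request):
        t = decrypt(self.tgs_key, tgt)
        auth_key = bytes.fromhex(t["auth_key"])
        req = decrypt(auth_key, request)   # the request must be protected with the auth key
        sk = os.urandom(32)   # two copies leave the KDC: one under the auth key, one inside the ticket
        ticket = encrypt(self.keys[req["service"]], {"user": t["user"], "session_key": sk.hex(), "expires": req["now"] + 300})
        return encrypt(auth_key, {"session_key": sk.hex(), "ticket": ticket.hex()})

class Initiator:
    def __init__(self, kdc, user, password, service, now):
        self.kdc, self.user, self.service, self.now = kdc, user, service, now
        self.key = hashlib.sha256(password.encode()).digest()   # stand-in for Kerberos string-to-key
        self.session_key = None
    def init_sec_context(self, token_in=None):
        if self.session_key is None:   # first call: the KDC exchanges of slide 17
            ap = decrypt(self.key, self.kdc.ap_exchange(self.user))   # wrong password -> ValueError
            auth_key = bytes.fromhex(ap["auth_key"])
            req = encrypt(auth_key, {"service": self.service, "now": self.now})
            rep = decrypt(auth_key, self.kdc.tgt_exchange(bytes.fromhex(ap["tgt"]), req))
            self.session_key = bytes.fromhex(rep["session_key"])
            auth = encrypt(self.session_key, {"user": self.user, "ts": self.now})
            return {"ticket": rep["ticket"], "authenticator": auth.hex()}, CONTINUE
        reply = decrypt(self.session_key, bytes.fromhex(token_in["ap_rep"]))   # service's proof (slide 16)
        if reply["ts"] != self.now:
            raise ValueError("service did not prove knowledge of the session key")
        return None, COMPLETE

class Acceptor:
    def __init__(self, service_key, now, skew=300):
        self.key, self.now, self.skew, self.session_key = service_key, now, skew, None
    def accept_sec_context(self, token_in):
        t = decrypt(self.key, bytes.fromhex(token_in["ticket"]))   # own key, shared with the KDC
        sk = bytes.fromhex(t["session_key"])
        a = decrypt(sk, bytes.fromhex(token_in["authenticator"]))
        if a["user"] != t["user"] or self.now > t["expires"] or abs(self.now - a["ts"]) > self.skew:
            raise ValueError("ticket or authenticator rejected")
        self.session_key = sk
        return {"ap_rep": encrypt(sk, {"ts": a["ts"]}).hex()}, COMPLETE

def wrap(ctx_key, data): return encrypt(ctx_key, {"data": data})   # GSS_Wrap stand-in (slide 8)
def unwrap(ctx_key, blob): return decrypt(ctx_key, blob)["data"]   # GSS_Unwrap stand-in

def establish(initiator, acceptor):
    """Application loop of slide 7: pass tokens back and forth while the status is Continue."""
    token, status = initiator.init_sec_context()
    while status == CONTINUE:
        token, status = acceptor.accept_sec_context(token)
        token, status = initiator.init_sec_context(token)
    return initiator.session_key == acceptor.session_key

def _rejects(fn):
    try: fn(); return False
    except ValueError: return True

def demo(now=1_000_000):
    """Constructed scenario: a good login, a wrong password and a tampered ticket."""
    svc_key = os.urandom(32)
    kdc = KDC({"alice": hashlib.sha256(b"correct horse").digest(), SVC: svc_key})
    init, acc = Initiator(kdc, "alice", "correct horse", SVC, now), Acceptor(svc_key, now)
    out = {"established": establish(init, acc)}
    out["wrap_roundtrip"] = unwrap(acc.session_key, wrap(init.session_key, "hello")) == "hello"
    out["wrong_password_rejected"] = _rejects(Initiator(kdc, "alice", "wrong", SVC, now).init_sec_context)
    token, _ = Initiator(kdc, "alice", "correct horse", SVC, now).init_sec_context()
    bad = bytearray(bytes.fromhex(token["ticket"])); bad[20] ^= 1   # flip one ciphertext bit
    out["tampered_ticket_rejected"] = _rejects(lambda: Acceptor(svc_key, now).accept_sec_context({**token, "ticket": bad.hex()}))
    return out
```

The `establish` loop is the part an application actually writes against the GSS-API: it never looks inside the tokens, it only feeds each side's output to the other until the status stops being Continue, which is what lets the mechanism (Kerberos here, SPKM or SRP on the later slides) be swapped without touching the application. The `demo` function also exercises the two failure paths a deployment relies on: a wrong password cannot decrypt the KDC's reply, and a ticket altered in transit fails the service's integrity check before any field of it is trusted.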

Slide 18: PKINIT + Kerberos (message sequence among Initiator, Responder and KDC)
Initiator: GSS_Init_sec_context; exchanges KRB_TGT_REQ / KRB_TGT_REP with the KDC (no KRB_AP_REQ / KRB_AP_REP exchange is shown), then sends Ticket, Authenticator + Continue to the Responder
Responder: GSS_Accept_sec_context, sends Authenticator + OK
Initiator: GSS_Init_sec_context, returns OK

Slide 19: SPKM (message sequence between Initiator and Responder)
Initiator: GSS_Init_sec_context, sends SPKM parameters, n + Continue
Responder: GSS_Accept_sec_context, sends Sig, SigCert, CryptCert + Continue
Initiator: GSS_Init_sec_context, sends Crypt(K) + OK
Responder: GSS_Accept_sec_context, returns OK

Slide 20: SRP (message sequence between Initiator and Responder)
Responder database: username, $x = g^{h(s,\text{password})}$, $s$
Initiator: GSS_Init_sec_context, sends username, $g^a$ + Continue
Responder: GSS_Accept_sec_context, sends $g^b + x$, $s$, $n$ + Continue
Initiator: GSS_Init_sec_context, computes $K = ((g^b + x) - x)^{a + n\,h(s,\text{password})}$ and sends Hash1(K) + Continue
Responder: GSS_Accept_sec_context, computes $K = g^{ab}\, x^{nb}$ and sends Hash2(K) + OK
Initiator: GSS_Init_sec_context, returns OK
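The SRP exchange on slide 20, written out as an added example with both sides' messages and both K computations; this is not code from the deck or from the SRP draft it cites. The group $(P, G)$ is a constructed demo choice (the Mersenne prime $2^{127}-1$, large enough for the algebra but not a real-world group), $h(s, \text{password})$ is SHA-256 over salt and password reduced into the exponent range, Hash1 and Hash2 are SHA-256 under distinct labels, and the username, password and salt are constructed.

```python
"""Added example, not from the slide deck: the SRP exchange of slide 20 with both sides'
messages and both K computations. (P, G) is a constructed demo group, not an RFC 5054 group;
Hash1/Hash2 are SHA-256 under distinct labels; h(s, password) is SHA-256 of salt and password.
Usernames, passwords and salts are constructed."""
import hashlib, hmac, os, secrets

P = 2**127 - 1   # Mersenne prime M127: enough for the algebra, far too small for real use
G = 3

def h(s: bytes, password: str) -> int:
    """h(s, password) from the slide, reduced into the exponent range of the group."""
    return int.from_bytes(hashlib.sha256(s + b"|" + password.encode()).digest(), "big") % (P - 1)

def proof(label: bytes, K: int) -> bytes:
    return hashlib.sha256(label + K.to_bytes(16, "big")).digest()   # Hash1(K) / Hash2(K)

class Responder:
    """Holds the slide's database: username -> (x = g^h(s,password), s). No password is stored."""
    def __init__(self):
        self.db = {}
    def register(self, username: str, password: str) -> None:
        s = os.urandom(16)
        self.db[username] = (pow(G, h(s, password), P), s)
    def accept_1(self, username: str, g_a: int):
        self.x, s = self.db[username]
        self.g_a = g_a
        self.b, self.n = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        return (pow(G, self.b, P) + self.x) % P, s, self.n           # message: g^b + x, s, n
    def accept_2(self, hash1: bytes) -> bytes:
        self.K = pow(self.g_a, self.b, P) * pow(self.x, self.n * self.b, P) % P   # K = g^ab * x^nb
        if not hmac.compare_digest(hash1, proof(b"1", self.K)):
            raise ValueError("initiator did not prove knowledge of the password")
        return proof(b"2", self.K)                                    # message: Hash2(K)

class Initiator:
    def __init__(self, username: str, password: str):
        self.username, self.password, self.a = username, password, secrets.randbelow(P - 2) + 1
    def init_1(self):
        return self.username, pow(G, self.a, P)                       # message: username, g^a
    def init_2(self, gb_plus_x: int, s: bytes, n: int) -> bytes:
        hp = h(s, self.password)
        x = pow(G, hp, P)                                             # recompute x from the password
        self.K = pow((gb_plus_x - x) % P, self.a + n * hp, P)         # K = ((g^b + x) - x)^(a + n*h)
        return proof(b"1", self.K)                                    # message: Hash1(K)
    def init_3(self, hash2: bytes) -> None:
        if not hmac.compare_digest(hash2, proof(b"2", self.K)):
            raise ValueError("responder did not prove knowledge of the verifier")

def run_exchange(responder: Responder, username: str, typed_password: str) -> bool:
    """Drive the five GSS calls of slide 20; True when both proofs verify and the keys agree."""
    i = Initiator(username, typed_password)
    user, g_a = i.init_1()                                 # GSS_Init_sec_context   -> Continue
    gb_plus_x, s, n = responder.accept_1(user, g_a)        # GSS_Accept_sec_context -> Continue
    hash2 = responder.accept_2(i.init_2(gb_plus_x, s, n))  # Init -> Continue, Accept -> OK
    i.init_3(hash2)                                        # GSS_Init_sec_context   -> OK
    return i.K == responder.K

def demo() -> dict:
    r = Responder()
    r.register("alice", "correct horse")                   # constructed credential
    out = {"correct_password": run_exchange(r, "alice", "correct horse")}
    try:
        run_exchange(r, "alice", "wrong password")
        out["wrong_password_rejected"] = False
    except ValueError:
        out["wrong_password_rejected"] = True
    return out
```

The two K formulas agree because $x^{nb} = g^{h\,n\,b}$, so the responder's $g^{ab} x^{nb} = g^{b(a + nh)}$, and stripping $x$ from $g^b + x$ leaves the initiator with $(g^b)^{a + nh}$, the same value. With a wrong password the initiator recomputes a different $x$, the subtraction no longer yields $g^b$, and Hash1(K) fails at the responder, which is what the `wrong_password_rejected` branch of `demo` shows; the responder never holds the password itself, only the verifier $x$ and the salt.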

Slide 21: Conclusions
GSS-API is
– a simple, well-defined interface
– widely deployed and well-tested
Kerberos is
– simple to implement
– a GSS-API mechanism providing mutual authentication and key distribution
– widely deployed and well-tested

Slide 22: Feedback?