Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006."— Presentation transcript:

1 Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006

2 METACentre Project Czech nation-wide Grid activity Infrastructure for distributed and high performance computing Major computing centres in the country Security architecture based on Kerberos (Co)-Authored a few Kerberos solutions (SSH, Web authN) Partner of international Grid projects (EGEE2)

3 PKI Overview Asymmetric cryptography Each user has a key-pair consisting of a public and private key Private key kept secred, public key spread among other users Digital signatures Private key used to generate digital signatures Public key used to verify the signature Similarly encryption

4 PKI - CAs How to get a correct public key? Independent identity providers – Certification authorities Digital certificates (X.509) Public key, key owner identity, validity, other auxiliary information signed by the CA key Only the CA key is distributed across the comunity Certificate revocation Building a trusted CA is a political and organizational problem not a technical issue

5 Kerberos vs. PKI Symmetric vs. asymmetric cryptography Performace Tickets vs. Certificates Similar concept Issued by identity providers Online KDC vs. offline CA Think of revocations (OCSP) Password vs. Private key Long-term private keys must be stored on disk, are maintaned by the user In real-word deployment many weakness in key management Revocation mechanism Not needed for Kerberos, can be source of troubles for PKI Scalability KDC must register every user Long-term digital signatures Email signing, encrypting is very common using PKI Message level security

6 Kerberos and PKI Combining PKI and Kerberos PKI is requested by large Grid projects We have never wanted to abandon Kerberos Credential conversions PKI to Kerberos Kerberos to PKI

7 PK-INIT IETF specification (draft) Adding public key based authentication to the AS_REQ/AS_REP messages Using pre-authentication mechanism PK-INIT only affects the initial authN step rest of the protocol is untouched (and transparent for the end services).

8 PK-INIT Protocol Client sends a public key (certificate) and signature KDC verifies the certificate (public key) and signature and check the request Public key must be bound to the client principal The KDC reply isn‘t encrypted with a principal key from the DB but with a new symmetric key The symmetric key is encrypted using the public key (or DH) The client verifies the reply, gets the key, decrypts the reply From this moment on the client proceeds as usual TGT can be used to ask other tickets

9 PK-INIT Implementation We implemented a first version the PK- INIT specs for Heimdal Accepted by Heimdal In production use in METACentre Support for Grid proxy certificates Integration with the user management system

10 PK-INIT and Smart Cards OpenSSL Engine Allows to use devices through #PKCS11 OpenSC framework iKey3000 USB token Combination of smart card and reader Currently distributing among users Works both on Unix and Windows

11 Smart Card Access kinit PKCS11 Engine Module OpenSSL Libs OpenSSL Engine Heimdal libs PKCS11 library Token configurable

12 Travelkits Unix Standard krb5 tools from the distribution PK-INIT enabled kinit command and auxiliary files (CA certificates) - rpm, deb MS Windows Standard Kerberos for Windows PK-INIT enabled kinit command etc. Part of Heimdal ported to Windows Kerberos enabled Putty and WinSCP clients

13 Kerberos to PKI Given a Kerberos ticket create a certificate and private key Easy access to the Grid, or other PKI based services (www) CA Creating certificates for Kerberos tickets Operating online Short-time certificates Private key can be unencrypted

14 Kerberos CA kCA Used in the Grid community (Fermilab) kx509, kpkcs11 MyProxy Very common service in Grid world On-line credential repository Latest versions support also CA mode

15 MyProxy 1. Client generates a new key-pair 2. Sends a CSR to the MyProxy server Connection secured by Kerberos 3. MyProxy server returns a signed certificate Using LDAP to map Kerberos principal to subject name Lifetime is copied from the ticket 4. Client stores credential on disk Generated private key and received certificate

16 PKI to Kerberos Credentials are stored in „Grid“ format Can be used by standard grid commands Other applications must be configured kpkcs11 library for PKCS11 aware apps Using the Windows certificate repository Conversions can be run transparently Login script on UI machines

17 Conclusions PKI and Kerberos can cooperate Multi-mechanim SSO possible

Download ppt "Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006."

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.

Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.

Similar presentations

Ads by Google