
1 ACCESS CONTROL MANAGEMENT Poonam Gupta Sowmya Sugumaran PROJECT GROUP # 3

2 Overview
- Goal of the project
- Project progress
- Closer look at the TGTs
- A few security issues in Kerberos
- Brief intro to Kerberos commands
- A few screen shots
- Immediate tasks ahead

3 Goal of the Project
The goal of the project is to allow clients to access the service servers in a secure and controlled manner using Kerberos.

4 Project Progress
- Installed Kerberos version 5
- Assigned password for pre-authentication
- Working on incorporating the SRP protocol in pre-authentication

5 Closer look at the TGT
TGT: Ticket-to-get-Ticket (exchanged between the client and the authentication server to get access to the Ticket Granting Server). There are 9 fields in a TGT request.
TGT Request Format, fields in the order shown on the slide:
- Version no.
- Msg Type ID
- Username
- Req. Ticket Instance
- Kerberos Realm
- Ts
- Req. Ticket Life-time
- Req. Service Instance
Field sizes as given on the slide: 1 byte, String, 4 bytes, 1 byte, String, string.

6 Contd.
- The server can't authenticate the TGT request packet
- An intruder can construct a similar-looking packet
- It can be indistinguishable from the legitimate packet

7 Contd.
- Kerberos authenticates the client by sending back an encrypted packet
- The packet is encrypted using the key derived from the user's password
- If the user enters the correct password upon logging in, the client can decrypt the packet to obtain the valid TGT
- Unauthorized users get random, useless bits

8 TGT Return Packet Format
Fields in the order shown on the slide:
- Session key
- Service Name
- Instance
- Realm
- TGT life-time
- Ver no.
- Encry. Ticket Length
- Encry. Ticket Block
- Ts
Field sizes as given on the slide: 8 bytes, String, 1 byte, Field, 74 bytes.
The Ticket Length and Ticket Block fields are encrypted using the key derived from the user's password.

9 In Enemy Hands
Prone to dictionary attack (password cracker):
- The intruder sends a fake TGT request and saves the encrypted TGT to a file
- He then trial-tests a candidate password P:
  1. Convert P to a DES key K: K = string-to-key(P)
  2. Decrypt the TGT with K and check whether the result is a valid TGT
  3. If so, P is the user's password

10 Timestamp in Pre-authentication
Including Ts during pre-authentication:
  C -> S: R, E_k{Ts}
  S -> C: E_k{TGT}
Drawback: this prevents an attacker from requesting a TGT, but it does not prevent an eavesdropper from capturing E_k{Ts} or E_k{TGT}.
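The slide shows the exchange but not what the KDC actually checks on receipt of E_k{Ts}. The following is an added example, not code from the presentation or from any Kerberos implementation: a toy KDC-side verifier that applies the three checks a real KDC performs on encrypted-timestamp pre-authentication (key possession, timestamp within the allowed clock skew, and no replay of an already-seen value). E_k{} is modelled as an HMAC tag over the timestamp rather than real encryption, string-to-key is stood in for by PBKDF2, and the realm, principal, skew value and passwords are constructed for the example. The skew check is also the reason slide 20's clock synchronization matters: a client whose clock drifts past the window is rejected exactly like an attacker replaying an old capture.

```python
import hashlib
import hmac
import os
import struct

# Constructed parameters for this example (not taken from the slides).
ALLOWED_SKEW_SECONDS = 300          # tolerance a KDC allows between client and KDC clocks
REALM = "EXAMPLE.LOCAL"             # placeholder realm name


def string_to_key(password, salt):
    """Derive the client's long-term key K from the password.
    Stand-in for Kerberos string-to-key (PBKDF2-HMAC-SHA256 here, a simplification)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)


def build_preauth(key, ts):
    """Client side: produce (R, E_k{Ts}).  E_k{} is modelled as an HMAC tag bound to
    the nonce R and the timestamp; it proves possession of K, which is all the KDC
    needs from this field.  Real Kerberos uses an encryption type instead."""
    r = os.urandom(8)
    ts_bytes = struct.pack(">Q", ts)
    tag = hmac.new(key, r + ts_bytes, hashlib.sha256).digest()
    return r, ts_bytes + tag


class PreauthVerifier:
    """KDC side: validates encrypted-timestamp pre-authentication."""

    def __init__(self, key_lookup, skew=ALLOWED_SKEW_SECONDS):
        self._key_lookup = key_lookup      # principal name -> long-term key, or None
        self._skew = skew
        self._replay_cache = {}            # (principal, R, Ts) -> time first seen

    def _prune(self, now):
        # Entries older than the skew window can never pass the skew check again,
        # so the replay cache only needs to remember one window's worth.
        stale = [k for k, seen in self._replay_cache.items() if now - seen > 2 * self._skew]
        for k in stale:
            del self._replay_cache[k]

    def verify(self, principal, r, blob, now):
        """Return (accepted, reason).  'now' is the KDC's own clock (seconds)."""
        key = self._key_lookup(principal)
        if key is None:
            return False, "unknown principal"
        ts_bytes, tag = blob[:8], blob[8:]
        expected = hmac.new(key, r + ts_bytes, hashlib.sha256).digest()
        # Constant-time compare: a wrong password yields a wrong tag, nothing else leaks.
        if not hmac.compare_digest(tag, expected):
            return False, "pre-authentication failed (wrong key)"
        ts = struct.unpack(">Q", ts_bytes)[0]
        if abs(now - ts) > self._skew:
            return False, "clock skew too great"
        self._prune(now)
        entry = (principal, r, ts)
        if entry in self._replay_cache:
            return False, "replay detected"
        self._replay_cache[entry] = now
        return True, "ok"


def run_demo():
    """Exercise the verifier on the four cases a defender cares about."""
    alice_key = string_to_key("correct horse battery", "alice@" + REALM)   # constructed
    wrong_key = string_to_key("password1", "alice@" + REALM)               # constructed guess
    kdc = PreauthVerifier({"alice": alice_key}.get)
    now = 1_000_000                                                        # constructed clock

    r, blob = build_preauth(alice_key, now)
    results = {
        "genuine": kdc.verify("alice", r, blob, now + 10),
        "replay": kdc.verify("alice", r, blob, now + 20),          # same R and Ts resent
        "stale": kdc.verify("alice", *build_preauth(alice_key, now - 600), now),
        "wrong_key": kdc.verify("alice", *build_preauth(wrong_key, now), now),
        "unknown": kdc.verify("mallory", r, blob, now),
    }
    return results


if __name__ == "__main__":
    for case, (ok, why) in run_demo().items():
        print(f"{case:10s} accepted={ok} ({why})")
```

Note what the example does not do: it never stops an eavesdropper from recording the genuine (R, E_k{Ts}) pair and guessing passwords against it offline, which is exactly the drawback the slide states and the reason the next slide turns to SRP.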

11 Solution: Stronger Cryptography
A variant of public-key cryptography: Secure Remote Password (SRP).
Properties:
- Resistant to dictionary attack
- Secure even if the password is of low entropy
- Only one password can be guessed per attempt in SRP-6
SRP can be incorporated into Kerberos v5 as a pre-authentication mechanism.

12 Getting the Tickets
- kinit forwards the request for a TGT to the KDC
- The KDC encrypts the TGT with the password-derived key and sends it back
- kinit has the following options:
  -l (lifetime)
  -f (forwardable tickets)
  -r (renewable life)

13 Listing the Tickets
klist lists the tickets of the authenticated user. The output of an unsuccessful authentication is:
  klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)

14 Contd.
klist provides:
- Information on all tickets
- Expiration time of each ticket
- Flags that apply to the ticket
Example:
  Ticket cache: /tmp/krb5cc_1234
  Valid starting       Expires
  29 Jul 98 11:25:47   30 Jul 98 12:25:42
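As an added example (not part of the presentation), here is a small parser for klist output of the shape shown on slides 13 and 14, usable from a monitoring script that wants to know whether a host still holds a valid ticket. It handles the "No credentials cache file found" case as an empty result and reports each ticket's state relative to a supplied clock. The sample text is constructed from the slide's two lines plus one extra line with a service-principal column, which real klist prints but the slide omits; that column is treated as optional.

```python
import re
from datetime import datetime

# Date layout as printed on the slide: "29 Jul 98 11:25:47"
KLIST_DATE_FMT = "%d %b %y %H:%M:%S"
_DATE = r"\d{1,2} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}"
# Two dates, then an optional service principal (absent on the slide).
_TICKET_LINE = re.compile(rf"^({_DATE})\s+({_DATE})(?:\s+(\S.*))?$")

# Constructed sample: the slide's lines plus one added ticket line with a principal.
SAMPLE_KLIST = """Ticket cache: /tmp/krb5cc_1234
Valid starting       Expires
29 Jul 98 11:25:47   30 Jul 98 12:25:42
29 Jul 98 11:25:47   29 Jul 98 21:25:47   host/server.example.local@EXAMPLE.LOCAL
"""

# The failure output quoted on slide 13.
SAMPLE_NO_CACHE = "klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)\n"


def parse_klist(text):
    """Return (cache_path_or_None, [ticket dicts]) from klist-style output."""
    cache = None
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("klist: No credentials cache file found"):
            return None, []                       # not authenticated: nothing to list
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_LINE.match(line)
        if m:
            tickets.append({
                "valid_starting": datetime.strptime(m.group(1), KLIST_DATE_FMT),
                "expires": datetime.strptime(m.group(2), KLIST_DATE_FMT),
                "service": m.group(3),            # None when the column is absent
            })
    return cache, tickets


def ticket_state(ticket, now):
    """Classify one ticket against the clock 'now'; returns (state, seconds_remaining)."""
    if now < ticket["valid_starting"]:
        return "not yet valid", 0
    if now >= ticket["expires"]:
        return "expired", 0
    return "valid", int((ticket["expires"] - now).total_seconds())


def any_valid(text, now):
    """True if the klist output shows at least one ticket usable at 'now'."""
    _, tickets = parse_klist(text)
    return any(ticket_state(t, now)[0] == "valid" for t in tickets)


if __name__ == "__main__":
    clock = datetime(1998, 7, 30, 0, 0, 0)        # constructed clock between the two expiries
    cache, tickets = parse_klist(SAMPLE_KLIST)
    print("cache:", cache)
    for t in tickets:
        print(t["service"] or "(no principal column)", ticket_state(t, clock))
```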

15 Changing Kerberos Password
kpasswd is used for changing Kerberos passwords:
  kpasswd: Changing password
  Old password: your_old_password
  kpasswd: your_new_password
  New password (again): your_new_password
  Kerberos password changed

16-18 [screen shots; no transcript text]

19 Immediate Tasks Ahead
- Clock synchronization
- Setting the master key

20 Clock Synchronization
- All clocks within the organization must be synchronized
- Very important: protects against replay attack
- Possible solution: install a time server on one machine and have all clients synchronize their clocks with this machine

21 Setting the Master Key
- The database master key protects the database from accidental disclosure
- It is derived from a pass phrase and stored in a stash file
- Don't back up the stash file when backing up the database to tape
Prompts shown when setting it:
  Master key:
  Verifying password - Master key:

22 References
- http://en.wikipedia.org/wiki/Kerberos_(protocol)
- http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/wu.pdf

23 Thank You!
