Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Self Imposed Limitations of Kerberos Douglas E. Engert Argonne National Laboratory 08/04/04 COPYRIGHT STATUS: Documents authored by.

Published byBrianne Cooper Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Self Imposed Limitations of Kerberos Douglas E. Engert Argonne National Laboratory 08/04/04 COPYRIGHT STATUS: Documents authored by."— Presentation transcript:

1 1 Self Imposed Limitations of Kerberos Douglas E. Engert DEEngert@anl.gov Argonne National Laboratory 08/04/04 COPYRIGHT STATUS: Documents authored by Argonne National Laboratory employees are the result of work under U.S. Government contract W-31-109-ENG-38 and are therefore subject to the following license: The Government is granted for itself and others acting on its behalf a paid-up, nonexclusive, irrevocable worldwide license in these documents to reproduce, prepare derivative works, and perform publicly and display publicly by or on behalf of the Government.

2 2 Outsiders views n Kerberos has been too successful n Thousands of users in a realm n Hundreds of hosts in realm n What is the extended trust model n Once ticket is obtained or forwarded, if stolen it can compromise all the systems a user can access n Kerberos won’t work well across institutions

3 3 Trust n Trust in user’s workstation is low n Trust = 1/(Number of host) * 1/(Number of sites) * 1/(Diversity of security) * 1/(Number of users)

4 4 Why Kerberos is Limited n Single sign-on – Total reliance on user’s workstation n Delegated (forwarded) tickets as good as original èNo control by user of the use of delegated tickets èNo trace of hosts involved in delegation èNo good bindings to host on which it can be used »Channel bindings to IP in all but useless n No black-listing of tickets by KDC, especially with cross realm

5 5 What to do about trust of users workstation? n Better maintenance n Restricted operating systems n Boot from CD n Dumb terminals n Hardware token/smartcard/PDA/… does Kerberos for workstation

6 6 What can be done about Delegated tickets n User sets restrictions when doing kinit/login èLimit use of delegated tickets by sites/hosts/services èFurther delegation may impose further restrictions èKDC or end service needs to check restrictions before issuing or using tickets n Trace of hosts/sites involved in delegation included in ticket è Used to detect/prevent unusual activity n Real time feedback to user about use of tickets, for logging, or even permission to use.

7 7 Black Listing Tickets n Once a TGT is issued, it can continue to be used. èPrincipals can be disabled so no new tickets issued. èKDC could refuse to issue additional tickets. n What about issued cross-realm TGTs èCan one KDC/admin notify other KDCs to black list cross-realm TGTs? èKeep a log of active cross-realm TGTs so other KDCs can be contacted ASAP?

8 8 Conclusion n The WG has been deeply involved with protocol issues, but has neglected the problems of being so successful. n I believe that these issues can all be addressed which will improve the trust in the use of the protocol, and lead to its wider deployment.

9 9 The End

Download ppt "1 Self Imposed Limitations of Kerberos Douglas E. Engert Argonne National Laboratory 08/04/04 COPYRIGHT STATUS: Documents authored by."

Similar presentations

Proxy Certificate Profile Douglas E. Engert Argonne National Laboratory 12/14/2001 COPYRIGHT STATUS: Documents authored by Argonne National.

Proxy Certificate Profile Douglas E. Engert Argonne National Laboratory 12/14/2001 COPYRIGHT STATUS: Documents authored by Argonne National.
Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
HL7 CCOW Meeting, Sept. 2003 CCOW Support for Kerberos Problem Statement: Application is CCOW User Link-compliant and uses Kerberos to connect to back.

HL7 CCOW Meeting, Sept CCOW Support for Kerberos Problem Statement: Application is CCOW User Link-compliant and uses Kerberos to connect to back.
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.

Winter 2006Prof. R. Aviv: Kerberos1 Kerberos Authentication Systems.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
Authentication & Kerberos

Authentication & Kerberos
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
By Frank Minichini IS 373 Kerberos. Introduction Kerberos is a network authentication protocol used to securely send and receive nodes in communication.

By Frank Minichini IS 373 Kerberos. Introduction Kerberos is a network authentication protocol used to securely send and receive nodes in communication.

Similar presentations

Ads by Google