  1. Network Security and Kerberos
     Project Team: Tweety
     Member: Arlene S. Yetnikoff
  2. Topics of Discussion
     - General Network Security
     - Introduction to Kerberos
  3. Network Objectives
     - Message received as sent
     - Delivery on time
     - Message protected as needed
  4. Network Security: Challenges
     [diagram: access paths PREVIOUS (Application, System Software, Access) versus PRESENT ("Access here!" at every point, including the Network)]
  5. Network Risks
     - Integrity: completeness, accuracy
     - Confidentiality: authentication, authorization
     - Availability
     - Relevance
     - Infrastructure
  6. Authentication
     - Something you know
     - Something you have
     - Something you are
  7. Passwords
     - Can be made secure in a stand-alone environment
     - Subject to sniffing attacks when used over a network
     - Network password solutions often include encryption techniques
  8. Encryption Techniques
     - Symmetric - Secret Key: the same key for encryption and decryption. Tends to be fast and is good for data encryption. However, the key management issues associated with secret key can be significant.
       e.g. DES = Data Encryption Standard
  9. Encryption Techniques
     - Asymmetric - Public/Private Key: a publicly known key for encryption and a private key for decryption (or vice versa). Tends to be slow and is generally only useful for encrypting small amounts of data (such as passwords, PINs and symmetric keys).
       e.g. RSA = Rivest, Shamir, Adleman; PGP = Pretty Good Privacy (Phil Zimmermann)
  10. Public Key Encryption
     [diagram: User A encrypts the message with User B's public key; User B decrypts the encrypted message with User B's private key]
     - Only User B can read the message.
  11. Digital Signatures
     [diagram: User A encrypts the message or data with User A's private key; User B decrypts it with User A's public key and obtains the confirmed message or data]
     - Anyone can read the message.
     - Non-repudiation - can only have come from User A.
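The two diagrams above (public-key encryption and digital signatures) carried through in code, as an added example that is not part of the slides: textbook RSA over Python's built-in big integers, with the symmetric key being sent and the message being signed both constructed here. The primes are fixed Mersenne primes (M89, M607 for User A; M127, M521 for User B) chosen only to keep the example self-contained and deterministic; a real key pair uses random primes and padding, so this is an illustration of the diagrams, not a usable cipher.

```python
import hashlib

E = 65537  # public exponent; coprime with phi(n) for the primes used below

def keygen(p: int, q: int, e: int = E):
    """Textbook RSA key pair: (n, e) is published, (n, d) is kept private."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def encrypt_for(pub, secret: bytes) -> int:
    """Slide 10: anyone can encrypt with B's public key, but only the holder of
    B's private key recovers the plaintext. As the slides note, asymmetric
    encryption is used for small data such as a symmetric key."""
    n, e = pub
    m = int.from_bytes(secret, "big")
    assert 0 < m < n, "textbook RSA: message must be smaller than the modulus"
    return pow(m, e, n)

def decrypt_with(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)

def sign(priv, data: bytes) -> int:
    """Slide 11: A 'encrypts' a hash of the data with A's private key."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    """Anyone can check with A's public key. A match means the data is unaltered
    and was signed by whoever holds A's private key (non-repudiation)."""
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def demo() -> dict:
    """Runs both diagrams and reports what each party observed (all True when correct)."""
    a_pub, a_priv = keygen(2**89 - 1, 2**607 - 1)    # User A's pair (constructed primes)
    b_pub, b_priv = keygen(2**127 - 1, 2**521 - 1)   # User B's pair (constructed primes)
    session_key = bytes(range(16))                   # constructed 128-bit symmetric key
    c = encrypt_for(b_pub, session_key)              # A -> B, under B's public key
    msg = b"transfer 100 to account 42"              # constructed message A signs
    sig = sign(a_priv, msg)
    return {
        "b_recovers_key": decrypt_with(b_priv, c).to_bytes(16, "big") == session_key,
        "a_cannot_read": decrypt_with(a_priv, c) != int.from_bytes(session_key, "big"),
        "signature_valid": verify(a_pub, msg, sig),
        "tampered_rejected": not verify(a_pub, b"transfer 900 to account 42", sig),
        "forged_rejected": not verify(a_pub, msg, sign(b_priv, msg)),  # B cannot sign as A
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The `a_cannot_read` and `forged_rejected` entries are the defender's view of the two diagrams: possession of the matching private key is what decides who can read, and who could have signed.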
  12. Kerberos - What Is It?
     - Authentication service developed by MIT to allow users and services to authenticate
     - Designed for client/server environments
     - Uses secret key cryptography - Data Encryption Standard (DES)
  13. Why Is It Needed?
     - Authentication across a network to normal services sends clear-text passwords, capable of being discovered in a sniffing attack
     - Users are annoyed at having to type passwords in often
     - Services were developed, such as rlogin, rsh and IDENT, which used "authentication by assertion"
  14. Kerberos Authentication
     - Kerberos Authentication Server issues user a "ticket"
     - User requests a remote service
     - Remote service looks at ticket to verify who the user is
  15. Kerberos - How It Works
     - Both user and service must have "keys" registered with the Kerberos Authentication Server
     - User's key is derived from a password he chooses
  16. Kerberos Session
     - kinit - call to initially set up ticket; prompts for password
     - telnet - call to kerberized client
  17. [diagram: Client <-> Key Distribution Center (Authentication Server, Ticket Granting Server) <-> Service. The client's kinit request carries the user login name and IP address; auth info is exchanged between client, KDC and service. Keys shown: Kerberos key, user key, server session key, TGT key, service secret key]
  18. Kerberos - How It Works: Initialization
     - User requests a Kerberos "Ticket Granting Ticket" (TGT) by running kinit
     - kinit builds a request which has:
       - user login name
       - client machine IP address
       - name of ticket - here it is krbtgt, the Kerberos ticket-granting ticket
     - Kerberos looks in its database to see if user is allowed to request a TGT on this host
  19. Kerberos - How It Works: Initialization
     - Kerberos sends user a message which contains two copies of the ticket:
       - One copy is encrypted with Kerberos' secret key
       - One copy is in plain text
     - Entire message is encrypted with user's key
     - kinit client process receives message and decrypts it based on the password the user typed in
  20. Kerberos - How It Works: Initialization
     - If the message decrypts correctly, kinit puts the TGT into /tmp/tktuid where uid is user's user ID
     - kinit uses session key in the TGT to encrypt an "authenticator" consisting of principal name, IP address of client machine and current time
  21. Kerberos - How It Works: Service Request
     - User requests service, telnet, for example
     - kerberized telnet client sends a request to Kerberos server containing the TGT stored in /tmp/tktuid and the authenticator
     - Kerberos uses its secret key to decrypt the TGT, extracts the session key from the TGT and decrypts the authenticator
  22. Kerberos - How It Works: Service Request
     - To validate the user:
       - Kerberos compares the contents of the authenticator to the contents of the TGT
       - Kerberos compares the expiration timestamp in the authenticator to the current time
     - Kerberos builds a session key for the telnet session, and makes two copies:
       - one encrypted with TGT
       - one encrypted with telnetd's key
  23. Kerberos - How It Works: Service Request
     - Session key sent to user
     - telnet client uses the TGT key to decrypt the session key, and adds ticket to Kerberos ticket file
     - telnet client builds an authenticator for the ticket, encrypts it with the session key, and sends the ticket (which was encrypted with telnetd's key) and the authenticator to the telnetd service
  24. Kerberos - How It Works: Service Request
     - telnetd service decrypts ticket with its secret key to get the session key
     - telnetd service uses session key to decrypt authenticator
     - if information in ticket and authenticator agree, telnetd sends back a message to the user and the session begins
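The initialization and service-request exchange of slides 18 to 24, carried through end to end in code as an added example (not MIT's implementation). Both sides of each message are modelled: the KDC seals the TGT with Kerberos' own key, the user's reply is readable only with the key derived from the typed password, the authenticator is checked against the ticket and against the clock, and telnetd opens its ticket with its own secret key. The cipher is a stand-in for DES (an HMAC-SHA256 keystream plus an HMAC tag, so a wrong key or a tampered message fails to decrypt); the password-to-key derivation, the principal `alice`, the host `10.0.0.5`, the service name `telnetd/host.example`, the ticket lifetime and the clock-skew window are all constructed for the example.

```python
import hashlib, hmac, json, secrets

CLOCK_SKEW = 300        # seconds an authenticator timestamp may differ from the KDC clock (constructed)
TICKET_LIFE = 8 * 3600  # constructed ticket lifetime in seconds

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key: bytes, obj) -> bytes:
    """Stand-in for DES: authenticated stream cipher built from HMAC-SHA256."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    """Raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password: str) -> bytes:
    # User key derived from the chosen password (constructed; not MIT's string-to-key).
    return hashlib.sha256(b"toy-krb|" + password.encode()).digest()

def validate(ticket: dict, auth: dict, now: int) -> None:
    """Slide 22 checks: authenticator agrees with ticket, timestamp is current, ticket unexpired."""
    if (auth["principal"], auth["ip"]) != (ticket["principal"], ticket["ip"]):
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["time"]) > CLOCK_SKEW:
        raise PermissionError("authenticator timestamp stale (possible replay)")
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")

def make_authenticator(session_key: bytes, principal: str, ip: str, now: int) -> bytes:
    return encrypt(session_key, {"principal": principal, "ip": ip, "time": now})

class KDC:
    """Key Distribution Center: Kerberos' own key plus every registered user and service key."""
    def __init__(self):
        self.kerberos_key = secrets.token_bytes(32)
        self.users = {}     # principal -> (user key, hosts allowed to request a TGT)
        self.services = {}  # service principal -> service secret key
    def register_user(self, principal, password, hosts):
        self.users[principal] = (derive_key(password), set(hosts))
    def register_service(self, service):
        self.services[service] = secrets.token_bytes(32)
        return self.services[service]
    def tgt_request(self, principal, ip, now):
        """kinit request: login name, client IP, ticket name krbtgt (slide 18)."""
        user_key, hosts = self.users[principal]
        if ip not in hosts:
            raise PermissionError("host not allowed to request a TGT")
        tgt = {"principal": principal, "ip": ip, "service": "krbtgt",
               "session_key": secrets.token_hex(32), "expires": now + TICKET_LIFE}
        # One copy sealed with Kerberos' key, one in plain text; whole reply under the user's key.
        return encrypt(user_key, {"plain": tgt, "sealed": encrypt(self.kerberos_key, tgt).hex()})
    def service_ticket_request(self, service, sealed_tgt, authenticator, now):
        tgt = decrypt(self.kerberos_key, sealed_tgt)
        tgt_session = bytes.fromhex(tgt["session_key"])
        validate(tgt, decrypt(tgt_session, authenticator), now)
        ticket = {"principal": tgt["principal"], "ip": tgt["ip"], "service": service,
                  "session_key": secrets.token_hex(32), "expires": now + TICKET_LIFE}
        # Session key sent twice: under the TGT session key (for the client) and under telnetd's key.
        return encrypt(tgt_session, {"session_key": ticket["session_key"],
                                     "sealed": encrypt(self.services[service], ticket).hex()})

def service_accept(service_key: bytes, sealed_ticket: bytes, authenticator: bytes, now: int) -> str:
    """What telnetd does (slide 24): open the ticket with its own key, then check the authenticator."""
    ticket = decrypt(service_key, sealed_ticket)
    validate(ticket, decrypt(bytes.fromhex(ticket["session_key"]), authenticator), now)
    return ticket["principal"]

def run_session(password="correct horse", now=1_000_000, auth_time=None) -> str:
    """kinit then kerberized telnet; returns the principal telnetd accepted, raises if rejected."""
    auth_time = now if auth_time is None else auth_time
    kdc = KDC()
    kdc.register_user("alice", "correct horse", {"10.0.0.5"})   # constructed principal and host
    telnetd_key = kdc.register_service("telnetd/host.example")  # constructed service
    # kinit: the reply is readable only with the key derived from the typed password
    creds = decrypt(derive_key(password), kdc.tgt_request("alice", "10.0.0.5", now))
    tgt_session = bytes.fromhex(creds["plain"]["session_key"])
    # service request: the sealed TGT plus an authenticator under the TGT session key
    auth = make_authenticator(tgt_session, "alice", "10.0.0.5", auth_time)
    grant = decrypt(tgt_session, kdc.service_ticket_request(
        "telnetd/host.example", bytes.fromhex(creds["sealed"]), auth, now))
    # hand telnetd the ticket sealed with its key and a fresh authenticator
    svc_session = bytes.fromhex(grant["session_key"])
    auth2 = make_authenticator(svc_session, "alice", "10.0.0.5", auth_time)
    return service_accept(telnetd_key, bytes.fromhex(grant["sealed"]), auth2, now)

if __name__ == "__main__":
    print("telnetd accepted:", run_session())
```

Two failure modes are worth running: a wrong password makes the kinit reply undecryptable (the user key never leaves the KDC database, so a wrong guess learns nothing from the reply), and an authenticator whose timestamp is outside the skew window is refused by the KDC before any service ticket is issued, which is the check that limits replay of a captured authenticator.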
  25. Kerberos Limitations
     - Bad passwords are still subject to a dictionary attack
     - Kerberos V4 subject to cracker attack (worse than some standard Unix security)
     - Kerberos V5 subject to sniffer attack
     - Passwords still subject to host security
     - Trojan horses in Kerberos client software can divulge passwords
  26. Kerberos Limitations
     - Security over Kerberos database containing users' and services' encryption keys must be strictly enforced
     - Security over master Kerberos password must be kept
  27. Other Security Enhancements
     - One-time Passwords
       - Device - SecurID
       - List of passwords - S/Key
     - Public-key Cryptography
  28. Today
     - Code available for free from MIT
     - Some vendor support: Cygnus, OpenVision, DEC, IBM
     - Many universities and some government institutions have implemented Kerberos
     - Not too many businesses have implemented it
  29. Benefits of Kerberos
     - No clear-text passwords across the Internet
     - Users do not need to enter password multiple times
  30. Future
     - Kerberos will use public-key cryptography for the initial TGT request
     - Windows 2000 (formerly called NT 5.0) will have a Kerberos implementation
  31. References
     - The Moron's Guide to Kerberos, Version 1.2.2
     - Kerberos: An Authentication Service for Computer Networks
     - Kerberos References
     - RFC 1510
