vksf 423 system administration iii authentication kerberos
Post on 12-Jan-2016
222 Views
Preview:
TRANSCRIPT
VKSF 423 System Administration III
Authentication Kerberos
Announcements
Slight modification to the syllabus Office hours
Tuesday 10-12 Thursday 10-12, 2-3
Lab Three: Virtualized Storage Veritas Storage Central OpenAFS LVM or EVMS Dynamic Disks (MS DFS)
Syllabus Modifications
Old Component
Weight New Component
Due date
Labs 25% No change All sign offs and submission by the end of 10th week
Practical 25% No change Demonstrated before exam week begins
Group Presentation
10% In lab In lab approximately 5 minutes
Group Report
10% Site Book Due by end of 10th week
Homework 10% Group Evaluation
How did the individuals contribute to the completion of the labs
Final Exam 20% No change During the final exam period
Definitions
Identification- assertion of who you are
Authentication-process of proving one’s identity
Authorization-The privileges that accrue to an identity
Access control-Provide the correct services to the correct users
Two Types of Authentication
User authentication Machine to machine authentication
Cryptographic Other (weak)
Identification
Who are you? Who do you claim to be? Who are you acting as?
Authentication
Can you prove who you say you are?
How? Something you know
Passwords Something you are
Biometrics Something you have
Access tokens
Access Control
All of the above Allow the correct users
Into a system Access to appropriate resources
Disallow invalid users Entry to the systems Deny access to restricted resources
Something you KnowPasswords
Oxymoron: Large random string != easy to remember
Password design/assignment Multiple words/syllables Mixed case/digits/punctuation
Storage Weak/strong encryption
Users perceive the risks as minimal vs. need to get work done
Passwords
Myth: never write down a password Recovery Helps more complicated passwords Multiple passwords
Clues/questions One time passwords
Something you areBiometrics
Voice, retinal, DNA, body geometry, signature, finger prints
Hard to change Easy to forge
Something you haveAccess Tokens
Physical keys Smart cards Translators Problems
Stolen Duplicated Spoofed
Authentication Protocols
Cryptographic methods to authenticate over a network
Multiple vulnerabilities
Network Authentication Options
Do nothing- trust machine to prevent unauthorized user access (control physical access)
Require machine to prove identity to network, then trust machine to authenticate users and provide access control
Require identification and authentication at each resource
Authentication Requirements
Must be Secure A.k.a. secure enough to push hackers
elsewhere Must be reliable
Manageable level of false negatives and false positives
Transparent to users Scalable to enterprise networks
Simple Protocol
Bob enters password on client Client sends password to server Server looks up id and password in
database of ids and passwords If it matches, validation message
sent to client & Bob is in
Problems with simple scenario
Clear text password in database Clear text password in transfer Confirmation spoofing
Password Database
Hide Encrypt
Salt Multiple serial encryptions
Transfer
Hashing Encryption
Confirmation spoofing
Simple T/F Alternate hash of password/known
key Encryption
Improved Protocol: Challenge
Avoid clear text transfer of password Bob informs server of desire to
access Server offers a phrase to Bob Bob encrypts phrase with Bob’s
password and sends to server Server, who already knows Bob’s
password, also encrypts phrase with Bob’s password and compares
Problems with improved version
Server needs clear text copy of Bob’s password
Given enough instances of a login the original password could be determined
Use of a “Trusted Third Party”
The “Blind Date” protocol I don’t know Kathy She doesn’t know me We both know Loretta We both separately contact Loretta Loretta “vouches” for me to Kathy Loretta “vouches” for Kathy to me
Levels of Kerberos Protection
Authentication at initiation of network session, assume future messages from same address come from same machine
Authentication of each message, no encryption of message
Private messages-each message is authenticated and encrypted
Kerberos Modules
Applications library Encryption library Database library Database administration programs Administration server Authentication server Db propagation software User programs applications
Kerberos Misc.
Model based on Needham and Schroeder key distribution protocol
Encryption done with DES Extendable to DES Cypher Block Chaining
Database Contains one record/principal Record contains name, private key,
expiration date of principal Name- name.instance@realm
Kerberos
Ticket Used to securely pass the identity of the
person to whom the ticket was issued between the authentication server and the end server.
Authenticator Contains additional information which when
compared against the ticket proves that the client presenting the ticket is the same one to which the ticket was issued.
Kerberos
Keeps database of clients and private keys If client is user, key is encrypted
password Generates temporary private keys
(session keys) Session keys are given to two clients
to encrypt messages between them.
Kerberos Ticket
Ticket is good for a single server and a single client Contains name of the server Name of the client IP address of the client Timestamp Lifetime Random session key
Encrypted using the private key of the server for which the ticket will be used
May be used until lifetime expires
Kerberos Authenticator
Contains Name of the client Client’s IP address Client’s current time
Can only be used once, must be regenerated each time a client wants to use a service
Can be regenerated by the client (without going to the server)
Encrypted in the session key that is part of the ticket
Enhanced protocol: Kerberos
Bob asks K-server to access Mary’s server K-server checks to see if Bob has access
permissions K-server sends Bob a ticket and a
session key Bob uses session key to create an
authenticator to prove to Mary he is Bob Bob send ticket and authenticator to
Mary Mary checks both
Main Problem
Authentication of user or device given zero prior information
Does Kerberos do this?
top related