KERBEROS & COVERT CHANNELS ©neo

Upload: raj-bhatt

Post on 26-Jun-2015


Category: Education



DESCRIPTION

Internet Network and Security

TRANSCRIPT

Page 1: Kerberos and Covert Channels

KERBEROS & COVERT CHANNELS

Page 2: Kerberos and Covert Channels

TOPICS COVERED

• KERBEROS

  What is Kerberos?
  How it works
  Applications of Kerberos

• COVERT CHANNELS

  What are covert channels?
  How they work
  Example
  Conclusion


Page 3: Kerberos and Covert Channels

KERBEROS


Page 4: Kerberos and Covert Channels

WHAT IS KERBEROS?

• Kerberos is a secure method for authenticating a request for a service in a computer network.

• Kerberos was developed in the Athena Project at the Massachusetts Institute of Technology (MIT).

• Kerberos lets a user request an encrypted "ticket" from an authentication process that can then be used to request a particular service from a server.

• The user's password does not have to pass through the network.


Page 5: Kerberos and Covert Channels

[Diagram: Susan at Susan’s Desktop Computer; Key Distribution Center, containing the Authentication Service and the Ticket Granting Service; XYZ Service]

Think “Kerberos Server” and don’t let yourself get mired in terminology.


Page 6: Kerberos and Covert Channels

[Diagram: same layout as page 5]

XYZ Service: represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc…)


Page 7: Kerberos and Covert Channels

[Diagram: same layout as page 5]

Susan, to the Authentication Service: “I’d like to be allowed to get tickets from the Ticket Granting Server, please.”


Page 8: Kerberos and Covert Channels

[Diagram: same layout as page 5]

Authentication Service: “Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service.”


Page 9: Kerberos and Covert Channels

[Diagram: same layout as page 5; labels: myPassword (Susan unlocks the box), TGT]


Page 10: Kerberos and Covert Channels

[Diagram label: TGT]

Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a shiny “Ticket-Granting Ticket”.

The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication.

The TGT contains no password information.


Page 11: Kerberos and Covert Channels

[Diagram: same layout as page 5; Susan’s Desktop Computer sends a copy of the TGT to the Ticket Granting Service, labelled “use XYZ”]

Susan: “Let me prove I am Susan to XYZ Service. Here’s a copy of my TGT!”


Page 12: Kerberos and Covert Channels

[Diagram: same layout as page 5; the Ticket Granting Service returns a service ticket reading “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]

Ticket Granting Service: “You’re Susan. Here, take this.”


Page 13: Kerberos and Covert Channels

[Diagram: same layout as page 5; Susan’s Desktop Computer holds the TGT and the service ticket “Hey XYZ: Susan is Susan. CONFIRMED: TGS” and sends a copy of the service ticket to XYZ Service]

Susan: “I’m Susan. I’ll prove it. Here’s a copy of my legit service ticket for XYZ.”


Page 14: Kerberos and Covert Channels

[Diagram: same layout as page 5; XYZ Service receives the service ticket “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]

XYZ Service: “That’s Susan alright. Let me determine if she is authorized to use me.”


Page 15: Kerberos and Covert Channels

Authorization checks are performed by the XYZ service…

Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.


Page 16: Kerberos and Covert Channels

One remaining note:

Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable.

Until a ticket’s expiration, it may be used repeatedly.


Page 17: Kerberos and Covert Channels

[Diagram: same layout as page 5; Susan’s Desktop Computer again sends a copy of the service ticket “Hey XYZ: Susan is Susan. CONFIRMED: TGS” to XYZ Service, labelled “use XYZ”]

Susan: “ME AGAIN! I’ll prove it. Here’s another copy of my legit service ticket for XYZ.”


Page 18: Kerberos and Covert Channels

[Diagram: same layout as page 5; XYZ Service receives the service ticket “Hey XYZ: Susan is Susan. CONFIRMED: TGS” a second time]

XYZ Service: “That’s Susan… again. Let me determine if she is authorized to use me.”

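The ticket flow of pages 7 to 18, modelled end to end as an added Python example (not code from the slides): a toy SHA-256/HMAC “locked box” stands in for the real Kerberos encryption types, and the key database, the ACL, and the functions auth_service, ticket_granting_service, xyz_service and login_and_use are constructed for this illustration.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):       # toy cipher: SHA-256 in counter mode, not real Kerberos crypto
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def lock(key, data):                 # the slides' "locked box": only a holder of key can open it
    nonce, pt = os.urandom(16), json.dumps(data).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unlock(key, box):                # raises ValueError if the key is wrong or the box was altered
    nonce, tag, ct = box[:16], box[16:48], box[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cannot open box: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdf(password):                   # password -> user's long-term key (toy derivation)
    return hashlib.sha256(password.encode()).digest()

# KDC key database (constructed sample values; "tgs" plays the role of krbtgt)
KEYS = {"susan": kdf("myPassword"), "bob": kdf("bobPassword"), "tgs": os.urandom(32), "xyz": os.urandom(32)}
ACL = {"xyz": {"susan"}}             # XYZ's own authorization list (page 15)
LIFETIME = 600                       # ticket lifetime in seconds, set by the admins (page 16)

def auth_service(user):
    """Pages 7-8: the reply is a box locked with the user's secret; it holds the TGT."""
    sk = os.urandom(32).hex()        # session key shared between the user and the TGS
    tgt = lock(KEYS["tgs"], {"user": user, "sk": sk, "exp": time.time() + LIFETIME})
    return lock(KEYS[user], {"sk": sk, "tgt": tgt.hex()})   # TGT carries no password

def ticket_granting_service(tgt, proof, svc):
    """Pages 11-12: only the TGS can open the TGT; check the proof, issue a service ticket."""
    t = unlock(KEYS["tgs"], tgt)
    if time.time() > t["exp"] or unlock(bytes.fromhex(t["sk"]), proof)["user"] != t["user"]:
        raise PermissionError("bad or expired TGT")
    return lock(KEYS[svc], {"user": t["user"], "exp": time.time() + LIFETIME})

def xyz_service(ticket):             # pages 13-15: the ticket authenticates; authorization is XYZ's own
    st = unlock(KEYS["xyz"], ticket)
    if time.time() > st["exp"]:
        raise PermissionError("expired service ticket")
    return st["user"] in ACL["xyz"]

def login_and_use(user, password):   # the desktop side: AS reply, then service ticket, then XYZ twice
    rep = unlock(kdf(password), auth_service(user))           # page 9: open the box with the password
    sk, tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    ticket = ticket_granting_service(tgt, lock(sk, {"user": user, "t": time.time()}), "xyz")
    return xyz_service(ticket), xyz_service(ticket)           # pages 17-18: reuse until expiry
```

Susan is authenticated and authorized on both calls, Bob authenticates but fails XYZ’s authorization check, and a wrong password cannot open the Authentication Service’s box at all.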

Page 19: Kerberos and Covert Channels

APPLICATIONS

• Authentication

• Authorization

• Confidentiality

• Within networks and small sets of networks


Page 20: Kerberos and Covert Channels

COVERT CHANNELS


Page 21: Kerberos and Covert Channels

WHAT ARE COVERT CHANNELS?

• “A path of communication that was not designed to be used for communication.”

• Covert channels arise in many situations, particularly in network communications.

• Covert channels are virtually impossible to eliminate, and the emphasis is instead on limiting the capacity of such channels.


Page 22: Kerberos and Covert Channels

FOR EXAMPLE

Suppose Alice has a TOP SECRET clearance while Bob only has a CONFIDENTIAL clearance. If the file space is shared by all users, then Alice and Bob can agree that if Alice wants to send a 1 to Bob, she will create a file named, say, FileXYzW, and if she wants to send a 0 she will not create such a file.

Bob can check to see whether file FileXYzW exists, and, if it does, he knows Alice has sent him a 1, and if it does not, Alice has sent him a 0. In this way, a single bit of information has been passed through a covert channel, that is, through a means that was not intended for communication by the designers of the system.


Page 23: Kerberos and Covert Channels

COVERT CHANNELS

A single bit leaking from Alice to Bob is probably not a concern, but Alice could leak any amount of information by synchronizing with Bob.

For example, Alice and Bob could agree that Bob will check for the file FileXYzW once each minute. As before, if the file does not exist, Alice has sent a 0, and, if it does exist, Alice has sent a 1.

In this way Alice can (slowly) leak TOP SECRET information to Bob. A printing queue can be used as a covert channel in the same way.

Page 24: Kerberos and Covert Channels

COVERT CHANNELS

Three things are required for a covert channel to exist.

• First, the sender and receiver must have access to a shared resource.

• Second, the sender must be able to vary some property of the shared resource that the receiver can observe.

• Finally, the sender and receiver must be able to synchronize their communication.

It’s apparent that covert channels are extremely common.

Probably the only way to completely eliminate all covert channels is to eliminate all shared resources and all communication.

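The file-existence channel of pages 22 to 24, simulated in memory as an added Python example (not code from the slides), together with the audit-trail check a defender would run against it: the three ingredients (shared resource, an observable property the sender varies, synchronized polling) map onto SharedFileSpace, create/delete and the per-tick loop, while churn_alerts shows why such a channel is hard to eliminate but easy to notice. The class, function names and audit records are constructed for this illustration.

```python
from collections import defaultdict

SIGNAL_FILE = "FileXYzW"             # the file name used in the slides


class SharedFileSpace:
    """The shared resource: a file space every user can see, plus an audit trail."""

    def __init__(self):
        self.files = set()
        self.audit = []              # (tick, user, action, name): constructed audit records

    def create(self, tick, user, name):
        if name not in self.files:
            self.files.add(name)
            self.audit.append((tick, user, "create", name))

    def delete(self, tick, user, name):
        if name in self.files:
            self.files.discard(name)
            self.audit.append((tick, user, "delete", name))

    def exists(self, name):
        return name in self.files


def run_channel(bits):
    """One tick per minute: Alice varies the file's presence, then Bob polls it (synchronization)."""
    fs, received = SharedFileSpace(), []
    for tick, bit in enumerate(bits):
        if bit:
            fs.create(tick, "alice", SIGNAL_FILE)
        else:
            fs.delete(tick, "alice", SIGNAL_FILE)
        received.append(1 if fs.exists(SIGNAL_FILE) else 0)   # Bob's observation
    return received, fs


def churn_alerts(fs, window=10, threshold=4):
    """Defender's view: names whose existence toggles `threshold` or more times within `window` ticks.
    Ordinary files are rarely created and deleted over and over within a few minutes."""
    events = defaultdict(list)
    for tick, _user, _action, name in fs.audit:
        events[name].append(tick)
    flagged = set()
    for name, ticks in events.items():
        for i, start in enumerate(ticks):           # sliding window over this name's events
            if sum(1 for t in ticks[i:] if t < start + window) >= threshold:
                flagged.add(name)
    return flagged
```

Every bit Alice encodes is recovered by Bob, and the same create/delete churn that carries the message is what makes FileXYzW stand out in the audit trail; a file that is simply left in place is not flagged.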

Page 25: Kerberos and Covert Channels

Thank you


Page 26: Kerberos and Covert Channels

Presentation By:

Shweta Agrawal - 02
Puneet Bhat - 12
Raj Bhatt - 14
Shaun Bothelo - 15
