ACCESS CONTROL MANAGEMENT
Poonam Gupta Sowmya Sugumaran
PROJECT GROUP # 3
Overview
• Goal of the project
• Project progress
• Closer look at the TGTs
• A few security issues in Kerberos
• Brief intro to Kerberos commands
• A few screen shots
• Immediate tasks ahead
Goal of the Project
The goal of the project is to allow clients to access the service servers in a secure and controlled manner using Kerberos.
Project Progress
• Installed Kerberos version 5
• Assigned password for pre-authentication
• Working on incorporating the SRP protocol in pre-authentication
Closer look at the TGT
TGT Request Format
1. Version no. (1 byte)
2. Msg Type ID (1 byte)
3. Username (String)
4. Req. Ticket Instance (String)
5. Kerberos Realm (String)
6. Ts (4 bytes)
7. Req. Ticket Life-time (1 byte)
8. Req. Service (String)
9. Req. Service Instance (String)
• TGT: Ticket-to-get-Ticket (exchanged between the client and the authentication server to get access to the Ticket Granting Server)
• There are 9 fields in a TGT request
Contd..
• The server can’t authenticate the TGT packet
• An intruder can construct a similar-looking packet
• It can be indistinguishable from the legitimate packet
Contd..
• Kerberos authenticates the client by sending back an encrypted packet
• The packet is encrypted using the key from the user’s password
• If the user enters the correct password upon logging in, the client can decrypt the packet to obtain the valid TGT
• Unauthorized users get random useless bits
TGT Return Packet Format
1. Session key (8 bytes)
2. Service Name (String)
3. Instance (String)
4. Realm (String)
5. TGT life-time (1 byte)
6. Version no. (1 byte)
7. Encrypted Ticket Length (1 byte)
8. Encrypted Ticket Block (length given by field 7)
9. Ts (4 bytes)
• Ticket length and Ticket block are encrypted using the key derived from the user’s password.
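The two packet layouts on the slides above, written out as a small codec so the field order and sizes can be checked against real bytes. This is an added example, not code from the project: the slides give only field names and sizes, so the encoding of the "String" fields (NUL-terminated ASCII), the byte order of the 4-byte Ts and all sample values are assumptions. The decoder bounds-checks every read; what it cannot do is tell who built the request, which is the point of the earlier "Contd.." slide: nothing in the request is bound to a key, so a parser can only confirm that the fields are well-formed.

```python
import struct

# Field kinds (constructed codec for this example, not any implementation's wire format):
#   "u8"  one byte; "u32" four-byte big-endian integer (the Ts field)
#   "str" NUL-terminated ASCII -- an assumption, the slides only say "String"
#   "bytes:n" exactly n raw bytes (the 8-byte session key)
#   "blob:i" raw bytes whose length is carried by field i (1-based), the slide's "Field 7"
TGT_REQUEST_FIELDS = [
    ("version", "u8"), ("msg_type", "u8"), ("username", "str"),
    ("ticket_instance", "str"), ("realm", "str"), ("timestamp", "u32"),
    ("ticket_lifetime", "u8"), ("service", "str"), ("service_instance", "str"),
]
TGT_REPLY_FIELDS = [
    ("session_key", "bytes:8"), ("service_name", "str"), ("instance", "str"),
    ("realm", "str"), ("tgt_lifetime", "u8"), ("version", "u8"),
    ("enc_ticket_length", "u8"), ("enc_ticket", "blob:7"), ("timestamp", "u32"),
]


def encode(spec, values):
    """Serialize a dict of field values in the order given by spec."""
    out = bytearray()
    for name, kind in spec:
        v = values[name]
        if kind == "u8":
            out += struct.pack("!B", v)
        elif kind == "u32":
            out += struct.pack("!I", v)
        elif kind == "str":
            data = v.encode("ascii")
            if b"\x00" in data:
                raise ValueError(f"{name}: NUL inside string field")
            out += data + b"\x00"
        elif kind.startswith("bytes:"):
            if len(v) != int(kind[6:]):
                raise ValueError(f"{name}: expected {kind[6:]} bytes")
            out += v
        elif kind.startswith("blob:"):
            length_field = spec[int(kind[5:]) - 1][0]
            if values[length_field] != len(v):
                raise ValueError(f"{name}: length does not match {length_field}")
            out += v
    return bytes(out)


def decode(spec, data):
    """Parse bytes into a dict; short or oversized packets raise instead of passing."""
    values, pos = {}, 0

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("packet truncated")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    for name, kind in spec:
        if kind == "u8":
            values[name] = take(1)[0]
        elif kind == "u32":
            (values[name],) = struct.unpack("!I", take(4))
        elif kind == "str":
            end = data.find(b"\x00", pos)
            if end < 0:
                raise ValueError(f"{name}: unterminated string")
            values[name] = take(end - pos).decode("ascii")
            take(1)  # the NUL terminator
        elif kind.startswith("bytes:"):
            values[name] = take(int(kind[6:]))
        elif kind.startswith("blob:"):
            values[name] = take(values[spec[int(kind[5:]) - 1][0]])
    if pos != len(data):
        raise ValueError("trailing bytes after last field")
    return values


# Constructed sample values (not taken from the slides).
SAMPLE_REQUEST = {
    "version": 5, "msg_type": 1, "username": "alice", "ticket_instance": "",
    "realm": "EXAMPLE.ORG", "timestamp": 901704347, "ticket_lifetime": 96,
    "service": "krbtgt", "service_instance": "EXAMPLE.ORG",
}
ENC_TICKET = bytes(range(40))  # stands in for the opaque encrypted ticket block
SAMPLE_REPLY = {
    "session_key": b"\x11" * 8, "service_name": "krbtgt", "instance": "",
    "realm": "EXAMPLE.ORG", "tgt_lifetime": 96, "version": 5,
    "enc_ticket_length": len(ENC_TICKET), "enc_ticket": ENC_TICKET,
    "timestamp": 901704347,
}


def roundtrip(spec, values):
    """Encode then decode; True when the parse reproduces the input exactly."""
    return decode(spec, encode(spec, values)) == values
```

Running `roundtrip` on both samples exercises every field kind, including the length dependency between fields 7 and 8 of the reply; feeding `decode` a truncated request shows the parser refusing it rather than filling in defaults.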
In Enemy Hands
• Prone to dictionary attack – password cracker
• Intruder sends a fake TGT request and saves the encrypted TGT to a file
• He then trial-tests a password (P):
  1. Convert P to a DES key (K): K = string-to-key(P)
  2. Decrypt the TGT with K and check if it is a valid TGT
  3. If so, P is the user’s password
Timestamp in Pre-authentication
• Including Ts during pre-authentication:
  C → S: R, Ek{Ts}
  S → C: Ek{TGT}
• Drawback: prevents an attacker from requesting a TGT, but does not prevent an eavesdropper from capturing Ek{Ts} or Ek{TGT}
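The AS exchange from the dictionary-attack slide and the timestamp slide, simulated with both sides in one file. This is an added example, not the project's code: the cipher is a constructed encrypt-then-MAC built from standard-library hashes that stands in for a Kerberos enctype, string-to-key is replaced by PBKDF2, and the realm, principal, password and 300-second skew window are assumptions. It shows what changes once pre-authentication is required: an unauthenticated request no longer yields Ek{TGT}, a stale Ek{Ts} is refused (the reason clocks must be synchronized), and a resent Ek{Ts} is caught by a replay cache. The drawback the slide names remains: a legitimate client's Ek{Ts} and Ek{TGT} are still password-keyed ciphertext to anyone on the wire.

```python
import hashlib
import hmac
import os

REALM = "EXAMPLE.ORG"   # constructed
SKEW_SECONDS = 300      # assumption: a five-minute clock-skew window


def string_to_key(password: str) -> bytes:
    # Stand-in for the slide's K = string-to-key(P): PBKDF2-HMAC-SHA256 salted with the realm.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC constructed for this example; it is not a Kerberos enctype.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    # Returns plaintext, or None for a wrong key or altered blob. This yes/no answer is
    # exactly the offline oracle the dictionary-attack slide describes.
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuthServer:
    """Authentication-server half of the AS exchange; pre-authentication is switchable."""

    def __init__(self, principals: dict, require_preauth: bool):
        # The KDC keeps only derived keys, never the passwords themselves.
        self.keys = {user: string_to_key(pw) for user, pw in principals.items()}
        self.require_preauth = require_preauth
        self.seen_preauth = set()   # replay cache of accepted Ek{Ts} values

    def as_request(self, username: str, now: int, preauth=None):
        key = self.keys.get(username)
        if key is None:
            return "error: unknown principal", None
        if self.require_preauth:
            if preauth is None:
                return "error: pre-authentication required", None
            ts_bytes = decrypt(key, preauth)
            if ts_bytes is None or len(ts_bytes) != 4:
                return "error: pre-authentication failed", None
            if abs(int.from_bytes(ts_bytes, "big") - now) > SKEW_SECONDS:
                return "error: clock skew too great", None   # why clocks must be in sync
            if preauth in self.seen_preauth:
                return "error: replay detected", None
            self.seen_preauth.add(preauth)
        tgt = b"TGT:" + username.encode()   # constructed opaque ticket body
        return "ok", encrypt(key, tgt)


def make_preauth(password: str, client_clock: int) -> bytes:
    """Client side of R, Ek{Ts}: the 4-byte timestamp under the password-derived key."""
    return encrypt(string_to_key(password), client_clock.to_bytes(4, "big"))


def run_scenarios() -> dict:
    password = "constructed-sample-passphrase"
    now = 901704347
    legacy = AuthServer({"alice": password}, require_preauth=False)
    with_preauth = AuthServer({"alice": password}, require_preauth=True)
    results = {
        # Without pre-authentication anyone naming the user is handed Ek{TGT}.
        "legacy_unauthenticated": legacy.as_request("alice", now)[0],
        "preauth_missing": with_preauth.as_request("alice", now)[0],
        "preauth_wrong_password": with_preauth.as_request(
            "alice", now, make_preauth("wrong guess", now))[0],
    }
    good = make_preauth(password, now)
    status, reply = with_preauth.as_request("alice", now, good)
    results["preauth_correct"] = status
    results["client_decrypts_tgt"] = decrypt(string_to_key(password), reply) == b"TGT:alice"
    # A captured Ek{Ts} cannot simply be resent, and a badly skewed clock is refused.
    results["replayed_preauth"] = with_preauth.as_request("alice", now + 1, good)[0]
    stale = make_preauth(password, now - 2 * SKEW_SECONDS)
    results["skewed_clock"] = with_preauth.as_request("alice", now, stale)[0]
    return results
```

`run_scenarios()` returns one status per case so the two KDC configurations can be compared directly; the replay cache is kept in memory here, whereas a real KDC would have to persist it across restarts and expire entries older than the skew window.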
Solution: Stronger Cryptography
• A variant of public-key cryptography
• Secure Remote Password (SRP) – properties:
  – Resistant to dictionary attack
  – Secure even if the password is of low entropy
  – Only one password can be guessed per attempt in SRP 6
• SRP can be incorporated into Krb v5 as a pre- authentication mechanism
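An SRP-6a run with client and server written side by side, added here to illustrate the mechanism the slide proposes; it is not the project's pre-authentication code. It uses the 1024-bit group from RFC 5054, Appendix A, with g = 2 (the block re-checks that N is a safe prime), SHA-256 where the RFC uses SHA-1, and a constructed user name and passphrase. The server enrolls only a salt and the verifier v = g^x, so its database never holds the password, and a wrong password fails the client's proof without giving either the server or an eavesdropper anything to test further guesses against offline, which is the "one guess per attempt" property on the slide.

```python
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054, Appendix A, generator g = 2. is_probable_prime()
# below is used to confirm N is a safe prime, so a mistyped digit would be caught.
N = int("".join("""
EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C
9C256576 D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4
8E495C1D 6089DAD1 5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29
7BCF1885 C529F566 660E57EC 68EDBC3C 05726CC0 2FD4CBF4 976EAA9A
FD5138FE 8376435B 9FC61D2F C0EB06E3
""".split()), 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")


k = H(pad(N), pad(g))   # SRP-6a multiplier


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used only to sanity-check the group parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def private_x(username: str, password: str, salt: bytes) -> int:
    # x = H(salt || H(username ":" password)), with SHA-256 in place of the RFC's SHA-1.
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username: str, password: str):
    """Server stores only (salt, verifier); the password itself never leaves the client."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def authenticate(username: str, password_attempt: str, salt: bytes, verifier: int) -> bool:
    """One SRP-6a run; returns whether the client's proof M1 verifies at the server."""
    a = secrets.randbelow(N - 2) + 1                   # client ephemeral
    A = pow(g, a, N)                                   # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1                   # server ephemeral
    B = (k * verifier + pow(g, b, N)) % N              # server -> client: salt, B
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value, abort")
    u = H(pad(A), pad(B))
    # Client: only the true x turns (B - k*g^x) back into g^b.
    x = private_x(username, password_attempt, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    # Server: never sees the password, only checks M1 against its own S.
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()
    expected = hashlib.sha256(pad(A) + pad(B) + K_server).digest()
    return hmac.compare_digest(M1, expected)


def demo():
    salt, v = enroll("alice", "constructed-sample-passphrase")
    return (authenticate("alice", "constructed-sample-passphrase", salt, v),
            authenticate("alice", "wrong guess", salt, v))
```

`demo()` returns `(True, False)`: the correct passphrase produces matching session keys on both sides, the wrong one does not. The shared key K that both parties derive is what a Kerberos pre-authentication mechanism would then use to protect the AS reply in place of the password-derived key.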
Getting the Tickets
• kinit – forwards the request for a TGT to the KDC
• The KDC encrypts the TGT with the password and sends it back
• kinit has the following options: -l (lifetime), -f (forwardable tickets), -r (renewable life)
Listing the Tickets
• klist – lists the tickets of the authenticated user.
The output of an unsuccessful authentication is:
  klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)
Contd..
• klist provides:
  – Information on all tickets
  – Expiration time of each ticket
  – Flags that apply to the ticket
Example:
  Ticket cache: /tmp/krb5cc_1234
  Valid starting         Expires
  29 Jul 98 11:25:47     30 Jul 98 12:25:42
Changing Kerberos Password
• kpasswd is used for changing Kerberos passwords:
  kpasswd: Changing password
  Old password: your_old_password
  kpasswd: your_new_password
  New password (again): your_new_password
  Kerberos password changed
(Slides 16–19: screen shots only; no text was extracted.)
Immediate Tasks Ahead
• Clock synchronization
• Setting the master key
Clock Synchronization
• All clocks within the organization must be synchronized
• Very important – protects against replay attack
• Possible solution:
  – Installing a time server on one machine and having all clients synchronize their clocks with this machine
Setting the Master Key
• Database master key – protects the database from accidental disclosure
• Derived from a pass phrase and stored in a stash file
• Don’t back up the stash file while making backups of the database to tape
  Master key: <enter pass phrase>
  Verifying password – Master key: <enter pass phrase again>
References
• http://en.wikipedia.org/wiki/Kerberos_(protocol)
• http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/wu.pdf
Thank You!