Use of Kerberos-Issued Certificates at Fermilab: Kerberos → PKI Translation. Matt Crawford & Dane Skow, Fermilab.


Philosophy
"Scientific thinking and invention flourish best where people are allowed to communicate as much as possible unhampered." (Enrico Fermi)

Why Short-Lived Certificates?
Intuition and measurement both tell us that a significant number of long-lived authentication secrets will be compromised. The frequency of this event is reduced if the secrets:
- are not stored on computers;
- are not transmitted on the network;
- can be held in organic memory.
The impact of this event is reduced if:
- the owner of the secret can quickly and easily invalidate it and establish a new one.

Passwords vs. Private Keys
- Passwords are small secrets that (most) users can remember. Private keys are sets of large integers which must be stored, usually in one or more online file systems.
- Passwords are easy to change; private keys are difficult to change.
- On the other hand, passwords can sometimes be guessed if an offline attack is possible. Private keys are seldom guessable.

KCA
- KCA = Kerberized Certificate Authority: an online CA which is a Kerberos service.
- Client generates an RSA key pair and sends the public key to the KCA with Kerberos authentication and integrity protection.
- KCA generates the Subject DN and other extensions, and signs a certificate valid until the expiration time of the Kerberos ticket.
- Client receives the certificate and inserts it in the browser cache or Globus proxy file.
- Software originated at CITI, University of Michigan.

CA Considerations
- The KCA host must be as well protected as any comparable part of the authentication infrastructure: KDC, Domain Controller, ...
- Since the CA private key is on-line, it should be short-lived* and easy to replace.
  * Short relative to the keys of some other CAs, not to the certificates it signs!
- Relying parties (Grid or SSL services) need the KCA public key on file, or another CA key which certifies the KCA.
- Certificate revocation: moot, since every certificate expires with the Kerberos ticket it was issued against.

KCA - LDAP Connection
- The KCA accepts only the public key and the Kerberos identity from a client.
- The Kerberos identity is algorithmically transformed into a UserID and an e-mail address, but the CommonName ("John Smith") is also wanted.
- The CommonName is obtained through a secure LDAP query to the Windows 2000 directory.
- All our Windows 2000 domain user accounts are synchronized with Kerberos v5 user principals.

KCA - DNS Connection
- KCA's client, "kx509", locates the KCAs through DNS SRV records, based on the Kerberos realm name.
- This obviates any client configuration and achieves failover and load-balancing among redundant servers.

Uses - Grid
- Grid users can delegate proxy credentials from a KCA certificate in the usual way.
- As long as the Globus toolkit on a grid server can trace a path from a trusted root CA to a user's certificate or proxy, that server can verify the user's identity.
- Simplest deployment: store the KCA's self-signed certificate and signing policy on each server.
- More elegant deployment: fit the KCA into a hierarchy of CAs.

Uses - Web
- Windows client stores the user certificate & private key in the registry for the browser's use.
- *nix client includes a Netscape cryptographic module which can access the certificate and private key stored among the tickets in the Kerberos credential cache.
- An SSL-enabled web server can securely determine the client's UserID, name, e-mail address and Kerberos principal name.
- Subject DN available to CGI, PHP, etc.
- Alternative to IP-based access control.
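The exchange described in the KCA, LDAP Connection, Grid and Web slides, as an added example that is not part of the original presentation and not the CITI kx509/KCA code: a toy Kerberized CA in Go using only the standard library. It assumes the Kerberos AP-REQ has already been verified, so the KCA is handed just the principal name and the ticket end time; the principal-to-UserID/e-mail rule, the realm EXAMPLE.ORG and the one-entry directory map are constructed stand-ins for the site's own transform and its LDAP query; and the relying party rebuilds the principal from the UID plus the realm it knows the KCA serves (the real deployment may carry the principal in the certificate differently). The certificate's NotAfter is copied from the ticket, which is exactly what makes revocation moot.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RFC 4519 uid and PKCS#9 emailAddress; pkix.Name has no named field for either.
var (
	oidUID   = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}
	oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
)

const realm = "EXAMPLE.ORG" // constructed realm for the demo, not Fermilab's

// KCA is a toy Kerberized CA: an online signing key plus its short-lived CA certificate.
type KCA struct{ Key *rsa.PrivateKey; Cert *x509.Certificate }

// Identity is what a relying party recovers from the certificate's Subject DN.
type Identity struct{ UserID, CommonName, Email, Principal string }

// NewClientKey is the client's first step (what kx509 does): the private half never leaves the client.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewKCA makes a self-signed CA: key lifetime short for a CA, long next to the ticket-bound certs it signs.
func NewKCA(org string, lifetime time.Duration) (*KCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "Kerberized CA"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &KCA{Key: key, Cert: cert}, err
}

// Issue runs after Kerberos has authenticated the client (AP-REQ assumed already verified): map the
// principal to a DN (assumed UserID/e-mail rule; directory stands in for the LDAP query that supplies
// the CommonName), then sign the client's public key with NotAfter equal to the ticket end time.
func (k *KCA) Issue(principal string, ticketExpiry time.Time, pub *rsa.PublicKey, directory map[string]string) (*x509.Certificate, error) {
	if !ticketExpiry.After(time.Now()) {
		return nil, fmt.Errorf("ticket for %q already expired", principal)
	}
	user, r, _ := strings.Cut(principal, "@")
	cn, ok := directory[user]
	if r != realm || !ok {
		return nil, fmt.Errorf("principal %q unknown to this KCA", principal)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			Organization: k.Cert.Subject.Organization, CommonName: cn,
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidUID, Value: user},
				{Type: oidEmail, Value: user + "@" + strings.ToLower(r)},
			},
		},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              ticketExpiry, // bound to the ticket, not to the CA key
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: end-entity only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, k.Cert, pub, k.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the relying party's check: a path from the trusted KCA certificate to the leaf at time at.
func Verify(root, leaf *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IdentityFromCert pulls UserID, name and e-mail from the DN; the principal is the UID plus the realm this KCA serves.
func IdentityFromCert(c *x509.Certificate) Identity {
	id := Identity{CommonName: c.Subject.CommonName}
	for _, atv := range c.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidUID) {
			id.UserID = s
		} else if ok && atv.Type.Equal(oidEmail) {
			id.Email = s
		}
	}
	id.Principal = id.UserID + "@" + realm
	return id
}
```

A driver calls NewKCA, NewClientKey, Issue, Verify and IdentityFromCert in that order. Verify fails the moment the ticket end time passes, and Issue refuses an already-expired ticket, a principal from another realm, or a user with no directory entry, which are the three failure modes a KCA operator actually sees.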

Uses - Other
The Nessus security scanner can act as a TLS-authenticated server. We provide servers inside and outside the site border and generate, for each registered sysadmin, a list of IP addresses they are responsible for and allowed to scan. On their own schedules, they authenticate through KCA/kx509, connect to the Nessus server with a GUI client, initiate scans, and receive the reports directly or return for them later.

Summary
- Deploying KCA has linked many TLS/SSL services into our sitewide authentication infrastructure.
- Either W2K or KRB5 is a sufficient base to allow deployment of this technology; a KCA can serve both at once.
- The security concerns of an online CA issuing short-lived certificates are no more severe than those of a KDC, kaserver, W2K DC, ...
- Short-lived certificates require less storage protection than long-lived ones, and fulfill all the most common user requirements.