
Slide 1: Kerberos in an ISP environment (UNIX/Win2K/Cisco), version 1.2
> Nicolas FISCHBACH, Senior IP&Security Engineer, Professional Services Team, nico@securite.org, http://www.securite.org/nico/
> Sébastien LACOSTE-SERIS, Security Officer, IP Research & Development Manager, kaneda@securite.org, http://www.securite.org/kaneda/

Slide 2: Agenda
Kerberos
> Introduction: why did we choose Kerberos?
> Protocol and exchanges
> Attacks
Deployment
> UNIX
> Cisco routers and switches
> Win2K
Q&A
© 2001 Sécurité.Org

Slide 3: What is Kerberos?
Kerberos is a network authentication protocol/system.
> Uses time synchronization to:
  - limit the use of the keys
  - help in detecting replay attacks
> Mutual authentication
> Uses DES, 3DES and shared (symmetric) keys
> Trusted third party (the KDC)

Slide 4: What is Kerberos not?
> Kerberos provides authentication only, not authorization (what an authenticated principal may do is left to the application or host)
> Kerberos does not provide data encryption by itself; the session key it distributes may be used by the application to encrypt its traffic

Slide 5: Why use Kerberos?
> Secure authentication (cryptography)
> No password transmission over the network
> Single Sign On (SSO "is bad for security", Bruce Schneier)
> Centralized authentication management
> IETF standard (RFC 1510)

Slide 6: Kerberos vocabulary (1)
> KDC: Key Distribution Center. Holds a database of clients and servers (called principals) and their secret (symmetric) keys
> principal: three-tuple primary/instance@REALM
  - user: login/group@REALM
  - service: service/host.fqdn@REALM
> primary: username or service name
> instance: qualifies the primary (a role for a user, the host for a service)
> realm: authentication domain

Slide 7: Kerberos vocabulary (2)
> keytab: file containing one or more keys (for hosts or services). Also known as SRVTAB (Cisco)
> client: an entity that can obtain a ticket (user or host)
> service: host, ftp, krbtgt, pop, etc.
> ticket: credentials (identity of a client for a particular service)
> TGT: Ticket Granting Ticket, issued by the AS. Allows the client to obtain additional tickets (service tickets) for the same realm

Slide 8: Key Distribution Center
> Responsible for maintaining the secret keys of all principals and issuing Kerberos tickets
> The Authentication Service (AS) gives the client a session key and a Ticket Granting Ticket (TGT)
> The Ticket Granting Service (TGS) distributes service session keys and tickets for the services

Slide 9: Realms
> A realm is an authentication domain: one Kerberos database and a set of KDCs
> Hierarchical organization (new in v5)
> One-way or two-way authentication between realms
> Cross-realm authentication:
  - transitive cross-realm (through intermediate realms)
  - direct between two realms

Slide 10: Kerberos Protocol (1), Kerberos ticket
(Figure: ticket layout, fields as listed on the slide)
> Cleartext part: Domain (realm), Principal Name (the service the ticket is for)
> Encrypted part (under the service's key): Ticket Flags, Encryption Key (the session key), Domain (client realm), Principal Name (client), Start Time, End Time, Host Address (client), Authorization Data

Slide 11: Kerberos Protocol (2), Kerberos ticket exchanges
(Figure: the user talks to the Key Distribution Center, i.e. its Authentication Service and Ticket Granting Service, then to the network service)
Ports:
> kinit (KDC): 88/udp
> kpasswd (Unix): 749/tcp
> kpasswd (Win): 464/{tcp,udp}

Slide 12: Kerberos Protocol (3), getting a Ticket Granting Ticket (1+2)
> (1) TGT request from the client to the KDC (AS-REQ)
> (2) TGT reply (AS-REP): the TGT itself (encrypted under the krbtgt key) plus a session key encrypted with the key derived from the user's password; only the holder of the password can recover the session key

Slide 13: Kerberos Protocol (4), getting and using a Service Ticket (3+4+5)
> (3) ST request to the KDC, presenting the TGT (TGS-REQ)
> (4) ST and service session key returned to the client (TGS-REP)
> (5) ST presented to the server for authentication (AP-REQ)

Slide 14: NAT issues
> The host address is included in the tickets (recommended)
> Behind NAT, the NATed IP address must be added to the ticket
> Patch for MIT Kerberos 5.1
> Alternatively, create an addressless TGT (not recommended): kinit -A

Slide 15: Attacks against Kerberos (1)
> Vulnerability in Kerberos password authentication via KDC (AS) spoofing: a login program that accepts an AS reply without verifying it can be fooled by a fake KDC answering under a password of the attacker's choosing. Fix: keep a keytab file on the client and register a principal for the service, so the client checks the TGT by obtaining a ticket for its own host (kdcspoof: http://www.monkey.org/~dugsong/kdcspoof.tar.gz)
> Replay attacks: detected (client and server are time synchronized)
> Exposed keys: keys have a limited lifetime but are multi-session keys
> Temporary file vulnerability: run krb5-1.2.1 or later
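The five-step exchange of slides 12 and 13, the address check of slide 14 and the KDC-spoofing defence and replay detection of slide 15, as an added example that is not code from the presentation or from any Kerberos implementation: a toy KDC, client and application service in Python. The cipher is an HMAC-SHA256 construction standing in for DES/3DES, the realm COLT.CH comes from the slides, and the principals nico@COLT.CH, host/ws1.colt.ch and pop/mail.colt.ch, the addresses and the passwords are assumptions made for the demo.

```python
"""Toy model of the exchanges on slides 12-13 (steps 1-5), the KDC-spoofing check
from slide 15, the address check from slide 14 and replay detection.  Added example,
not code from the slides; the cipher is an HMAC-SHA256 stand-in for DES/3DES."""
import hashlib, hmac, json, os, time
SKEW = 300            # accepted clock skew in seconds (5 minutes is the usual default)
LIFETIME = 10 * 3600  # ticket lifetime in seconds
def string_to_key(password, salt):
    """Stand-in for the Kerberos string-to-key function (password + salt -> key)."""
    return hashlib.sha256((salt + password).encode()).digest()
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]
def seal(key, obj):
    """Encrypt-then-MAC a JSON object; models a Kerberos EncryptedData field."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
class KDC:
    """Holds the principals' secret keys; runs the AS (slide 12) and the TGS (slide 13)."""
    def __init__(self, realm):
        self.realm, self.db = realm, {}
        self.tgs_key = self.db[f"krbtgt/{realm}@{realm}"] = os.urandom(32)
    def register(self, principal, key):
        self.db[principal] = key
    def _ticket(self, key, cname, sk, caddr, now):   # the slide-10 ticket, simplified
        return seal(key, {"cname": cname, "key": sk.hex(), "caddr": caddr, "start": now, "end": now + LIFETIME})
    def as_exchange(self, cname, caddr, now):
        """(1) AS-REQ -> (2) AS-REP: TGT under the krbtgt key, session key under the user's key."""
        sk = os.urandom(32)
        return self._ticket(self.tgs_key, cname, sk, caddr, now), seal(self.db[cname], {"key": sk.hex()})
    def tgs_exchange(self, tgt, authenticator, sname, now):
        """(3) TGS-REQ -> (4) TGS-REP: service ticket under the service key, its session key under the TGT session key."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["cname"] != t["cname"] or abs(a["ts"] - now) > SKEW or now > t["end"]:
            raise PermissionError("bad authenticator or expired TGT")
        ssk = os.urandom(32)
        st = self._ticket(self.db[sname], t["cname"], ssk, t["caddr"], now)
        return st, seal(bytes.fromhex(t["key"]), {"key": ssk.hex()})
def login(kdc, user, password, host_principal, host_keytab_key, caddr, now):
    """Client side of slides 12-13.  The host-ticket step is the kdcspoof defence: an impostor
    KDC can craft an AS-REP for any password it likes, but not a ticket under the keytab's host key."""
    tgt, rep = kdc.as_exchange(user, caddr, now)
    sk = bytes.fromhex(unseal(string_to_key(password, user), rep)["key"])
    st, _ = kdc.tgs_exchange(tgt, seal(sk, {"cname": user, "ts": now}), host_principal, now)
    unseal(host_keytab_key, st)   # ValueError here means the KDC is not the real one
    return tgt, sk
class Service:
    """Application server: validates (5) the AP-REQ = service ticket + authenticator."""
    def __init__(self, key):
        self.key, self.replay_cache = key, set()
    def accept(self, st, authenticator, peer_addr, now):
        t = unseal(self.key, st)
        if not t["start"] <= now <= t["end"]:
            raise PermissionError("ticket not yet valid or expired")
        if t["caddr"] and t["caddr"] != peer_addr:   # caddr None models an addressless (kinit -A) ticket
            raise PermissionError("client address mismatch")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["cname"] != t["cname"] or abs(a["ts"] - now) > SKEW:
            raise PermissionError("authenticator outside clock skew")
        if (a["cname"], a["ts"]) in self.replay_cache:     # replay detection needs synchronized clocks
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((a["cname"], a["ts"]))
        return t["cname"]
def _attempt(fn, *args):
    try:
        fn(*args)
        return "accepted"
    except (PermissionError, ValueError) as e:
        return str(e)
def demo():
    """Full exchange plus four failure cases; returns one result string per case."""
    realm, now = "COLT.CH", int(time.time())      # realm from the slides; hosts, users, passwords are assumed
    user, host, pop_svc = f"nico@{realm}", f"host/ws1.colt.ch@{realm}", f"pop/mail.colt.ch@{realm}"
    kdc, host_key, pop_key = KDC(realm), os.urandom(32), os.urandom(32)
    kdc.register(user, string_to_key("correct horse", user))
    kdc.register(host, host_key)
    kdc.register(pop_svc, pop_key)
    tgt, sk = login(kdc, user, "correct horse", host, host_key, "10.0.0.5", now)
    st, rep = kdc.tgs_exchange(tgt, seal(sk, {"cname": user, "ts": now}), pop_svc, now)
    ssk, pop = bytes.fromhex(unseal(sk, rep)["key"]), Service(pop_key)
    ap_req = seal(ssk, {"cname": user, "ts": now})
    results = {"login": pop.accept(st, ap_req, "10.0.0.5", now)}
    results["replay"] = _attempt(pop.accept, st, ap_req, "10.0.0.5", now + 1)
    results["nat"] = _attempt(pop.accept, st, seal(ssk, {"cname": user, "ts": now + 2}), "192.0.2.1", now + 2)
    results["stale"] = _attempt(pop.accept, st, seal(ssk, {"cname": user, "ts": now - 3600}), "10.0.0.5", now)
    fake = KDC(realm)                                # impostor KDC: knows neither the real krbtgt key nor the host key
    fake.register(user, string_to_key("attacker", user))
    fake.register(host, os.urandom(32))
    results["spoof"] = _attempt(login, fake, user, "attacker", host, host_key, "10.0.0.5", now)
    return results
if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:7s} {outcome}")
```

Running the file prints one line per case: the normal login is accepted, the resubmitted AP-REQ is rejected as a replay, the same ticket from a different source address fails the address check (the NAT problem of slide 14), an authenticator stamped an hour ago is outside the skew window, and the login against the fake KDC fails only at the keytab verification step, which is exactly the check kdcspoof exploits when it is missing.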

Slide 16: Attacks against Kerberos (2)
> Password guessing: use a good passphrase
> Trojaned clients: use one-time passwords (OTP)
> Implicit trust between realms
> Ticket forwarding
> Others: KDC compromise, shared workstations, ...

Slide 17: *NIX clients
> RedHat (6.2 and 7) provides Kerberos V support; install patch RHSA-2001:025-14
> OpenBSD and Solaris 2.8 now support Kerberos V
> Solaris < 2.8 only provides Kerberos IV

Slide 18: Kerberos V on *NIX clients (1)
> Authentication is managed by the Kerberos API
> Authorizations are defined in per-user files:
  - ~/.k5login: lists the principal(s) allowed to log into that account
  - ~/.k5users: lists the commands that can be launched via ksu (sudo-like)
> PAM alternatives

Slide 19: Kerberos V on *NIX clients (2)
> Kerberized telnet: available
> Kerberized SSH:
  - SSH.com's SSH 1.2.x and 2.x support Kerberos V
  - Kerberos V patches available for OpenSSH: http://www.sxw.org.uk/computing/patches/
  - OpenSSH 2.5.2 with Kerberos V on RedHat 7.1

Slide 20: Kerberos V on Cisco equipment (1)
Cisco routers:
> Kerberized telnet
> Password authentication using Kerberos (telnet, SSH and console)
> Can map a Kerberos instance to a Cisco privilege level (locally defined)
Cisco switches:
> Telnet only (SSH available as of CatOS 6.1 but without Kerberos support)

Slide 21: Kerberos V on Cisco equipment (2)
IOS and memory issues on routers:
> Feature name: Kerberos V client support
> Needed feature set: at least Enterprise
> Not supported on all hardware, for example:
  - Cisco 16xx routers
  - Cisco GSR (12xxx, Gigabit Switch Router)
> Memory requirements: always check with the Cisco IOS Feature Navigator

Slide 22: Kerberos V on Cisco equipment (3)
Router configuration (IOS):
    aaa authentication login default krb5-telnet local
    aaa authorization exec default krb5-instance
    kerberos local-realm COLT.CH
    kerberos srvtab entry host/bgp1.colt.ch@COLT.CH...bgp1.colt.ch@COLT.CH
    kerberos server COLT.CH 192.168.0.14
    kerberos instance map engineering 15
    kerberos instance map support 3
    kerberos credentials forward
    line vty 0 4
    ntp server 192.168.0.126
The two "kerberos instance map" lines give principals with the instance "engineering" privilege level 15 and those with "support" level 3 (the authorization method krb5-instance applies them at exec time); the ntp line keeps the router's clock inside the KDC's skew window.

Slide 23: Kerberos V on Cisco equipment (4)
CatOS and memory issues on switches:
> At least Supervisor Engine Software Release 5.x
> Only supported on Catalyst 4000, 5000 and 6000/6500
> Only supported on Supervisor Engine I (not SE II) on the Cat6K
> Memory requirements: always check the release notes

Slide 24: Kerberos V on Cisco equipment (5)
Switch configuration (CatOS):
    #kerberos
    set kerberos local-realm COLT.CH
    set kerberos clients mandatory
    set kerberos credentials forward
    set kerberos server COLT.CH 192.168.0.82 88
    set kerberos srvtab entry host/sw1.colt.ch@COLT.CH...sw1.colt.ch@COLT.CH
    #authentication
    set authentication login kerberos enable telnet primary
    set authentication enable kerberos enable telnet primary
    #ntp
    set ntp client enable
    set ntp server 192.168.0.11

Slide 25: Kerberos V on Win2K stations (1)
> Provides Kerberos authentication for interactive logons
> The protocol is implemented as a security provider under the SSPI (Security Support Provider Interface) and is linked to the LSA (Local Security Authority)
> The ticket cache is provided by the LSA
> Telnetd supports Kerberos

Slide 26: Kerberos V on Win2K stations (2)
Support Tools, Win2K station configuration:
    ksetup /setdomain COLT.CH
    ksetup /addkdc COLT.CH kdc.colt.ch
    ksetup /setmachpassword password
    ksetup /mapuser user@COLT.CH localuser
    ksetup /mapuser * *
> Windows Time service (+ registry settings) for time synchronization
> No kerberized SSH, only a few (broken) telnet clients

Slide 27: That's all folks :-)
> Latest version
> Q&A
Picture: http://www.inforamp.net/~dredge/funkycomputercrowd.html

