
ACCESS CONTROL MANAGEMENT Project Progress (as of March 3)


Presentation Transcript


  1. ACCESS CONTROL MANAGEMENT: Project Progress (as of March 3)
     By: Poonam Gupta, Sowmya Sugumaran

  2. Kerberos Components
     http://technet.microsoft.com/en-us/library/cc772815(WS.10).aspx

  3. Getting the Tickets
     • kinit forwards the request for a TGT to the KDC
     • The KDC encrypts the TGT with the password and sends it back
     • kinit has the following options: -l (lifetime), -f (forwardable tickets), -r (renewable life)

  4. Listing the Tickets
     • klist lists the tickets of the authenticated user. An example of the output after an unsuccessful authentication is:
         klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)

  5. Contd..
     • klist provides:
       • information on all tickets
       • the expiration time of each ticket
       • the flags that apply to each ticket
     Example:
         Ticket cache: /tmp/krb5cc_1234
         Valid starting        Expires
         29 Jul 98 11:25:47    30 Jul 98 12:25:42

  6. Destroying the Tickets
     • Tickets are destroyed automatically on logging out
     • Destroying by hand: use the kdestroy command
     Output generated by klist when all the tickets have been destroyed:
         klist: No credentials cache file found
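Slides 4 to 6 show three forms of klist output: a missing credentials cache (with and without the cache path) and a ticket listing with "Valid starting" and "Expires" columns. The following added example, which is not part of the presentation or of the Microsoft page it links, parses that layout and flags tickets that are about to expire. The sample output, the principal names and the service names are constructed for the example; only the date format and the two error messages come from the slides.

```python
import re
from datetime import datetime, timedelta

# Constructed sample klist output in the slide's "Valid starting / Expires" layout;
# the principal and service names are made up for this example.
SAMPLE_KLIST = """Ticket cache: /tmp/krb5cc_1234
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
29 Jul 98 11:25:47   30 Jul 98 12:25:42   krbtgt/EXAMPLE.COM@EXAMPLE.COM
29 Jul 98 11:30:02   29 Jul 98 21:30:02   host/fileserver.example.com@EXAMPLE.COM
"""

# The unsuccessful-authentication message shown on slide 4.
NO_CACHE_OUTPUT = "klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)"

TS_FMT = "%d %b %y %H:%M:%S"          # "29 Jul 98 11:25:47"
TS_RE = r"\d{2} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS_RE})\s+({TS_RE})\s+(\S+)$")


def parse_klist(text):
    """Return (cache_path, tickets). tickets is empty when no credentials cache exists."""
    if "No credentials cache file found" in text:
        m = re.search(r"ticket cache (\S+)\)", text)
        return (m.group(1) if m else None), []
    cache, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TS_FMT),
                "expires": datetime.strptime(m.group(2), TS_FMT),
                "service": m.group(3),
            })
    return cache, tickets


def expiring_services(text, now_str, hours):
    """Services whose ticket is already expired, or expires within `hours` of `now_str`.

    The KDC never warns the client about an upcoming expiry (slide 9), so a
    client-side job needs a check like this to decide when to renew."""
    _, tickets = parse_klist(text)
    deadline = datetime.strptime(now_str, TS_FMT) + timedelta(hours=hours)
    return [t["service"] for t in tickets if t["expires"] <= deadline]


if __name__ == "__main__":
    cache, tickets = parse_klist(SAMPLE_KLIST)
    print(cache, len(tickets), "tickets")
    print(expiring_services(SAMPLE_KLIST, "29 Jul 98 20:00:00", 2))
```

The parser keys on the two timestamp columns rather than on column positions, so it tolerates the varying whitespace that different klist versions emit; the two-digit year in the slides' format is interpreted by strptime as 1998.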

  7. Changing Kerberos Password
     • kpasswd is used for changing Kerberos passwords:
         kpasswd: Changing password
         Old password: your_old_password
         New password: your_new_password
         New password (again): your_new_password
         Kerberos password changed
     • The password is controlled by the policy "default", which requires a minimum of 6 characters from at least 2 classes (the five classes are lowercase, uppercase, numbers, punctuation, and all other characters).
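The "default" policy on slide 7 is stated in words; the following added example (mine, not the presentation's or MIT Kerberos' own code) implements that rule and wraps it in a mock of the kpasswd dialogue shown above. The classification of characters uses Python's Unicode-aware string methods, and the rejection messages are constructed for the example; real kpasswd wording differs.

```python
import string

MIN_LENGTH = 6       # from the slide: at least 6 characters
MIN_CLASSES = 2      # from the slide: from at least 2 of the 5 classes


def character_classes(password):
    """Return the set of the five policy classes that occur in `password`.

    Assumption: letter case is decided by Python's str methods, so non-ASCII
    letters count as lowercase/uppercase rather than as 'other'."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lowercase")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("numbers")
        elif ch in string.punctuation:
            classes.add("punctuation")
        else:
            classes.add("other")   # spaces, control characters, other symbols
    return classes


def policy_violations(password):
    """Reasons the password would be rejected by the default policy; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"too few character classes: {len(classes)} < {MIN_CLASSES}")
    return problems


def simulate_kpasswd(old_password_ok, new_password, new_password_again):
    """Mock of the slide's kpasswd dialogue (messages constructed for this example):
    a wrong old password, a mismatched confirmation, or a policy failure each
    stops the change before anything is written."""
    if not old_password_ok:
        return "kpasswd: Incorrect old password"
    if new_password != new_password_again:
        return "kpasswd: New passwords do not match"
    problems = policy_violations(new_password)
    if problems:
        return "kpasswd: Password rejected by policy default: " + "; ".join(problems)
    return "Kerberos password changed"


if __name__ == "__main__":
    for candidate in ("abcdef", "aB1", "abc123", "ab cd!"):
        print(repr(candidate), sorted(character_classes(candidate)), policy_violations(candidate))
```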

  8. What is in a Ticket?

  9. What happens when tickets expire?
     • The KDC does not notify the client when a ticket is about to expire
     • Tickets are needed for authenticating new connections
     • Ongoing operations are not interrupted
     [Diagram: CLIENT presents an expired service ticket to SERVER; SERVER returns an error message]

  10. Renewable TGTs
     • Only session keys are refreshed, without issuing new tickets every time.
     • When the renewable policy is permitted, the KDC sets the "Renewable" flag (R) in the ticket.
     • Sets two expiration times:
       (i) a limit on the life of the current instance of the ticket
       (ii) a limit on the cumulative lifetime of all instances

  11. KDC configuration
     RFC 1510 recommends the following values:

  12. The Authenticator
     • The client includes an authenticator whenever it sends a ticket to a server (either the TGS or a service server)
     • Authenticator: verifies that the party presenting the ticket is really the one the ticket was issued to (the ticket's source)

  13. Why is an Authenticator necessary?
     • The server trusts the ticket, because the ticket is encrypted using the server's secret key
     • The server has doubts about the sender
     • The ticket could be stolen and then sent by an impostor

  14. How does the Authenticator work?
     • The authenticator is encrypted with the session key created by the KDC to be used between the client and the target server. Only the client and the target server can access the session key.
     • The target server uses its secret key to decrypt the ticket, finds the session key inside the ticket, and uses it to decrypt the authenticator.
     • If the target server can successfully decrypt the authenticator and if the authenticator's data is accurate, then the target server will trust the source of the ticket.

  15. Authenticator's Timestamp
     • An important piece of data
     • Kerberos policy requires that the authenticator's timestamp be within minutes of the time on the server
     • This prevents replay attacks
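Slides 12 to 15 (and the clock-synchronization point on slide 17) describe what a service server checks before trusting a ticket. The following added example, which is not the presentation's or any Kerberos implementation's code, walks through that exchange: the KDC seals a session key into a ticket under the server's key, the client seals a timestamped authenticator under the session key, and the server performs the checks in the order slide 14 gives them, plus the clock-skew and replay-cache checks from slide 15. HMAC-SHA256 stands in for Kerberos encryption here (it binds the data to the key but does not hide it), the five-minute skew is an assumed policy value, and all keys, names and times are constructed.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)   # assumed policy value; real deployments configure this


def seal(key, payload):
    """Stand-in for 'encrypt with key': an HMAC-SHA256 tag over the JSON payload.
    Real Kerberos encrypts; this only binds the payload to the key so the
    server-side checks below can be shown."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_sealed(key, blob):
    """Stand-in for 'decrypt with key': fails unless the tag was made with this key."""
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed (wrong key or tampered)")
    return json.loads(blob["body"])


def kdc_issue_ticket(server_key, client, server, now, lifetime):
    """KDC side: create a session key, seal it into a ticket with the server's
    secret key, and hand the session key to the client separately."""
    session_key = os.urandom(16)
    ticket = seal(server_key, {
        "client": client, "server": server,
        "session_key": session_key.hex(),
        "endtime": (now + lifetime).isoformat(),
    })
    return ticket, session_key


def client_authenticator(session_key, client, now):
    """Client side: its name plus a fresh timestamp, sealed with the session key."""
    return seal(session_key, {"client": client, "timestamp": now.isoformat()})


class ServiceServer:
    def __init__(self, name, secret_key, max_skew=MAX_SKEW):
        self.name, self.key, self.max_skew = name, secret_key, max_skew
        self.replay_cache = set()     # (client, timestamp) pairs already accepted

    def accept(self, ticket, authenticator, now):
        """The checks from slides 14 and 15, in order. Returns the client name on success."""
        t = open_sealed(self.key, ticket)                 # server's own key opens the ticket
        if t["server"] != self.name:
            raise ValueError("ticket was issued for another server")
        if now >= datetime.fromisoformat(t["endtime"]):
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(t["session_key"])     # session key found inside the ticket...
        a = open_sealed(session_key, authenticator)       # ...opens the authenticator
        if a["client"] != t["client"]:
            raise ValueError("authenticator client does not match ticket")
        skew = abs(now - datetime.fromisoformat(a["timestamp"]))
        if skew > self.max_skew:
            raise ValueError("authenticator timestamp outside allowed clock skew")
        if (a["client"], a["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["timestamp"]))
        return t["client"]


def demo():
    """Run the exchange once, then the failure cases the slides discuss."""
    now = datetime(1998, 7, 29, 11, 25, 47)              # constructed time
    server_key = b"constructed-server-secret-key"        # constructed; a real key lives in the keytab
    server = ServiceServer("host/fileserver.example.com@EXAMPLE.COM", server_key)
    ticket, session_key = kdc_issue_ticket(
        server_key, "alice@EXAMPLE.COM", server.name, now, timedelta(hours=10))

    def attempt(auth, at):
        try:
            return "accepted " + server.accept(ticket, auth, at)
        except ValueError as exc:
            return f"rejected: {exc}"

    fresh = client_authenticator(session_key, "alice@EXAMPLE.COM", now)
    stale = client_authenticator(session_key, "alice@EXAMPLE.COM", now - timedelta(minutes=20))
    without_key = client_authenticator(b"not-the-session-key", "alice@EXAMPLE.COM", now)
    return {
        "fresh": attempt(fresh, now + timedelta(seconds=5)),
        "replay": attempt(fresh, now + timedelta(seconds=30)),    # same authenticator presented again
        "stale": attempt(stale, now),                              # client clock 20 minutes off
        "ticket_without_session_key": attempt(without_key, now),   # slide 13: a ticket alone is not enough
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

Two points the slides make are visible in the output: the "stale" case is exactly why slide 17 insists on synchronized clocks (an honest client with a drifted clock is rejected the same way as a replay), and the replay cache is what turns the timestamp rule into real replay protection within the skew window.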

  16. Setting up KDC Hardware
     • The KDC holds the database with passwords and all other information
     • The KDC must be as secure as possible:
       • Put the server machine in a physically secured location to which only very few people have access.
       • Do not run any network applications on it except the KDC.
       • It is probably a good approach to install a minimal system first, then check the list of installed packages and remove any unneeded packages.

  17. Clock Synchronization
     • All clocks within the organization must be synchronized
     • Very important: protects against replay attacks
     • Possible solution: install a time server on one machine and have all clients synchronize their clocks with it

  18. Setting the Master Key
     • The database master key protects the database against accidental disclosure
     • It is derived from a pass phrase and stored in a stash file
     • Do not back up the stash file on the same tape as the database backups
     • Prompts when setting the master key:
         Master key: <enter pass phrase>
         Verifying password - Master key: <enter pass phrase again>

  19. Thank You..!!
