1 / 22

An Overview of the GSS-API and Kerberos

An Overview of the GSS-API and Kerberos. Bob Beach, Symbol Technologies Jesse Walker, Intel Corporation. Purpose. Provide the background to understand and evaluate the Symbol/Intel proposal to base 802.11 security services on the GSS-API. Agenda. What is the GSS-API? GSS-API Mechanisms.

inez-kirk
Download Presentation

An Overview of the GSS-API and Kerberos

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Overview of the GSS-API and Kerberos Bob Beach, Symbol Technologies Jesse Walker, Intel Corporation Bob Beach and Jesse Walker

  2. Purpose • Provide the background to understand and evaluate the Symbol/Intel proposal to base 802.11 security services on the GSS-API Bob Beach and Jesse Walker

  3. Agenda • What is the GSS-API? • GSS-API Mechanisms Bob Beach and Jesse Walker

  4. What is the GSS-API? (1) • Generic Security Services Applications Programming Interface, defined by RFC 2743 • RFC 2744 gives standard ‘C’ bindings, RFC 2853 for Java bindings • but we will use it as an abstract service interface • The GSS-API interface is implemented by GSS-API mechanisms • each mechanism is a security system • interface is independent of mechanisms Bob Beach and Jesse Walker

  5. What is the GSS-API? (2) • Credentials Management • GSS_Acquire_cred, GSS_Release_cred, GSS_Add_cred, etc. • Context Management • GSS_Init_sec_context, GSS_Accept_sec_context, GSS_Delete_sec_context, GSS_Inquire_context, GSS_Context_time, etc. • Per-Message Calls • GSS_Wrap, GSS_Unwrap, etc. • Support Calls • GSS_Import_name, GSS_Export_name, GSS_Display_status, etc. Bob Beach and Jesse Walker

  6. The GSS-API Model • Step 1: Establish a security context • Step 2: Use established security context to secure message exchanges Bob Beach and Jesse Walker

  7. Authentication Token Peer ID + Continue GSS_Init_sec_context Authentication Token + OK GSS_Accept_sec_context OK GSS_Init_sec_context Establishing a Security Context Initiator Responder Bob Beach and Jesse Walker

  8. Data Data Wrapped Data GSS_Wrap GSS_Unwrap Using a Security Context Peer 1 Peer 2 Bob Beach and Jesse Walker

  9. Agenda • What is the GSS-API? • GSS-API Mechanisms Bob Beach and Jesse Walker

  10. Some GSS-API Mechanisms • SPNEGO (RFC 2478) - negotiate the other mechanisms • Kerberos (RFC 1510, RFC 1964) - centralized key server based on shared secrets • SPKM (RFC 2025) - 1- and 2-way public key based authentication • LIPKEY (RFC 2847) - one-way authentication a la SSL; a species of SPKM • SRP (draft-ietf-cat-srpgm-xx.txt) - secure remote password; a species of SPKM • SASL (draft-ietf-cat-sasl-gssapi-xx.txt) - one time password • PKINIT (draft-ietf-cat-kerberos-pk-init-xx.txt) - use public key to register secret with Kerberos KDC Bob Beach and Jesse Walker

  11. Kerberos, SRP, SPKM + Continue GSS_Init_sec_context Kerberos + OK GSS_Accept_sec_context OK GSS_Init_sec_context SPNEGO Initiator Responder Bob Beach and Jesse Walker

  12. What is Kerberos? • Authentication and Key Distribution Protocol • Developed in late 1980s, latest version is Rev 5 • RFC 1510; RFC 1964 fits it into GSS-API framework • Default authentication protocol in Windows 2000 Domain Login • Widely deployed in UNIX shops Bob Beach and Jesse Walker

  13. How does Kerberos work? • Three major elements: • Principal: a user or system (username, password) • Services (FTP, email, telnet, RF services) • Key Distribution Center - maps principals to keys • Three step model: • user mutually authenticates with KDC (KRB_AP_REQ/KRB_AP_REP exchange) • KDC issues user authorization to access a service (KRB_TGT_REQ/KRB_TGT_REP exchange) • user gains access to service by presenting authorization Bob Beach and Jesse Walker

  14. User Authentication • KRB_AP_REQ message asks the KDC for access to the Ticket Granting Service • KDC creates a unique authentication key for authenticating self with Ticket Granting Service, encrypts it under the user’s password, and sends it back to the user in the KRB_AP_REQ message • The user decrypts the message and gains access to the authentication key. • Password is never sent over the airwaves Bob Beach and Jesse Walker

  15. Issuing Authorization • KRB_TGT_REQ asks for authorization to a particular service • message is protected with authentication key returned by KDC in KRB_AP_REP message • KDC decrypts message and examines request. • If request is OK, KDC creates a session key to be use between the user and the service. • KRB_TGT_REP from KDC contains two copies of the session key, one encrypted under user’s authentication key, and other under service’s Bob Beach and Jesse Walker

  16. Gaining Access to the Service • User decrypts the KRB_TGT_REP message to get session key and a “ticket” for the server • User prepares and sends token to server containing “ticket”, other info, encrypted under session key • Service decrypts “ticket” using its own authentication key received from KDC and gains access to session key • Decrypts rest of request and processes request • Service sends reply to user to authenticate Bob Beach and Jesse Walker

  17. KRB_TGT_REQ KRB_AP_REQ GSS_Init_sec_context Ticket, Authenticator KRB_AP_REP KRB_TGT_REP Authenticator + Continue GSS_Accept_sec_context + OK GSS_Init_sec_context OK Kerberos as used by GSS-API KDC Initiator Responder Bob Beach and Jesse Walker

  18. KRB_TGT_REQ GSS_Init_sec_context Ticket, Authenticator KRB_TGT_REP Authenticator + Continue GSS_Accept_sec_context + OK GSS_Init_sec_context OK PKINIT + Kerberos KDC Initiator Responder Bob Beach and Jesse Walker

  19. GSS_Init_sec_context SPKM parameters, n Crypt(K) + Continue Sig, SigCert, CryptCert GSS_Accept_sec_context + Continue GSS_Init_sec_context + OK GSS_Accept_sec_context OK SPKM Initiator Responder Bob Beach and Jesse Walker

  20. GSS_Init_sec_context username, ga Hash1(K) + Continue Hash2(K) gb + x, s, n GSS_Accept_sec_context + Continue K = gabxnb GSS_Init_sec_context K = ((gb + x) - x)(a+nh(s, password) + Continue GSS_Accept_sec_context + OK GSS_Init_sec_context OK SRP Initiator Responder database: username, x = gh(s,password), s Bob Beach and Jesse Walker

  21. Conclusions • GSS-API is • simple, well-defined interface • widely deployed and well-tested • Kerberos is • simple to implement • a GSS-API mechanism providing mutual authentication and key distribution • widely deployed and well-tested Bob Beach and Jesse Walker

  22. Feedback? Bob Beach and Jesse Walker

More Related