ACCESS CONTROL MANAGEMENT Poonam Gupta Sowmya Sugumaran PROJECT GROUP # 3.

Posted on 04-Jan-2016



ACCESS CONTROL MANAGEMENT

Poonam Gupta Sowmya Sugumaran

PROJECT GROUP # 3

Overview

• Goal of the project
• Project progress
• Closer look at the TGTs
• A few security issues in Kerberos
• Brief intro to Kerberos commands
• A few screen shots
• Immediate tasks ahead

Goal of the Project

The goal of the project is to allow clients to access the service servers in a secure and controlled manner using Kerberos.

Project Progress

Installed Kerberos version 5

Assigned password for pre-authentication

Working on incorporating SRP protocol in pre-authentication

Closer look at the TGT

• TGT: Ticket-to-get-Ticket (exchanged between the client and the authentication server to get access to the Ticket Granting Server)

• There are 9 fields in a TGT request

TGT Request Format

  Field                   Size
  Version no.             1 byte
  Msg Type ID             1 byte
  Username                String
  Req. Ticket Instance    String
  Kerberos Realm          String
  Ts                      4 bytes
  Req. Ticket Life-time   1 byte
  Req. Service            String
  Req. Service Instance   String

Contd..

• The server can’t authenticate the TGT request packet
• An intruder can construct a similar-looking packet
• It can be indistinguishable from the legitimate packet

Contd..

• Kerberos authenticates the client by sending back an encrypted packet

• The packet is encrypted using the key from the user’s password

• If the user enters the correct password upon logging in, the client can decrypt the packet to obtain the valid TGT

• Unauthorized users get random useless bits

TGT Return Packet Format

  Field                   Size
  Session key             8 bytes
  Service Name            String
  Instance                String
  Realm                   String
  TGT life-time           1 byte
  Verno.                  1 byte
  Encry. Ticket Length    1 byte
  Encry. Ticket Block     length given by field 7
  Ts                      4 bytes

• Ticket length and Ticket block are encrypted using the key derived from the user’s password.

In Enemy Hands

• Prone to dictionary attack – password cracker
• Intruder sends a fake TGT request and saves the encrypted TGT to a file
• He then trial-tests a candidate password (P):
  1. Convert P to a DES key (K): K = string-to-key(P)
  2. Decrypt the TGT with K and check whether it is a valid TGT
  3. If so, P is the user’s password

Timestamp in Pre-authentication

• Including Ts during pre-authentication:

  C → S: R, Ek{Ts}
  S → C: Ek{TGT}

• Drawback: prevents an attacker from requesting a TGT, but does not prevent an eavesdropper from capturing Ek{Ts} or Ek{TGT}
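The AS exchange shown above (client sends R, Ek{Ts}; the KDC returns Ek{TGT}) together with the earlier point that only the correct password recovers the TGT, as an added worked example that is not from the original slides. It models the KDC-side checks a defender cares about: the pre-authentication blob must decrypt under the principal's key, the timestamp must lie within a clock-skew window (the reason for the clock synchronization task listed later), and a replayed Ek{Ts} is rejected via a replay cache. The principal names, the TGT body and the cipher construction are constructed stand-ins (PBKDF2 for string-to-key, a SHA-256 keystream plus HMAC tag for Ek{...}), not Kerberos's real DES-based formats.

```python
"""Toy model of Kerberos timestamp pre-authentication, written for this page.

Constructed example: the crypto is a stand-in (PBKDF2 for string-to-key,
a SHA-256 keystream plus HMAC tag for encryption) rather than the DES the
slides describe, and the TGT body is a made-up byte string.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Set, Tuple

MAX_SKEW = 300  # seconds; the KDC rejects timestamps further than this from its clock
NONCE_LEN, TAG_LEN = 16, 32


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string-to-key: derive the long-term key from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Ek{...}: toy encrypt-then-MAC so a wrong key is detected rather than yielding garbage."""
    nonce = nonce or os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key (i.e. the password) is wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """Authentication server side of the AS exchange with timestamp pre-auth checks."""

    def __init__(self, principals: Dict[str, str]):
        self.keys = {p: string_to_key(pw, p) for p, pw in principals.items()}
        self.seen: Set[Tuple[str, int]] = set()  # replay cache of accepted (principal, Ts)

    def as_req(self, principal: str, enc_ts: bytes, now: int) -> Optional[bytes]:
        """C -> S: principal, Ek{Ts}.  Returns Ek{TGT} only if pre-authentication passes."""
        key = self.keys.get(principal)
        if key is None:
            return None
        plain = decrypt(key, enc_ts)
        if plain is None or len(plain) != 4:
            return None  # Ek{Ts} was not made with this principal's key: nothing is handed out
        (ts,) = struct.unpack(">I", plain)
        if abs(now - ts) > MAX_SKEW:
            return None  # stale or future timestamp; this is why clocks must be synchronized
        if (principal, ts) in self.seen:
            return None  # a captured Ek{Ts} replayed by an eavesdropper
        self.seen.add((principal, ts))
        tgt = b"TGT:" + principal.encode() + b":" + struct.pack(">I", now)  # constructed TGT body
        return encrypt(key, tgt)


def client_preauth(principal: str, password: str, now: int) -> bytes:
    """Client builds Ek{Ts} from its password-derived key."""
    return encrypt(string_to_key(password, principal), struct.pack(">I", now))


def client_recover_tgt(principal: str, password: str, enc_tgt: bytes) -> Optional[bytes]:
    """Client decrypts Ek{TGT}; only the correct password yields the ticket."""
    return decrypt(string_to_key(password, principal), enc_tgt)


if __name__ == "__main__":
    kdc = KDC({"alice@EXAMPLE.COM": "correct horse"})
    now = 1_000_000
    req = client_preauth("alice@EXAMPLE.COM", "correct horse", now)
    enc_tgt = kdc.as_req("alice@EXAMPLE.COM", req, now)
    print("TGT recovered:", client_recover_tgt("alice@EXAMPLE.COM", "correct horse", enc_tgt))
    print("replay accepted:", kdc.as_req("alice@EXAMPLE.COM", req, now + 1) is not None)
    print("wrong password accepted:",
          kdc.as_req("alice@EXAMPLE.COM", client_preauth("alice@EXAMPLE.COM", "guess", now), now) is not None)
```

The model also makes the slide's drawback visible: the skew check and replay cache stop a captured Ek{Ts} from being reused against the KDC, but the capture is still encrypted under a key derived from the password, so it can be tested offline against candidate passwords exactly like the encrypted TGT on the "In Enemy Hands" slide. That residual exposure is what the SRP pre-authentication on the next slide removes.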

Solution: Stronger Cryptography

• A variant of public-key cryptography
• Secure Remote Password (SRP) – properties:
  – Resistant to dictionary attack
  – Secure even if the password is of low entropy
  – Only one password can be guessed per attempt in SRP-6

• SRP can be incorporated into Krb v5 as a pre-authentication mechanism
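The SRP properties listed above, as an added worked example that is not part of the original slides or of any Kerberos implementation: a toy SRP-6a run in which the server stores only a salt and a verifier, each run yields exactly one accept/reject answer, and a wrong password fails without the password ever crossing the wire. The group parameters are a constructed toy (a 127-bit prime, not an RFC 5054 group), and the usernames and passwords are made up.

```python
"""Toy SRP-6a exchange, written for this page as an illustration.

Constructed example: the group below is a tiny Mersenne prime chosen so the
demo runs instantly; it is NOT a real SRP group (deployments use RFC 5054's
1024-bit and larger groups).  Message names follow the SRP papers:
client sends I, A; server answers s, B; client proves possession with M1.
"""
import hashlib
import secrets
from typing import Optional, Tuple

N = (1 << 127) - 1  # toy modulus (prime), far too small for real use
g = 3
NLEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")


k = H(pad(N), pad(g)) % N  # SRP-6a multiplier parameter


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I ":" P)); only the client ever computes this."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest()) % N


def register(username: str, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Enrolment: the server stores (s, v = g^x) and never the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


class Server:
    def __init__(self, username: str, salt: bytes, verifier: int):
        self.username, self.salt, self.v = username, salt, verifier

    def challenge(self, A: int, b: Optional[int] = None) -> Tuple[bytes, int]:
        """Receives A, answers with (s, B = k*v + g^b)."""
        if A % N == 0:
            raise ValueError("invalid client public value A")
        self.A = A
        self.b = b if b is not None else secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1: bytes) -> bool:
        """One yes/no answer per run: this is why a guesser gets one password per attempt."""
        u = H(pad(self.A), pad(self.B)) % N
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + K).digest()
        return secrets.compare_digest(expected, M1)


class Client:
    def __init__(self, username: str, password: str, a: Optional[int] = None):
        self.username, self.password = username, password
        self.a = a if a is not None else secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def respond(self, salt: bytes, B: int) -> bytes:
        """Computes S = (B - k*g^x)^(a + u*x) and the proof M1 = H(A | B | K)."""
        if B % N == 0:
            raise ValueError("invalid server public value B")
        u = H(pad(self.A), pad(B)) % N
        if u == 0:
            raise ValueError("u must be non-zero")
        x = private_x(self.username, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        K = hashlib.sha256(pad(S)).digest()
        return hashlib.sha256(pad(self.A) + pad(B) + K).digest()


def run_srp(username: str, registered_pw: str, attempted_pw: str,
            salt: Optional[bytes] = None, a: Optional[int] = None, b: Optional[int] = None) -> bool:
    """Full exchange between one client attempt and a server holding the enrolled verifier."""
    salt, v = register(username, registered_pw, salt)
    server = Server(username, salt, v)
    client = Client(username, attempted_pw, a)
    s, B = server.challenge(client.A, b)
    return server.verify(client.respond(s, B))


if __name__ == "__main__":
    print("correct password accepted:", run_srp("alice", "correct horse", "correct horse"))
    print("wrong password accepted:  ", run_srp("alice", "correct horse", "battery staple"))
```

Contrast this with the timestamp scheme: an eavesdropper on the SRP run sees A, s, B and M1, none of which is a function of the password alone (each is blinded by the fresh secrets a and b), so there is no Ek{Ts}-style blob to test candidate passwords against offline, and the only way to probe a password is to run the protocol and receive a single accept or reject.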

Getting the Tickets

• kinit – forwards the request for a TGT to the KDC
• The KDC encrypts the TGT with the key derived from the user’s password and sends it back
• kinit has the following options: -l (lifetime), -f (forwardable tickets), -r (renewable life)

Listing the Tickets

• klist – lists the tickets of the authenticated user.

Output of an unsuccessful authentication is:
klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)

Contd..

• klist provides:
  – Information on all tickets
  – Expiration time of each ticket
  – Flags that apply to the ticket

Example:
Ticket cache: /tmp/krb5cc_1234
Valid starting        Expires
29 Jul 98 11:25:47    30 Jul 98 12:25:42

Changing Kerberos Password

• kpasswd is used for changing Kerberos passwords

  – kpasswd: Changing password
  – Old password: your_old_password
  – kpasswd: your_new_password
  – New password (again): your_new_password
  – Kerberos password changed

Immediate Tasks Ahead

Clock Synchronization

Setting the Master key

Clock Synchronization

• All clocks within the organization must be synchronized

• Very important – protects against replay attacks
• Possible solution:
  – Installing a time server on one machine and having all clients synchronize their clocks with this machine

Setting the Master Key

• Database master key – protects the database from accidental disclosure

• Derived from a pass phrase and stored in a stash file

• Don’t back up the stash file together with the database backups on tape
  – Master key: <enter pass phrase>
  – Verifying password – Master key: <enter pass phrase again>


Thank You!