ACCESS CONTROL MANAGEMENT
Project Progress (as of March 3)
By: Poonam Gupta
Sowmya Sugumaran
Kerberos Components
http://technet.microsoft.com/en-us/library/cc772815(WS.10).aspx
Getting the Tickets
• kinit – sends a request for a TGT (ticket-granting ticket) to the KDC
• The KDC returns the TGT; the part of the reply that carries the session key is encrypted with a key derived from the user's password, so only someone who knows the password can use the TGT
• kinit has the following options:
- -l (ticket lifetime)
- -f (request forwardable tickets)
- -r (renewable life)
Listing the Tickets
• klist – lists the tickets of the authenticated user.
Example of the output when the user holds no tickets (before kinit, or after an unsuccessful authentication):
klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)
Contd..
• klist provides:
– Information of all tickets
– Expiration time of each ticket
– Flags that apply to the ticket
Example:
Ticket cache: /tmp/krb5cc_1234

Valid starting        Expires
29 Jul 98 11:25:47    30 Jul 98 12:25:42
Destroying the Tickets
• Destroyed automatically on logging out only if the login system is configured to do so; otherwise the tickets stay in the cache file until they expire
• Destroying by hand:
– Using the kdestroy command (do this before leaving a shared machine: a cached ticket can be used by anyone able to read the cache file until it expires)
Output generated by klist when all the tickets are destroyed:
klist: No credentials cache file found
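The klist output shown above, and the "No credentials cache" case after kdestroy, handled by a small parser that reports which tickets are expired or close to expiry. This is an added example, not code from the slides; the sample klist text is constructed to match the format the slides show (the Default principal line, the Service principal column and the realm EXAMPLE.COM are assumptions, and newer klist versions print dates in a different format).

```python
"""Parse klist output and flag tickets that are expired or close to expiry.

Added example; it is not part of the original slides. The sample klist
output is constructed from the format shown on the slides; the 'Default
principal' line, the 'Service principal' column and the realm EXAMPLE.COM
are assumptions, and the date format is the one the slides show.
"""
from datetime import datetime, timedelta

# Constructed sample: what klist prints after a successful kinit.
KLIST_OK = """\
Ticket cache: /tmp/krb5cc_1234
Default principal: jdoe@EXAMPLE.COM

Valid starting     Expires            Service principal
29 Jul 98 11:25:47 30 Jul 98 12:25:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed sample: what klist prints before kinit or after kdestroy.
KLIST_NONE = "klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)\n"

TS_FMT = "%d %b %y %H:%M:%S"   # e.g. 29 Jul 98 11:25:47


def parse_klist(text):
    """Return (cache_path, tickets); each ticket is a dict with start, expires, service.

    Raises ValueError when klist reports no credentials cache, which is the
    case on the slides for a user who holds no tickets.
    """
    if text.startswith("klist: No credentials cache file found"):
        raise ValueError(text.strip())
    cache = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        # A ticket line is two 4-token timestamps followed by the service principal.
        if len(parts) != 9:
            continue
        try:
            start = datetime.strptime(" ".join(parts[0:4]), TS_FMT)
            expires = datetime.strptime(" ".join(parts[4:8]), TS_FMT)
        except ValueError:
            continue   # header or unrelated line
        tickets.append({"start": start, "expires": expires, "service": parts[8]})
    return cache, tickets


def ticket_status(tickets, now, warn_minutes=30):
    """Classify each ticket as 'expired', 'expiring' (within warn_minutes) or 'valid'.

    `now` may be a datetime or a timestamp string in klist's format, so the
    example can be evaluated against the 1998 timestamps from the slides.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TS_FMT)
    warn = timedelta(minutes=warn_minutes)
    status = {}
    for t in tickets:
        if now >= t["expires"]:
            status[t["service"]] = "expired"
        elif t["expires"] - now <= warn:
            status[t["service"]] = "expiring"
        else:
            status[t["service"]] = "valid"
    return status
```

A cron job or login script can run klist, feed its output to parse_klist and call kinit -R (or prompt for a fresh kinit) when ticket_status reports "expiring", since, as the slides note later, the KDC itself never warns the client.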
Changing Kerberos Password
• kpasswd is used for changing Kerberos passwords
• Example session (the exact prompts vary between versions):
kpasswd: Changing password
Old password: your_old_password
New password: your_new_password
New password (again): your_new_password
Kerberos password changed
• Which passwords are accepted is controlled by a password policy set by the KDC administrator. The policy named default in the example requires a minimum of 6 characters drawn from at least 2 classes (the five classes are lowercase, uppercase, numbers, punctuation, and all other characters). A new password that violates the policy is rejected by the KDC and kpasswd reports an error instead of changing it.
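The policy quoted above (minimum 6 characters, at least 2 of the 5 character classes) as a runnable check. This is an added example, not code from the slides or from any Kerberos implementation; the rejection messages are simplified stand-ins for what the KDC returns.

```python
"""Check a candidate password against a Kerberos-style password policy.

Added example, not from the slides. It implements the rule quoted above
(minimum 6 characters, at least 2 of 5 character classes). The class
definitions are: lowercase, uppercase, digits, punctuation, and everything
else; the reason strings are simplified, not the KDC's actual messages.
"""
import string

MIN_LENGTH = 6    # policy default quoted on the slide
MIN_CLASSES = 2   # policy default quoted on the slide


def character_classes(password):
    """Return the set of the five character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")   # non-ASCII letters, spaces, control characters
    return classes


def check_password(password, min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return (accepted, reason) as a KDC enforcing the policy would decide."""
    if len(password) < min_length:
        return False, "Password is too short"
    if len(character_classes(password)) < min_classes:
        return False, "Password does not contain enough character classes"
    return True, "Password accepted"
```

Note that the check counts distinct classes, not characters per class: "abcde1" passes with two classes, while "abcdef" fails even though it meets the length requirement.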
What is in a Ticket?
Field Name               Description
Ticket version number    5 (Kerberos version 5)
Realm                    Realm of the KDC that issued the ticket (normally the server's realm)
Server Name              Name of the server the ticket is for
Flags                    Options describing how the ticket may be used (e.g. forwardable, renewable) and how it was issued (e.g. by initial authentication)
Key                      Client-server session key
Client Realm             Requestor's realm
Client Name              Requestor's name
Authentication Time      Time of the initial authentication
Start time               Time after which the ticket is valid
End time                 Ticket's expiration time
Renewal Till             Latest end time a renewable ticket can be extended to
Client Address           Addresses from which the ticket may be used (optional; if absent, any address)
Authorization Data       Access restrictions attached to the ticket by the KDC
What happens when tickets expire?
• The KDC doesn't notify the client when a ticket is about to expire
[Diagram: the client presents an expired service ticket to the server; the server returns an error message]
• Tickets are used only for authenticating new connections, so the client learns of the expiry when a new connection with the expired ticket is refused
• Ongoing operations are not interrupted when the ticket that set them up expires
Renewable TGTs
• Renewal obtains a fresh instance of the TGT, with a new session key and a later end time, by presenting the current TGT to the KDC; the user does not re-enter the password
• When policy permits renewal, the KDC sets the "Renewable" flag (R) in the ticket
• A renewable ticket carries two expiration times:
– (i) End time: limits the life of the current instance of the ticket
– (ii) Renewal till: limit on the cumulative lifetime of all instances; the KDC refuses to renew a ticket whose end time or renewal-till time has already passed
KDC configuration
RFC 1510 (the Kerberos V5 specification of the time, since obsoleted by RFC 4120) recommends the following values:
Configuration Element         RFC 1510 Recommendation    Active Directory Domain Default Setting
Maximum ticket lifetime       One day                    600 minutes (10 hours)
Maximum renewable lifetime    One week                   Seven days
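The ticket fields, the expiry behaviour, the two expiration times of a renewable TGT and the KDC policy limits above, put together as a runnable model of what the KDC does when a TGT is issued and renewed. This is an added example, not code from the slides or from any Kerberos implementation; the policy limits are the Active Directory defaults from the table, and the realm EXAMPLE.COM, the principal and the timestamps are made up. The session key is left out, so the model shows the time arithmetic of renewal, not the key refresh.

```python
"""Ticket lifetime fields and the KDC's issue/renew rules as a runnable model.

Added example; not code from the slides or from a Kerberos implementation.
Field names follow the ticket table; the policy limits are the Active
Directory defaults from the KDC configuration table (10 hours, 7 days).
EXAMPLE.COM, jdoe and the times in demo() are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_TICKET_LIFE = timedelta(hours=10)      # AD default: 600 minutes
MAX_RENEWABLE_LIFE = timedelta(days=7)     # AD default: seven days


@dataclass
class Ticket:
    server: str
    client: str
    flags: set = field(default_factory=set)
    authtime: datetime = None      # initial authentication, kept across renewals
    starttime: datetime = None     # current instance becomes valid
    endtime: datetime = None       # current instance expires
    renew_till: datetime = None    # cumulative limit, present only with the R flag


def issue_tgt(client, now, requested_life, requested_renew=None):
    """AS exchange: the KDC issues a TGT, clamping kinit's -l/-r requests to policy.

    requested_renew is None when no renewable ticket was asked for; the KDC
    then sets neither the R flag nor renew_till.
    """
    t = Ticket(server="krbtgt/EXAMPLE.COM@EXAMPLE.COM", client=client,
               authtime=now, starttime=now,
               endtime=now + min(requested_life, MAX_TICKET_LIFE))
    if requested_renew is not None:
        t.flags.add("R")
        t.renew_till = now + min(requested_renew, MAX_RENEWABLE_LIFE)
    return t


def is_valid(t, now):
    """A ticket may be used only from its start time up to (not including) its end time."""
    return t.starttime <= now < t.endtime


def renew(t, now, requested_life=MAX_TICKET_LIFE):
    """TGS renewal: a new instance with a later end time; renew_till and authtime are kept.

    Returns None when the KDC must refuse: the ticket is not renewable, the
    current instance has already expired, or renew_till has passed.
    """
    if "R" not in t.flags or not is_valid(t, now) or now >= t.renew_till:
        return None
    new_end = min(now + min(requested_life, MAX_TICKET_LIFE), t.renew_till)
    return Ticket(server=t.server, client=t.client, flags=set(t.flags),
                  authtime=t.authtime, starttime=now, endtime=new_end,
                  renew_till=t.renew_till)


def demo():
    """Walk a TGT through issue, renewal and expiry; returns the outcomes as plain values."""
    now = datetime(2024, 3, 3, 9, 0, 0)                                  # constructed
    tgt = issue_tgt("jdoe@EXAMPLE.COM", now, timedelta(hours=24), timedelta(days=30))
    renewed = renew(tgt, now + timedelta(hours=9))                       # shortly before expiry
    # Late in the renewable life the new end time is capped at renew_till.
    near_limit = Ticket(tgt.server, tgt.client, {"R"}, now,
                        now + timedelta(days=6, hours=20), now + timedelta(days=7),
                        now + timedelta(days=7))
    capped = renew(near_limit, now + timedelta(days=6, hours=23))
    plain = issue_tgt("jdoe@EXAMPLE.COM", now, timedelta(hours=8))       # no -r given
    return {
        "life_hours": (tgt.endtime - tgt.starttime) / timedelta(hours=1),
        "renewable_days": (tgt.renew_till - tgt.authtime) / timedelta(days=1),
        "renewed_life_hours": (renewed.endtime - renewed.starttime) / timedelta(hours=1),
        "authtime_kept": renewed.authtime == tgt.authtime,
        "renew_after_expiry": renew(tgt, now + timedelta(hours=11)),
        "capped_hours": (capped.endtime - capped.starttime) / timedelta(hours=1),
        "renew_non_renewable": renew(plain, now + timedelta(hours=1)),
    }
```

Two points the model makes visible: asking kinit for -l 24h -r 30d does not get you more than the KDC's 10-hour and 7-day limits, and a client that lets the current instance expire before renewing has to authenticate again with the password, since renewal of an expired ticket is refused.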
The Authenticator
• The client includes an authenticator whenever it sends a ticket to a server (either the TGS or a service server)
• The authenticator proves that the party presenting the ticket is the client named in it, i.e. that the ticket's sender is really its rightful holder
Why is an Authenticator necessary
• The server trusts the ticket itself: it is encrypted with the server's secret key, so only the KDC could have produced it
• What the ticket alone cannot tell the server is who sent it
• A ticket could be stolen (from the network or from a credential cache) and then presented by an impostor; the authenticator rules this out because producing one requires the session key, which the impostor does not have
How does the Authenticator work
• The authenticator is encrypted with the session key the KDC created for use between the client and the target server. Only the client and the target server hold that session key.
• The target server uses its own secret key to decrypt the ticket, finds the session key inside the ticket, and uses it to decrypt the authenticator.
• If the target server can decrypt the authenticator and the data inside it is consistent (the client name matches the ticket and the timestamp is fresh), the server trusts that the ticket was presented by its rightful holder.
Authenticator’s Timestamp
• The timestamp is the important piece of data in the authenticator
• Kerberos policy requires the authenticator’s timestamp to be within a few minutes (5 minutes by default in common implementations) of the time on the server
• Together with a replay cache of recently seen authenticators, this prevents replay attacks: a captured authenticator becomes useless once the skew window has passed, and one presented a second time inside the window is rejected as a duplicate
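The server-side checks described in the last three slides (decrypt with the session key, compare the client name with the ticket, check the timestamp against the clock-skew window, reject duplicates) as a runnable exchange with both a legitimate client and the failure cases. This is an added example, not code from the slides or from a Kerberos implementation: Kerberos encrypts the authenticator with the session key, and here an HMAC-SHA256 tag keyed with the session key stands in for that encryption so the check runs with the standard library only; the 5-minute skew limit, keys, names and times are assumptions.

```python
"""Server-side check of a Kerberos-style authenticator: session-key proof,
clock skew, and a replay cache.

Added example; not code from the slides or from a Kerberos implementation.
An HMAC-SHA256 tag under the session key stands in for the encryption
Kerberos uses. The 5-minute skew limit is an assumption (the slides say
only "within minutes"). All keys, names and times are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)   # assumed policy value


def make_authenticator(session_key, client, ctime):
    """Client side: bind the client name and current time under the session key."""
    body = json.dumps({"client": client, "ctime": ctime.isoformat()}, sort_keys=True).encode()
    tag = hmac.new(session_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ReplayCache:
    """Remembers (client, ctime) pairs presented inside the skew window."""

    def __init__(self):
        self.seen = {}

    def check_and_add(self, client, ctime):
        """Return False if this exact authenticator was already presented."""
        key = (client, ctime.isoformat())
        if key in self.seen:
            return False
        self.seen[key] = ctime
        return True

    def expire(self, now):
        """Drop entries older than the skew window; they can no longer pass the time check."""
        self.seen = {k: v for k, v in self.seen.items() if now - v <= MAX_SKEW}


def verify_authenticator(session_key, auth, ticket_client, server_now, rcache):
    """Server side: returns (accepted, reason); checks run in the order the slides describe."""
    expected = hmac.new(session_key, auth["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        return False, "not sealed with the session key"    # sender never had the key
    fields = json.loads(auth["body"])
    if fields["client"] != ticket_client:
        return False, "client name does not match the ticket"
    ctime = datetime.fromisoformat(fields["ctime"])
    if abs(server_now - ctime) > MAX_SKEW:
        return False, "timestamp outside the clock-skew window"
    if not rcache.check_and_add(fields["client"], ctime):
        return False, "replayed authenticator"
    return True, "accepted"


def demo():
    """Legitimate use, a replay, a stale capture, a forgery and a name mismatch; returns the verdicts."""
    session_key = b"constructed-session-key"
    wrong_key = b"attacker-guess"
    now = datetime(2024, 3, 3, 9, 0, 0)
    cache = ReplayCache()
    fresh = make_authenticator(session_key, "jdoe@EXAMPLE.COM", now)
    stale = make_authenticator(session_key, "jdoe@EXAMPLE.COM", now - timedelta(minutes=10))
    forged = make_authenticator(wrong_key, "jdoe@EXAMPLE.COM", now)
    mismatched = make_authenticator(session_key, "mallory@EXAMPLE.COM", now)
    return {
        "first_use": verify_authenticator(session_key, fresh, "jdoe@EXAMPLE.COM", now, cache),
        "replay": verify_authenticator(session_key, fresh, "jdoe@EXAMPLE.COM",
                                       now + timedelta(seconds=30), cache),
        "stale": verify_authenticator(session_key, stale, "jdoe@EXAMPLE.COM", now, cache),
        "no_session_key": verify_authenticator(session_key, forged, "jdoe@EXAMPLE.COM", now, cache),
        "name_mismatch": verify_authenticator(session_key, mismatched, "jdoe@EXAMPLE.COM", now, cache),
    }
```

The replay cache only has to remember entries for as long as the skew window (ReplayCache.expire), because anything older is refused by the timestamp check anyway; this is why the skew window and the cache have to be considered together.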
Setting up KDC Hardware
• KDC – holds the database of every principal's secret key (derived from its password) and the realm's policy information, so a compromised KDC means a compromised realm
• KDC must be as secure as possible:
– Put the server machine in a physically secured location, to which only a very few people have access.
– Do not run any network applications on it except the KDC; every extra service is another remote path to the key database.
– Install a minimal system first, then review the list of installed packages and remove any that are not needed.
Clock Synchronization
• All clocks within the organization must be synchronized
• Very important – the authenticator timestamp check only protects against replay if client and server clocks agree within the skew window, and a client whose clock has drifted beyond it is refused service
• Possible solution:
– Run a time server (for example NTP) on one machine, synchronized to a trusted time source, and have all clients synchronize their clocks with this machine
Setting the Master Key
• Database master key – encrypts the keys stored in the KDC database, protecting them from accidental disclosure
• Derived from a pass phrase and stored in a stash file, so the KDC can start without an operator typing the pass phrase
• Don't back up the stash file together with the database when making tape backups: a backup that holds both gives whoever obtains it every key in the realm
• The pass phrase is entered twice when the database is created:
Master key: <enter pass phrase>
Verifying password –
Master key: <enter pass phrase again>
Thank You..!!