Kerberos and PKI Cooperation

Similar documents
NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

Managing Credentials with

Network Security Protocols

Using the MyProxy Online Credential Repository

Simplifying Public Key Credential Management Through Online Certificate Authorities and PAM

Multi-mechanism Single Sign-On in Grids (CESNET Technical Report)

Agenda. How to configure

GSI Credential Management with MyProxy

Two SSO Architectures with a Single Set of Credentials

HP Access Control Smartcard Solution

Connecting Web and Kerberos Single Sign On

Public Key Infrastructure for a Higher Education Environment

Using Kerberos for Web Authentication. Wesley Craig University of Michigan

Standardizing PKI in Higher Education Apple PKI and Universal Hi-Ed Spec proposal

MS-55096: Securing Data on Microsoft SQL Server 2012

Kerberos and Active Directory symmetric cryptography in practice COSC412

Implementing a Kerberos Single Sign-on Infrastructure

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Securing Data on Microsoft SQL Server 2012

Single Sign-On: Reviewing the Field

Kerberos and Single Sign-On with HTTP

Angel Dichev RIG, SAP Labs

Identity Management: The authentic & authoritative guide for the modern enterprise

Using PIV Smart Cards on Linux for Authentication to Windows Active Directory

OPC UA vs OPC Classic

Going in production Winbind in large AD domains today. Günther Deschner (Red Hat / Samba Team)

Secure Login Issues & Solutions

Kerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service

Authentication Applications

PKI Made Easy: Managing Certificates with Dogtag. Ade Lee Sr. Software Engineer Red Hat, Inc

MySQL Security: Best Practices

CS 4803 Computer and Network Security

Guide to SASL, GSSAPI & Kerberos v.6.0

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Entrust Managed Services PKI

Certificates in a Nutshell. Jens Jensen, STFC Leader of EUDAT AAI TF

Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at the University of Pennsylvania

IceWarp Server - SSO (Single Sign-On)

Lecture 10 - Authentication

Single-Sign-On in XtreemOS

W2K Integration in the Kerberos5 based AFS cell le.infn.it. Enrico M. V. Fasanelli I.N.F.N. Sezione di Lecce Catania,

NORWEGIAN UNIVERSITY OF SCIENCE AND TECHNOLOGY FACULTY OF INFORMATION TECHNOLOGY, MATHEMATICS AND ELECTRICAL ENGINEERING MASTER S THESIS

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date Version V1.0

CAC AND KERBEROS FROM VISION TO REALITY

Single Sign-on (SSO) technologies for the Domino Web Server

Remote access. Contents

SYSTEM MODEL KERBEROS OBJECTIVES PHYSICAL SECURITY TRUST: CONSOLIDATED KERBEROS MODEL TRUST: BILATERAL RHOSTS MODEL

CSE331: Introduction to Networks and Security. Lecture 29 Fall 2006

Entrust IdentityGuard Comprehensive

Forward proxy server vs reverse proxy server

Multifactor Authentication Device

Security Policy Revision Date: 23 April 2009

Lecture 10 - Authentication

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

Kerberos and Single Sign On with HTTP

Kerberos authentication made easy on OpenVMS

Oracle Mobile Security Suite Workshop. Installation

Single Sign On for UNICORE command line clients

CAC/PIV PKI Solution Installation Survey & Checklist

Globus Toolkit: Authentication and Credential Translation

Secure Communication Requirements

Use Enterprise SSO as the Credential Server for Protected Sites

Secure Web Access Solution

Introduction to Computer Security

TIBCO Spotfire Platform IT Brief

EMC Documentum My Documentum for Microsoft SharePoint

ACE Management Server Deployment Guide VMware ACE 2.0

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

A Guide to New Features in Propalms OneGate 4.0

Configure the Application Server User Account on the Domain Server

Final Year Project Interim Report

Exam : Administrating Windows Server 2012 R2. Course Overview

Architecture of Enterprise Applications III Single Sign-On

Why it s Time to Make the Change Analysis of Current Technologies for Multi-Factor Authentication in Active Directory

Securing Administrator Access to Internal Windows Servers

Integration with Active Directory. Jeremy Allison Samba Team

Integrating EJBCA and OpenSSO

Factotum Sep. 23, 2013

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Kerberos on z/os. Active Directory On Windows Server William Mosley z/os NAS Development. December Interaction with.

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

YubiKey PIV Deployment Guide

GL550 - Enterprise Linux Security Administration

Module 1: e- Learning

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

ENTERPRISE LINUX SECURITY ADMINISTRATION

Direct Issuance of Proxy Certificate on P-GRADE Grid Portal Without Using MyProxy

Apache Milagro (incubating) An Introduction ApacheCon North America

Authentication Applications

Attestation and Authentication Protocols Using the TPM

Using sftp in Informatica PowerCenter

Juniper Networks Secure Access Kerberos Constrained Delegation

GRID COMPUTING Techniques and Applications BARRY WILKINSON

Evaluation of Certificate Revocation in Microsoft Information Rights Management v1.0

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Transcription:

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006

METACentre Project Czech nation-wide Grid activity Infrastructure for distributed and high performance computing Major computing centres in the country Security architecture based on Kerberos (Co)-Authored a few Kerberos solutions (SSH, Web authn) Partner of international Grid projects (EGEE2)

PKI Overview Asymmetric cryptography Each user has a key-pair consisting of a public and private key Private key kept secred, public key spread among other users Digital signatures Private key used to generate digital signatures Public key used to verify the signature Similarly encryption

PKI - CAs How to get a correct public key? Independent identity providers Certification authorities Digital certificates (X.509) Public key, key owner identity, validity, other auxiliary information signed by the CA key Only the CA key is distributed across the comunity Certificate revocation Building a trusted CA is a political and organizational problem not a technical issue

Kerberos vs. PKI Symmetric vs. asymmetric cryptography Performace Tickets vs. Certificates Similar concept Issued by identity providers Online KDC vs. offline CA Think of revocations (OCSP) Password vs. Private key Long-term private keys must be stored on disk, are maintaned by the user In real-word deployment many weakness in key management Revocation mechanism Not needed for Kerberos, can be source of troubles for PKI Scalability KDC must register every user Long-term digital signatures Email signing, encrypting is very common using PKI Message level security

Kerberos and PKI Combining PKI and Kerberos PKI is requested by large Grid projects We have never wanted to abandon Kerberos Credential conversions PKI to Kerberos Kerberos to PKI

PK-INIT IETF specification (draft) Adding public key based authentication to the AS_REQ/AS_REP messages Using pre-authentication mechanism PK-INIT only affects the initial authn step rest of the protocol is untouched (and transparent for the end services).

PK-INIT Protocol Client sends a public key (certificate) and signature KDC verifies the certificate (public key) and signature and check the request Public key must be bound to the client principal The KDC reply isn t encrypted with a principal key from the DB but with a new symmetric key The symmetric key is encrypted using the public key (or DH) The client verifies the reply, gets the key, decrypts the reply From this moment on the client proceeds as usual TGT can be used to ask other tickets

PK-INIT Implementation We implemented a first version the PK- INIT specs for Heimdal Accepted by Heimdal In production use in METACentre Support for Grid proxy certificates Integration with the user management system

PK-INIT and Smart Cards OpenSSL Engine Allows to use devices through #PKCS11 OpenSC framework ikey3000 USB token Combination of smart card and reader Currently distributing among users Works both on Unix and Windows

Smart Card Access kinit Heimdal libs OpenSSL Libs OpenSSL Engine PKCS11 Engine Module PKCS11 library configurable Token

Travelkits Unix Standard krb5 tools from the distribution PK-INIT enabled kinit command and auxiliary files (CA certificates) - rpm, deb MS Windows Standard Kerberos for Windows PK-INIT enabled kinit command etc. Part of Heimdal ported to Windows Kerberos enabled Putty and WinSCP clients

Kerberos to PKI Given a Kerberos ticket create a certificate and private key Easy access to the Grid, or other PKI based services (www) CA Creating certificates for Kerberos tickets Operating online Short-time certificates Private key can be unencrypted

Kerberos CA kca Used in the Grid community (Fermilab) kx509, kpkcs11 MyProxy Very common service in Grid world On-line credential repository Latest versions support also CA mode

MyProxy 1. Client generates a new key-pair 2. Sends a CSR to the MyProxy server Connection secured by Kerberos 3. MyProxy server returns a signed certificate Using LDAP to map Kerberos principal to subject name Lifetime is copied from the ticket 4. Client stores credential on disk Generated private key and received certificate

PKI to Kerberos Credentials are stored in Grid format Can be used by standard grid commands Other applications must be configured kpkcs11 library for PKCS11 aware apps Using the Windows certificate repository Conversions can be run transparently Login script on UI machines

Conclusions PKI and Kerberos can cooperate Multi-mechanim SSO possible

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information