SlideShare a Scribd company logo

Kerberos and its application in cross realm operations

Download as PPTX, PDF
Arunangshu Bhakta
Arunangshu Bhakta
Education
1 of 51
Kerberos and its Application in Cross-Realm Operations SECURITY PROTOCOLS GROUP-1
Contents • Basic Kerberos • Components • Protocol • Strengths • Weaknesses • Cross Realm Operations • Cross Realm Operations with Kerberos Based Authentication • Authentication Simplified • Scalability Issues • Improved Cross Realm Kerberos Authentication Protocols (XKDCP) • XTGSP • XASP • Shortcomings of XTGSP & XASP and their mitigation
Basic Kerberos Protocol
Introduction to Kerberos • Kerberos provides a way to authenticate clients to services to each other through a trusted third party. • Kerberos makes the assumption that the connection between a client and service is insecure. • Passwords are encrypted to prevent others from reading them. • Clients only have to authenticate once during a pre- defined lifetime.
Goals of Kerberos Protocol • Principals must not be able to impersonate other principals (i.e. principals must be authenticated) • The authentication secret (i.e. password) used by the principals must not be transmitted in clear text • It must not be necessary for all principals to be able to authenticate all other principals by themselves. • Principals should only need to authenticate themselves once (in the case of a user, this is typically when they logon to a workstation).
Kerberos Components • Principals • Realms • Key Distribution Centers (KDC’s) • Authentication Service • Ticket Granting Server • Credentials • Ticket • Ticket Granting Ticket • Service Ticket • Authenticator
Kerberos Principals Client Service Server KDC (Local/Foreign)
Kerberos Protocol Step5 Step6 Service Client Server
Kerberos Protocol Step 1: Client
Kerberos Protocol Step 2: Client
Kerberos Protocol Step 3: Client
Kerberos Protocol Step 4: Client
Kerberos Protocol Step 5: Service Server Client
Kerberos Protocol Step 6: Service Server Client
Strengths • Passwords are never sent across the network unencrypted. This prevents those unscrupulous people from being able to read the most important data sent over the network. • Clients and applications services mutually authenticate. Mutual authentication allows for both ends to know that they truly know whom they are communicating with. • Tickets have a limited lifetime, so if they are stolen, unauthorized use is limited to the time frame that the ticket is valid.
Strengths • Authentication through the AS only has to happen once. This makes the security of Kerberos more convenient. • Shared secret keys between clients and services are more efficient than public-keys. • Many implementations of Keberos have a large support base and have been put through serious testing. • Authenticators, created by clients, can only be used once. This feature prevents the use of stolen authenticators.
Weaknesses • Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms. • Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. • Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user.
Cross Realm Interaction
Multiple Realm Scenario • User in one realm (say DAIICT) may intend to use the services in another realm (say NIFT) • In such a case, how will the user (DAIICT student) authenticate himself to the foreign KDC (NIFT KDC) while sitting in DAIICT? • How will the user (DAIICT student) authenticate himself to the foreign KDC (NIFT KDC) while visiting NIFT? • But, user’s (DAIICT student) trustworthiness is known only to the local KDC (DAIICT KDC). Thus, only respective local KDC can authenticate the user. • Hence, there’s a need for Cross-Realm Authentication !!
• Main issues in existing cross-realm authentication frameworks: • User needs to authenticate itself every time he tries to access a different service • User has to manage a large number of accounts • Low Scalability These issues have been addressed by using Kerberos Based Authentication in Cross-Realm Interactions !!
Kerberos based Authentication for Cross Realm Interaction
Kerberos based Authentication for Cross Realm Interaction • Allow users of one realm to authenticate with services in other realms • One time authentication required • Implemented by sharing a “secret” that realizes the trust relationship between realms • Using the shared secret key, KDC’s can check the authenticity of cross-realm request coming from users of trusted realm and then can securely issue service tickets for them
Trust-Chain KDC-H KDC-I KDC-T 1) TGT-T? 2) TGT-I 5) ST-SRV? 6) ST-SRV Home Realm
Issues in Cross Realm Kerberos • Inter-realm trust management • KDCs can have a direct or indirect relationship with other KDCs. • In direct relationships, KDC of each realm must maintain keys with all foreign realms. • Difficult to maintain large number of keys. • Indirect trust relationship means that there is a 'chain of trust’ linking the two realms. • A chain of trust can be determined by DNS hierarchy or else manually (can become cumbersome).
Issues in Cross Realm Kerberos • Reliability- • If any of the realms in the authentication is not available, then the principals of the end-realms cannot perform cross-realm operations. • Client Centralised Exchanges- • Clients have to perform TGS exchanges with all the KDCs in the trust path. • When clients have limited computational capabilities, overhead of these cross-realm exchanges may grow into unacceptable delays.
Improved Cross-Realm Kerberos Protocol (XKDCP) INTER KEY DISTRIBUTION CENTRE PROTOCOL
XKDCP (Inter Key Distribution Centre Protocol) • The XKDCP extension allows the client to obtain the service ticket from any KDC for which she already has a TGT. • XKDCP is based on public-key certificates. XKDCP XTGSP XASP XTGSP: Allows users to obtain service tickets from a KDC even if the service is not registered in that KDC. XASP: Allows two Kerberos KDCs to collaborate in order to authenticate a roaming user and to deliver a TGT that can be used in the visited realm.
XTGSP INTER TICKET GRANTING SERVICE PROTOCOL
XTGSP • When a TGS can not process a request for a service ticket because the service's realm is different from the TGS's realm, then the XTGSP protocol can be used between the TGS of both realms to build the desired service ticket. • Allows users to obtain service tickets from a KDC even if the user is not registered in that KDC. • Used in remote access scenarios • a user has a TGT for a local KDC and wishes to access a service deployed in a remote realm.
3 Home KDC Foreign KDC AS TGS-H TGS-F AS 4 1 2 5 Service 6 User Home Realm Foreign Realm • Client does not need to contact the remote KDC at all in which the service is registered. • Local KDC will deliver the service ticket that can be used directly to authenticate with the remote service.
Home KDC Foreign KDC AS TGS-H TGS-F AS 1) AS exchange Service User Home Realm Foreign Realm 1) Normal AS Exchange • AS request: C->AS: Client Principal and Service Principal Name • AS response: AS->C :{TUser,TGS}KTGS, {KUser,TGS || …}KUser
Home KDC Foreign KDC AS TGS-H TGS-F AS 2) TGS_REQ Service User Home Realm Foreign Realm 2) TGS_REQ: User requests a ticket from the ticket-granting service (TGS) User TGS: {AUser, TGS}KUser,TGS, {TUser,TGS}KTGS, ||… where AUser,TGS= {User, timestamp, realm} Note: Additionally “Realm” field should be set to the foreign realm name where service is present.
3) XTGSP_REQ Home KDC Foreign KDC AS TGS-H TGS-F AS Service User Home Realm Foreign Realm 3) XTGSP_REQ • It is built from users TGS_REQ message. • Also includes a signed payload to authenticate home KDC. TGS-H->TGS-F: {TGS_REQ}sigKDCH, cert(KDC-H)
Home KDC Foreign KDC AS TGS-H TGS-F AS 4) XTGSP_REP Service User Home Realm Foreign Realm 4) XTGSP_REP • TGS-F authenticates the previous message by verifying the public key signature. • Issues a ticket and an associated session key. Ticket is encrypted by key shared between the server and the foreign KDC. TGS-F->TGS-H: {{Session Key}KKDC-H, {TUser,S}KS}sigKDC-F, cert(KDC-F)
Home KDC Foreign KDC AS TGS-H TGS-F AS 5) TGS_REP Service User Home Realm Foreign Realm 5) TGS_REP • TGS-H authenticates the previous message by verifying the public key signature. • Decrypts the session key and encrypts it with the key shared between the Home-KDC and the user. TGS-H->User:{Session Key}KKDC-H, User, Ticket
Home KDC Foreign KDC AS TGS-H TGS-F AS Service 6) AP exchange User Home Realm Foreign Realm 6) AP exchange • User sends the ticket to S along with an authenticator to authenticate and establish the shared secret User->S: {AUser,S}KUser,Service, {TUser,S}KS • S decrypts the first part and obtains TUser,S to know the session key KUser,S replies to user with proof of possession of the shared secret S->User: {timestamp+1}KUser,S
Drawback 3) XTGSP_REQ Home KDC Foreign KDC AS TGS-H TGS-F AS Service User Home Realm Foreign Realm XTGSP_REQ • The message sent by TGS-H are verified by TGS-F using public key certificates. • TGS-F is not capable enough to decide if the Home KDC should be offered the services or not.
Proposed Solution • TGS-F should maintain a table enlisting specifically that which service can be used by which KDC . • Whenever it receives a message from an entity not mentioned in the list, it should contact its AS for further verification. • It should reply back to the requesting KDC only if its reliability is approved by its AS.
XASP INTER AUTHENTICATION SERVICE PROTOCOL
XASP • Allows two Kerberos KDCs to collaborate in order to authenticate a roaming user and to deliver a TGT that can be used in the visited realm to obtain service tickets . • Used in situations where the home KDC (or the KDC for which the client has a TGT) is not reachable.
2 Home KDC Foreign KDC TGS AS-H AS-H TGS 3 1 4 5 Service 6 User Home Realm Foreign Realm When an AS can not process a AS_REQ message sent by the client because the client does not belong to the local realm, the XASP extension can be used between the visited AS and the home AS to build the required credentials (a TGT) for the roaming client.
Home KDC Foreign KDC TGS AS-H AS-F TGS 1) AS_REQ Service User Home Realm Foreign Realm 1) AS_REQ: • User  AS-F: Client Principal and Service Principal Name • The client must put her home realm name in the ‘realm’ field of the request. Note: Any user can probe a foreign realm and make the KDC of the foreign realm to authenticate itself as per the request.
2) XASP_REQ Home KDC Foreign KDC TGS AS-H AS-F TGS Service User Home Realm Foreign Realm 2) XASP_REQ: • If the realm name in the previous message doesn't match with its own realm name, AS-F locates the KDC that serves the client’s home realm (AS-H). • This request signed duly for authentication. AS-F->AS-H: {AS_REQ}sigKDCF, cert(KDC-F)
Home KDC Foreign KDC TGS AS-H AS-F TGS 3) XASP_REP Service User Home Realm Foreign Realm 3) XASP_REP: • Home KDC authenticates the previous message by verifying the signature using public key cryptography. • Creates a TGS session key encrypted by user’s secret key. • A copy of same TGS session key is encrypted using foreign KDC’s public key. • A signature is also included that authenticates itself to the foreign KDC. AS-H->AS-F: {{TGS_SK}Kuser, {TGS_SK}KKDCF}sigKDCH, cert(KDC-H)
Home KDC Foreign KDC TGS AS-H AS-F TGS 4) AS_REP Service User Home Realm Foreign Realm 4) AS_REP: • KDCF validates by verifying the signature. • Decrypts the TGS session key using its own private key, which is used to build a TGT for the roaming user. • TGS session key encrypted by user’s secret key and TGT are sent to user. AS-F->User: {TGS_SK}Kuser, {TUser,TGS}KTGS
Home KDC Foreign KDC TGS AS-H AS-F TGS 5) TGS Exchange Service User Home Realm Foreign Realm 5) TGS Exchange: • User requests a ticket from the ticket-granting service (TGS) User TGS: {AUser, TGS}KUser,TGS, {TUser,TGS}KTGS, ||… where AUser,TGS= {User, timestamp, realm} • TGS returns a ticket for User to talk to S TGS User: {TUser,S}KS, {KUser,S}KUser,TGS where TUser,S= {User, User-addr, lifetime, KUser,S}
Home KDC Foreign KDC TGS AS-H AS-F TGS 6) AP Service exchange User Home Realm Foreign Realm 6) AP exchange: • User sends the ticket to S along with an authenticator to authenticate and establish the shared secret User S: {AUser,S}KC,S, {TUser,S}KS where AUser,S= {User, timestamp} • S User: {timestamp+1}KUser,S
DoS Attack on Foreign KDC Home KDC Foreign KDC TGS AS-H AS-F TGS 1) AS_REQ Service User Home Realm Foreign Realm • Any User can probe a foreign realm and keep the KDC of the foreign realm busy to authenticate itself. • The KDC will therefore remain busy in authenticating the user and will not do any productive work. • Foreign KDC cant authenticate the client.
Proposed Solution • Public key certificates can also be used for clients. • Each time a client wants to contact the foreign KDC it will send the message along with its certificate. • The foreign KDC can keep a track of the messages sent by a particular user. • It can reject the messages if they exceed the threshold limit of a user.
References 1. Saber Zrelli, Tunc Medeni and Yoichi Shinoda, “Improving Kerberos Security System for Cross-Realm Collaborative Interactions: An Innovative Example of Knowledge Technology for Evolving & Verifiable E-Society”, 2007 2. http://tools.ietf.org/id/draft-ietf-cat-kerberos-pk-cross-08.txt 3. http://tools.ietf.org/html/draft-zrelli-krb-xkdcp-00 4. http://web.mit.edu/rhel-doc/5/RHEL-5- manual/Deployment_Guide-en-US/ch-kerberos.html
Group Members • Ravi Goyal (200901001) • Puneet Kala (200901008) • Arunangshu Bhakta (200901026) • Unique Jain (200901036) • Lalit Agarwal (200901159) • Taru Raaj Agarwal (200901167) • Drasti Shah (200901172)

Recommended

ORC File - Optimizing Your Big Data
ORC File - Optimizing Your Big DataORC File - Optimizing Your Big Data
ORC File - Optimizing Your Big DataDataWorks Summit
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security DataWorks Summit/Hadoop Summit
 
Hive 3 - a new horizon
Hive 3 - a new horizonHive 3 - a new horizon
Hive 3 - a new horizonThejas Nair
 
Connecting Your System to Globus (APS Workshop)
Connecting Your System to Globus (APS Workshop)Connecting Your System to Globus (APS Workshop)
Connecting Your System to Globus (APS Workshop)Globus
 
Apache Kafka Best Practices
Apache Kafka Best PracticesApache Kafka Best Practices
Apache Kafka Best PracticesDataWorks Summit/Hadoop Summit
 
Kafka and Avro with Confluent Schema Registry
Kafka and Avro with Confluent Schema RegistryKafka and Avro with Confluent Schema Registry
Kafka and Avro with Confluent Schema RegistryJean-Paul Azar
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security ArchitectureOwen O'Malley
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
 

Recommended

ORC File - Optimizing Your Big Data
ORC File - Optimizing Your Big DataORC File - Optimizing Your Big Data
ORC File - Optimizing Your Big DataDataWorks Summit
 
Apache Kafka Security
Apache Kafka Security Apache Kafka Security
Apache Kafka Security DataWorks Summit/Hadoop Summit
 
Hive 3 - a new horizon
Hive 3 - a new horizonHive 3 - a new horizon
Hive 3 - a new horizonThejas Nair
 
Connecting Your System to Globus (APS Workshop)
Connecting Your System to Globus (APS Workshop)Connecting Your System to Globus (APS Workshop)
Connecting Your System to Globus (APS Workshop)Globus
 
Apache Kafka Best Practices
Apache Kafka Best PracticesApache Kafka Best Practices
Apache Kafka Best PracticesDataWorks Summit/Hadoop Summit
 
Kafka and Avro with Confluent Schema Registry
Kafka and Avro with Confluent Schema RegistryKafka and Avro with Confluent Schema Registry
Kafka and Avro with Confluent Schema RegistryJean-Paul Azar
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security ArchitectureOwen O'Malley
 
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...
Optimizing Kubernetes Resource Requests/Limits for Cost-Efficiency and Latenc...Henning Jacobs
 
HBase Storage Internals
HBase Storage InternalsHBase Storage Internals
HBase Storage InternalsDataWorks Summit
 
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...confluent
 
Building Event-Driven Systems with Apache Kafka
Building Event-Driven Systems with Apache KafkaBuilding Event-Driven Systems with Apache Kafka
Building Event-Driven Systems with Apache KafkaBrian Ritchie
 
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...HostedbyConfluent
 
Node Labels in YARN
Node Labels in YARNNode Labels in YARN
Node Labels in YARNDataWorks Summit
 
HDFS Tiered Storage: Mounting Object Stores in HDFS
HDFS Tiered Storage: Mounting Object Stores in HDFSHDFS Tiered Storage: Mounting Object Stores in HDFS
HDFS Tiered Storage: Mounting Object Stores in HDFSDataWorks Summit/Hadoop Summit
 
Apache Sentry for Hadoop security
Apache Sentry for Hadoop securityApache Sentry for Hadoop security
Apache Sentry for Hadoop securitybigdatagurus_meetup
 
Druid
DruidDruid
DruidDori Waldman
 
Ozone- Object store for Apache Hadoop
Ozone- Object store for Apache HadoopOzone- Object store for Apache Hadoop
Ozone- Object store for Apache HadoopHortonworks
 
Nginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptxNginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptxwonyong hwang
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & FeaturesDataStax Academy
 
Text tagging with finite state transducers
Text tagging with finite state transducersText tagging with finite state transducers
Text tagging with finite state transducerslucenerevolution
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to RedisDvir Volk
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarScyllaDB
 
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...KCDItaly
 
Best Practices for Certificate Management
Best Practices for Certificate ManagementBest Practices for Certificate Management
Best Practices for Certificate ManagementAppViewX
 
Why your Spark job is failing
Why your Spark job is failingWhy your Spark job is failing
Why your Spark job is failingSandy Ryza
 
Apache Phoenix and HBase: Past, Present and Future of SQL over HBase
Apache Phoenix and HBase: Past, Present and Future of SQL over HBaseApache Phoenix and HBase: Past, Present and Future of SQL over HBase
Apache Phoenix and HBase: Past, Present and Future of SQL over HBaseDataWorks Summit/Hadoop Summit
 
HBase Low Latency
HBase Low LatencyHBase Low Latency
HBase Low LatencyDataWorks Summit
 
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022HostedbyConfluent
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentationChris Geier
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication ProtocolBibek Subedi
 

More Related Content

What's hot

Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...confluent
 
Building Event-Driven Systems with Apache Kafka
Building Event-Driven Systems with Apache KafkaBuilding Event-Driven Systems with Apache Kafka
Building Event-Driven Systems with Apache KafkaBrian Ritchie
 
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...HostedbyConfluent
 
Apache Sentry for Hadoop security
Apache Sentry for Hadoop securityApache Sentry for Hadoop security
Apache Sentry for Hadoop securitybigdatagurus_meetup
 
Ozone- Object store for Apache Hadoop
Ozone- Object store for Apache HadoopOzone- Object store for Apache Hadoop
Ozone- Object store for Apache HadoopHortonworks
 
Nginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptxNginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptxwonyong hwang
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & FeaturesDataStax Academy
 
Text tagging with finite state transducers
Text tagging with finite state transducersText tagging with finite state transducers
Text tagging with finite state transducerslucenerevolution
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to RedisDvir Volk
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarScyllaDB
 
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...KCDItaly
 
Best Practices for Certificate Management
Best Practices for Certificate ManagementBest Practices for Certificate Management
Best Practices for Certificate ManagementAppViewX
 
Why your Spark job is failing
Why your Spark job is failingWhy your Spark job is failing
Why your Spark job is failingSandy Ryza
 
Apache Phoenix and HBase: Past, Present and Future of SQL over HBase
Apache Phoenix and HBase: Past, Present and Future of SQL over HBaseApache Phoenix and HBase: Past, Present and Future of SQL over HBase
Apache Phoenix and HBase: Past, Present and Future of SQL over HBaseDataWorks Summit/Hadoop Summit
 
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022HostedbyConfluent
 

What's hot (20)

HBase Storage Internals
HBase Storage InternalsHBase Storage Internals
HBase Storage Internals
 
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
 
Building Event-Driven Systems with Apache Kafka
Building Event-Driven Systems with Apache KafkaBuilding Event-Driven Systems with Apache Kafka
Building Event-Driven Systems with Apache Kafka
 
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...
What is the State of my Kafka Streams Application? Unleashing Metrics. | Neil...
 
Node Labels in YARN
Node Labels in YARNNode Labels in YARN
Node Labels in YARN
 
HDFS Tiered Storage: Mounting Object Stores in HDFS
HDFS Tiered Storage: Mounting Object Stores in HDFSHDFS Tiered Storage: Mounting Object Stores in HDFS
HDFS Tiered Storage: Mounting Object Stores in HDFS
 
Apache Sentry for Hadoop security
Apache Sentry for Hadoop securityApache Sentry for Hadoop security
Apache Sentry for Hadoop security
 
Druid
DruidDruid
Druid
 
Ozone- Object store for Apache Hadoop
Ozone- Object store for Apache HadoopOzone- Object store for Apache Hadoop
Ozone- Object store for Apache Hadoop
 
Nginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptxNginx Reverse Proxy with Kafka.pptx
Nginx Reverse Proxy with Kafka.pptx
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & Features
 
Text tagging with finite state transducers
Text tagging with finite state transducersText tagging with finite state transducers
Text tagging with finite state transducers
 
Introduction to Redis
Introduction to RedisIntroduction to Redis
Introduction to Redis
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache Pulsar
 
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...
Multi-Clusters Made Easy with Liqo:
Getting Rid of Your Clusters Keeping Them...
 
Best Practices for Certificate Management
Best Practices for Certificate ManagementBest Practices for Certificate Management
Best Practices for Certificate Management
 
Why your Spark job is failing
Why your Spark job is failingWhy your Spark job is failing
Why your Spark job is failing
 
Apache Phoenix and HBase: Past, Present and Future of SQL over HBase
Apache Phoenix and HBase: Past, Present and Future of SQL over HBaseApache Phoenix and HBase: Past, Present and Future of SQL over HBase
Apache Phoenix and HBase: Past, Present and Future of SQL over HBase
 
HBase Low Latency
HBase Low LatencyHBase Low Latency
HBase Low Latency
 
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022
Deep Dive Into Kafka Tiered Storage With Satish Duggana | Current 2022
 

Viewers also liked

Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentationChris Geier
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication ProtocolBibek Subedi
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to KerberosShumon Huque
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication ApplicationVidulatiwari
 
Paralelismo en lenguajes de alto nivel
Paralelismo en lenguajes de alto nivelParalelismo en lenguajes de alto nivel
Paralelismo en lenguajes de alto nivelLuis Belloch Gómez
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardtarekiceiuk
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and HadoopKai Zheng
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web securityrajakhurram
 
Chapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption StandardChapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption StandardShafaan Khaliq Bhatti
 
block ciphers
block ciphersblock ciphers
block ciphersAsad Ali
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 

Viewers also liked (19)

Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication Protocol
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
 
Kerberos : An Authentication Application
Kerberos : An Authentication ApplicationKerberos : An Authentication Application
Kerberos : An Authentication Application
 
kerberos
kerberoskerberos
kerberos
 
Paralelismo en lenguajes de alto nivel
Paralelismo en lenguajes de alto nivelParalelismo en lenguajes de alto nivel
Paralelismo en lenguajes de alto nivel
 
Kerberos
KerberosKerberos
Kerberos
 
Ch03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standardCh03 block-cipher-and-data-encryption-standard
Ch03 block-cipher-and-data-encryption-standard
 
Block Cipher
Block CipherBlock Cipher
Block Cipher
 
Ch14
Ch14Ch14
Ch14
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and Hadoop
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Chapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption StandardChapter 3: Block Ciphers and the Data Encryption Standard
Chapter 3: Block Ciphers and the Data Encryption Standard
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocol
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Kerberos
KerberosKerberos
Kerberos
 
Kerberos
KerberosKerberos
Kerberos
 

Similar to Kerberos and its application in cross realm operations

Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1anchalaguna
 
Kerberos realms & multiple kerberi
Kerberos realms & multiple kerberiKerberos realms & multiple kerberi
Kerberos realms & multiple kerberiManas Nayak
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication rajakhurram
 
SharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival GuideSharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival GuideJ.D. Wade
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3limsh
 
Rakesh raj
Rakesh rajRakesh raj
Rakesh rajDBNCOET
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetJ.D. Wade
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSCody Thomas
 
Kerberos Protocol
Kerberos ProtocolKerberos Protocol
Kerberos ProtocolNetwax Lab
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
Golden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain PersistenceGolden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain PersistenceMohammed Adam
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015J.D. Wade
 
Technet.microsoft.com
Technet.microsoft.comTechnet.microsoft.com
Technet.microsoft.comKurt Kort
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015J.D. Wade
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaJ.D. Wade
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015J.D. Wade
 

Similar to Kerberos and its application in cross realm operations (20)

Gunaspresentation1
Gunaspresentation1Gunaspresentation1
Gunaspresentation1
 
Kerberos realms & multiple kerberi
Kerberos realms & multiple kerberiKerberos realms & multiple kerberi
Kerberos realms & multiple kerberi
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication
 
SharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival GuideSharePoint Saturday Kansas City - Kerberos Survival Guide
SharePoint Saturday Kansas City - Kerberos Survival Guide
 
BAIT1103 Chapter 3
BAIT1103 Chapter 3BAIT1103 Chapter 3
BAIT1103 Chapter 3
 
Rakesh raj
Rakesh rajRakesh raj
Rakesh raj
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
Kerberos Protocol
Kerberos ProtocolKerberos Protocol
Kerberos Protocol
 
Null talk
Null talkNull talk
Null talk
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptography
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Golden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain PersistenceGolden Ticket Attack - AD - Domain Persistence
Golden Ticket Attack - AD - Domain Persistence
 
In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 
Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015Kerberos survival guide-STL 2015
Kerberos survival guide-STL 2015
 
Technet.microsoft.com
Technet.microsoft.comTechnet.microsoft.com
Technet.microsoft.com
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
 
Kerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointaloozaKerberos Survival Guide: SharePointalooza
Kerberos Survival Guide: SharePointalooza
 
Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015Kerberos Survival Guide: Columbus 2015
Kerberos Survival Guide: Columbus 2015
 

Recently uploaded

80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxPooja Bhuva
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxPooja Bhuva
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxDr. Ravikiran H M Gowda
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxannathomasp01
 

Recently uploaded (20)

80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 

Kerberos and its application in cross realm operations

  • 1. Kerberos and its Application in Cross-Realm Operations SECURITY PROTOCOLS GROUP-1
  • 2. Contents • Basic Kerberos • Components • Protocol • Strengths • Weaknesses • Cross Realm Operations • Cross Realm Operations with Kerberos Based Authentication • Authentication Simplified • Scalability Issues • Improved Cross Realm Kerberos Authentication Protocols (XKDCP) • XTGSP • XASP • Shortcomings of XTGSP & XASP and their mitigation
  • 4. Introduction to Kerberos • Kerberos provides a way to authenticate clients to services to each other through a trusted third party. • Kerberos makes the assumption that the connection between a client and service is insecure. • Passwords are encrypted to prevent others from reading them. • Clients only have to authenticate once during a pre- defined lifetime.
  • 5. Goals of Kerberos Protocol • Principals must not be able to impersonate other principals (i.e. principals must be authenticated) • The authentication secret (i.e. password) used by the principals must not be transmitted in clear text • It must not be necessary for all principals to be able to authenticate all other principals by themselves. • Principals should only need to authenticate themselves once (in the case of a user, this is typically when they logon to a workstation).
  • 6. Kerberos Components • Principals • Realms • Key Distribution Centers (KDC’s) • Authentication Service • Ticket Granting Server • Credentials • Ticket • Ticket Granting Ticket • Service Ticket • Authenticator
  • 7. Kerberos Principals Client Service Server KDC (Local/Foreign)
  • 8. Kerberos Protocol Step5 Step6 Service Client Server
  • 13. Kerberos Protocol Step 5: Service Server Client
  • 14. Kerberos Protocol Step 6: Service Server Client
  • 15. Strengths • Passwords are never sent across the network unencrypted. This prevents those unscrupulous people from being able to read the most important data sent over the network. • Clients and applications services mutually authenticate. Mutual authentication allows for both ends to know that they truly know whom they are communicating with. • Tickets have a limited lifetime, so if they are stolen, unauthorized use is limited to the time frame that the ticket is valid.
  • 16. Strengths • Authentication through the AS only has to happen once. This makes the security of Kerberos more convenient. • Shared secret keys between clients and services are more efficient than public-keys. • Many implementations of Keberos have a large support base and have been put through serious testing. • Authenticators, created by clients, can only be used once. This feature prevents the use of stolen authenticators.
  • 17. Weaknesses • Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms. • Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. • Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user.
  • 19. Multiple Realm Scenario • User in one realm (say DAIICT) may intend to use the services in another realm (say NIFT) • In such a case, how will the user (DAIICT student) authenticate himself to the foreign KDC (NIFT KDC) while sitting in DAIICT? • How will the user (DAIICT student) authenticate himself to the foreign KDC (NIFT KDC) while visiting NIFT? • But, user’s (DAIICT student) trustworthiness is known only to the local KDC (DAIICT KDC). Thus, only respective local KDC can authenticate the user. • Hence, there’s a need for Cross-Realm Authentication !!
  • 20. • Main issues in existing cross-realm authentication frameworks: • User needs to authenticate itself every time he tries to access a different service • User has to manage a large number of accounts • Low Scalability These issues have been addressed by using Kerberos Based Authentication in Cross-Realm Interactions !!
  • 21. Kerberos based Authentication for Cross Realm Interaction
  • 22. Kerberos based Authentication for Cross Realm Interaction • Allow users of one realm to authenticate with services in other realms • One time authentication required • Implemented by sharing a “secret” that realizes the trust relationship between realms • Using the shared secret key, KDC’s can check the authenticity of cross-realm request coming from users of trusted realm and then can securely issue service tickets for them
  • 23. Trust-Chain KDC-H KDC-I KDC-T 1) TGT-T? 2) TGT-I 5) ST-SRV? 6) ST-SRV Home Realm
  • 24. Issues in Cross Realm Kerberos • Inter-realm trust management • KDCs can have a direct or indirect relationship with other KDCs. • In direct relationships, KDC of each realm must maintain keys with all foreign realms. • Difficult to maintain large number of keys. • Indirect trust relationship means that there is a 'chain of trust’ linking the two realms. • A chain of trust can be determined by DNS hierarchy or else manually (can become cumbersome).
  • 25. Issues in Cross Realm Kerberos • Reliability- • If any of the realms in the authentication is not available, then the principals of the end-realms cannot perform cross-realm operations. • Client Centralised Exchanges- • Clients have to perform TGS exchanges with all the KDCs in the trust path. • When clients have limited computational capabilities, overhead of these cross-realm exchanges may grow into unacceptable delays.
  • 26. Improved Cross-Realm Kerberos Protocol (XKDCP) INTER KEY DISTRIBUTION CENTRE PROTOCOL
  • 27. XKDCP (Inter Key Distribution Centre Protocol) • The XKDCP extension allows the client to obtain the service ticket from any KDC for which she already has a TGT. • XKDCP is based on public-key certificates. XKDCP XTGSP XASP XTGSP: Allows users to obtain service tickets from a KDC even if the service is not registered in that KDC. XASP: Allows two Kerberos KDCs to collaborate in order to authenticate a roaming user and to deliver a TGT that can be used in the visited realm.
  • 28. XTGSP INTER TICKET GRANTING SERVICE PROTOCOL
  • 29. XTGSP • When a TGS can not process a request for a service ticket because the service's realm is different from the TGS's realm, then the XTGSP protocol can be used between the TGS of both realms to build the desired service ticket. • Allows users to obtain service tickets from a KDC even if the user is not registered in that KDC. • Used in remote access scenarios • a user has a TGT for a local KDC and wishes to access a service deployed in a remote realm.
  • 30. 3 Home KDC Foreign KDC AS TGS-H TGS-F AS 4 1 2 5 Service 6 User Home Realm Foreign Realm • Client does not need to contact the remote KDC at all in which the service is registered. • Local KDC will deliver the service ticket that can be used directly to authenticate with the remote service.
  • 31. Home KDC Foreign KDC AS TGS-H TGS-F AS 1) AS exchange Service User Home Realm Foreign Realm 1) Normal AS Exchange • AS request: C->AS: Client Principal and Service Principal Name • AS response: AS->C :{TUser,TGS}KTGS, {KUser,TGS || …}KUser
  • 32. Home KDC Foreign KDC AS TGS-H TGS-F AS 2) TGS_REQ Service User Home Realm Foreign Realm 2) TGS_REQ: User requests a ticket from the ticket-granting service (TGS) User TGS: {AUser, TGS}KUser,TGS, {TUser,TGS}KTGS, ||… where AUser,TGS= {User, timestamp, realm} Note: Additionally “Realm” field should be set to the foreign realm name where service is present.
  • 33. 3) XTGSP_REQ Home KDC Foreign KDC AS TGS-H TGS-F AS Service User Home Realm Foreign Realm 3) XTGSP_REQ • It is built from users TGS_REQ message. • Also includes a signed payload to authenticate home KDC. TGS-H->TGS-F: {TGS_REQ}sigKDCH, cert(KDC-H)
  • 34. Home KDC Foreign KDC AS TGS-H TGS-F AS 4) XTGSP_REP Service User Home Realm Foreign Realm 4) XTGSP_REP • TGS-F authenticates the previous message by verifying the public key signature. • Issues a ticket and an associated session key. Ticket is encrypted by key shared between the server and the foreign KDC. TGS-F->TGS-H: {{Session Key}KKDC-H, {TUser,S}KS}sigKDC-F, cert(KDC-F)
  • 35. Home KDC Foreign KDC AS TGS-H TGS-F AS 5) TGS_REP Service User Home Realm Foreign Realm 5) TGS_REP • TGS-H authenticates the previous message by verifying the public key signature. • Decrypts the session key and encrypts it with the key shared between the Home-KDC and the user. TGS-H->User:{Session Key}KKDC-H, User, Ticket
  • 36. Home KDC Foreign KDC AS TGS-H TGS-F AS Service 6) AP exchange User Home Realm Foreign Realm 6) AP exchange • User sends the ticket to S along with an authenticator to authenticate and establish the shared secret User->S: {AUser,S}KUser,Service, {TUser,S}KS • S decrypts the first part and obtains TUser,S to know the session key KUser,S replies to user with proof of possession of the shared secret S->User: {timestamp+1}KUser,S
  • 37. Drawback 3) XTGSP_REQ Home KDC Foreign KDC AS TGS-H TGS-F AS Service User Home Realm Foreign Realm XTGSP_REQ • The message sent by TGS-H are verified by TGS-F using public key certificates. • TGS-F is not capable enough to decide if the Home KDC should be offered the services or not.
  • 38. Proposed Solution • TGS-F should maintain a table enlisting specifically that which service can be used by which KDC . • Whenever it receives a message from an entity not mentioned in the list, it should contact its AS for further verification. • It should reply back to the requesting KDC only if its reliability is approved by its AS.
  • 40. XASP • Allows two Kerberos KDCs to collaborate in order to authenticate a roaming user and to deliver a TGT that can be used in the visited realm to obtain service tickets . • Used in situations where the home KDC (or the KDC for which the client has a TGT) is not reachable.
  • 41. 2 Home KDC Foreign KDC TGS AS-H AS-H TGS 3 1 4 5 Service 6 User Home Realm Foreign Realm When an AS can not process a AS_REQ message sent by the client because the client does not belong to the local realm, the XASP extension can be used between the visited AS and the home AS to build the required credentials (a TGT) for the roaming client.
  • 42. Home KDC Foreign KDC TGS AS-H AS-F TGS 1) AS_REQ Service User Home Realm Foreign Realm 1) AS_REQ: • User  AS-F: Client Principal and Service Principal Name • The client must put her home realm name in the ‘realm’ field of the request. Note: Any user can probe a foreign realm and make the KDC of the foreign realm to authenticate itself as per the request.
  • 43. 2) XASP_REQ Home KDC Foreign KDC TGS AS-H AS-F TGS Service User Home Realm Foreign Realm 2) XASP_REQ: • If the realm name in the previous message doesn't match with its own realm name, AS-F locates the KDC that serves the client’s home realm (AS-H). • This request signed duly for authentication. AS-F->AS-H: {AS_REQ}sigKDCF, cert(KDC-F)
  • 44. Home KDC Foreign KDC TGS AS-H AS-F TGS 3) XASP_REP Service User Home Realm Foreign Realm 3) XASP_REP: • Home KDC authenticates the previous message by verifying the signature using public key cryptography. • Creates a TGS session key encrypted by user’s secret key. • A copy of same TGS session key is encrypted using foreign KDC’s public key. • A signature is also included that authenticates itself to the foreign KDC. AS-H->AS-F: {{TGS_SK}Kuser, {TGS_SK}KKDCF}sigKDCH, cert(KDC-H)
  • 45. Home KDC Foreign KDC TGS AS-H AS-F TGS 4) AS_REP Service User Home Realm Foreign Realm 4) AS_REP: • KDCF validates by verifying the signature. • Decrypts the TGS session key using its own private key, which is used to build a TGT for the roaming user. • TGS session key encrypted by user’s secret key and TGT are sent to user. AS-F->User: {TGS_SK}Kuser, {TUser,TGS}KTGS
  • 46. Home KDC Foreign KDC TGS AS-H AS-F TGS 5) TGS Exchange Service User Home Realm Foreign Realm 5) TGS Exchange: • User requests a ticket from the ticket-granting service (TGS) User TGS: {AUser, TGS}KUser,TGS, {TUser,TGS}KTGS, ||… where AUser,TGS= {User, timestamp, realm} • TGS returns a ticket for User to talk to S TGS User: {TUser,S}KS, {KUser,S}KUser,TGS where TUser,S= {User, User-addr, lifetime, KUser,S}
  • 47. Home KDC Foreign KDC TGS AS-H AS-F TGS 6) AP Service exchange User Home Realm Foreign Realm 6) AP exchange: • User sends the ticket to S along with an authenticator to authenticate and establish the shared secret User S: {AUser,S}KC,S, {TUser,S}KS where AUser,S= {User, timestamp} • S User: {timestamp+1}KUser,S
  • 48. DoS Attack on Foreign KDC Home KDC Foreign KDC TGS AS-H AS-F TGS 1) AS_REQ Service User Home Realm Foreign Realm • Any User can probe a foreign realm and keep the KDC of the foreign realm busy to authenticate itself. • The KDC will therefore remain busy in authenticating the user and will not do any productive work. • Foreign KDC cant authenticate the client.
  • 49. Proposed Solution • Public key certificates can also be used for clients. • Each time a client wants to contact the foreign KDC it will send the message along with its certificate. • The foreign KDC can keep a track of the messages sent by a particular user. • It can reject the messages if they exceed the threshold limit of a user.
  • 50. References 1. Saber Zrelli, Tunc Medeni and Yoichi Shinoda, “Improving Kerberos Security System for Cross-Realm Collaborative Interactions: An Innovative Example of Knowledge Technology for Evolving & Verifiable E-Society”, 2007 2. http://tools.ietf.org/id/draft-ietf-cat-kerberos-pk-cross-08.txt 3. http://tools.ietf.org/html/draft-zrelli-krb-xkdcp-00 4. http://web.mit.edu/rhel-doc/5/RHEL-5- manual/Deployment_Guide-en-US/ch-kerberos.html
  • 51. Group Members • Ravi Goyal (200901001) • Puneet Kala (200901008) • Arunangshu Bhakta (200901026) • Unique Jain (200901036) • Lalit Agarwal (200901159) • Taru Raaj Agarwal (200901167) • Drasti Shah (200901172)