MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo

Gilles Legoux, Software Engineer at Criteo
Kerberos - Protocol for Authentication & Authorization
Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers
MIT Kerberos

Identity Management
Implementation by OS:
● Linux: MIT Kerberos
● Windows: Active Directory
● MacOS: Heimdal

MIT Kerberos
MIT Kerberos is a project written in C since the 1980s.
Open Source and Free: https://github.com/krb5/krb5
Last release: 1.16.1 (2018-05-03)
MIT License
Links: Official Website | Tutorial | Documentation | Guide | Distribution | Release Linux | Historic | RFC | CVE | FAQ

Kerberos (V5) is a network authentication and authorization protocol with several implementations.
"Kerberos allows securing communications on untrusted networks, but where each node is trusted."
Kerberos Features
● Kerberos is in place, mature, stable and performant, using symmetric keys
● Mutual authentication, integrity and confidentiality of communication
● Protected against eavesdropping and replay attacks
● No exposed passwords: the password should never be exposed during authentication (no password in code, network call or log ...)
● Not only HTTP: it can secure other communication channels (SSH, login, ...)
● Largely implemented in each service (client and kerberized server) and in libraries for kerberized services

Kerberos secret = Metadata + Kerberos key
Metadata = [ kvno, issue time, encryption, principal ]
Kerberos key = getKey(password, salt, encryption)
Keytab = container(Kerberos key with Metadata), stored in a binary file with the right permissions (owner, 0400) and not encrypted.
Authenticator = { PrincipalClient, Timestamp }KClient
Ticket-Granting Ticket (TGT) = authentication credential
Service-Granting Ticket (SGT) = authorization credential
Principal = Kerberos entity (User or Service Principal Name)
"Kerberos is primarily used over internal LANs to authenticate users."

Single Sign-On (SSO)
[Diagram: one client authenticates once and then accesses several services]
● One authentication to access a group of services.
● Ticket system where long-term secrets generate short-term secrets.
Kerberos Environment
[Diagram: Client (C), Service (S) and the Key Distribution Center (KDC) = Authentication Server (AS) + Ticket Granting Server (TGS) + database. Kerberos clients are configured with krb5.conf, the Kerberos server with kdc.conf and krb5.conf.]

1. Setup
Install your KDC:
● create master key
● create your kerberos realm
● configuration (kdc.conf, krb5.conf)
Install Kerberos clients:
● configuration (krb5.conf)

2. Provisioning
● creation of the principals (C, S) in the Kerberos database: kerberos configuration and kerberos key

3. Secret deployment
Deployment on each kerberos client:
● keytabs

Kerberos secrets: keytab
Kerberos Workflow for Authentication
[Diagram: Client (C), Service (S), KDC = Authentication Server (AS) + Ticket Granting Server (TGS) + database. The client keeps a credentials cache; the service and the AS each keep a replay cache; the keytab holds the Kerberos secrets.]

1. Client and Authentication Server (AS_REQUEST, AS_REPLY)
(1). clear plaintext request for a Ticket Granting Ticket (TGT) with pre-authentication (should be configured) and authenticator request
(2). user ID lookup in KDC
(3). 2 messages:
- A: TGT (encrypted by the AS secret key, principal krbtgt/*)
- B: TGS session key (encrypted by the client secret key)

(3)bis. The client tries to connect to the service, but the service reclaims Kerberos authentication and a TGS ticket.

2. Client and Ticket Granting Server (TGS_REQUEST, TGS_REPLY)
(4). 3 messages:
- C: authenticator request (encrypted by the TGS session key)
- D: clear plaintext request for access to the Service
- E: TGT
(5). Service lookup in KDC
(6). 2 messages:
- F: Service session key (encrypted by the TGS session key)
- G: Ticket for Service (encrypted by the Service secret key)

3. Client and Service (AP_REQUEST, AP_REPLY)
(7). 2 messages:
- H: authenticator request (encrypted by the Service session key)
- I: Ticket for Service (encrypted by the Service secret key)
(8). 1 message:
- J: Confirmation of Service identity (encrypted by the Service session key)
(9). Exchange messages with the Service Ticket

Credentials: TGT, SGT. Kerberos secrets: keytab.
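As an added example (not code from the talk or from MIT krb5), the three exchanges above modelled end to end in Python: a KDC holding the AS secret key and the principal keys, a service holding the key from its keytab plus a replay cache, and a client that never puts its password on the wire. Realm, principal names and the password are constructed; the cipher is a toy HMAC-SHA256 construction standing in for a Kerberos enctype, and the messages carry only the fields the slide names (no nonces, flags, addresses or lifetimes).

```python
"""Toy model of the workflow slide: AS_REQ/AS_REP (1-3), TGS_REQ/TGS_REP (4-6),
AP_REQ/AP_REP (7-8) and the service-side replay cache. Added example, not code from
the talk or MIT krb5: the cipher is a stand-in on HMAC-SHA256, not a Kerberos enctype."""
import hashlib
import hmac
import json
import os
import secrets

SKEW = 300  # tolerated clock skew in seconds (krb5 default is 5 minutes)

def long_term_key(password: str, salt: str) -> bytes:
    """Stand-in for getKey(password, salt, encryption); salt is conventionally REALM+principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key (toy construction, fresh IV per message)."""
    pt, iv = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; a wrong key or tampering raises ValueError."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

class KDC:
    """Authentication Server and Ticket Granting Server over one principal database."""
    def __init__(self, realm: str):
        self.realm, self.krbtgt = realm, "krbtgt/" + realm
        self.db = {self.krbtgt: secrets.token_bytes(32)}  # AS secret key that seals TGTs

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = long_term_key(password, self.realm + name)

    def as_exchange(self, client: str, preauth: bytes, now: int):
        """(1)-(3): pre-auth proves the client key before anything sealed under it is returned."""
        if abs(unseal(self.db[client], preauth)["ts"] - now) > SKEW:
            raise PermissionError("pre-authentication failed")
        tgs_session = secrets.token_bytes(32)
        tgt = seal(self.db[self.krbtgt], {"client": client, "key": tgs_session.hex()})  # A
        return tgt, seal(self.db[client], {"key": tgs_session.hex()})  # B

    def tgs_exchange(self, authenticator: bytes, service: str, tgt: bytes, now: int):
        """(4)-(6): open the TGT with the krbtgt key, check the authenticator with the key inside."""
        body = unseal(self.db[self.krbtgt], tgt)  # E
        tgs_session = bytes.fromhex(body["key"])
        auth = unseal(tgs_session, authenticator)  # C
        if auth["client"] != body["client"] or abs(auth["ts"] - now) > SKEW:
            raise PermissionError("authenticator does not match TGT")
        svc_session = secrets.token_bytes(32)
        ticket = seal(self.db[service], {"client": auth["client"], "key": svc_session.hex()})
        return seal(tgs_session, {"key": svc_session.hex()}), ticket  # F, G

class Service:
    """Kerberized service holding its long-term key (from its keytab) and a replay cache."""
    def __init__(self, key: bytes):
        self.key, self.replay_cache = key, set()  # cache of accepted (client, ts) pairs

    def ap_exchange(self, authenticator: bytes, ticket: bytes, now: int) -> bytes:
        """(7)-(8): open the ticket, verify the authenticator, reject replays, prove identity."""
        body = unseal(self.key, ticket)  # I
        svc_session = bytes.fromhex(body["key"])
        auth = unseal(svc_session, authenticator)  # H
        if auth["client"] != body["client"] or abs(auth["ts"] - now) > SKEW:
            raise PermissionError("bad authenticator")
        if (auth["client"], auth["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["ts"]))
        return seal(svc_session, {"ts": auth["ts"]})  # J: only the key holder can produce this

def run_flow(now: int = 1_529_400_000) -> dict:
    """Client side of the three exchanges against constructed principals."""
    realm, user, spn = "EXAMPLE.COM", "alice", "HTTP/www.example.com"  # constructed names
    kdc = KDC(realm)
    kdc.add_principal(user, "correct horse battery staple")
    kdc.add_principal(spn, secrets.token_hex(16))
    service = Service(kdc.db[spn])  # the same key the service would load from its keytab
    client_key = long_term_key("correct horse battery staple", realm + user)
    tgt, reply_b = kdc.as_exchange(user, seal(client_key, {"ts": now}), now)
    tgs_session = bytes.fromhex(unseal(client_key, reply_b)["key"])  # TGT itself stays opaque
    auth_c = seal(tgs_session, {"client": user, "ts": now + 1})
    reply_f, ticket = kdc.tgs_exchange(auth_c, spn, tgt, now + 1)
    svc_session = bytes.fromhex(unseal(tgs_session, reply_f)["key"])
    auth_h = seal(svc_session, {"client": user, "ts": now + 2})
    reply_j = service.ap_exchange(auth_h, ticket, now + 2)
    mutual = unseal(svc_session, reply_j)["ts"] == now + 2  # service proved it holds the key
    try:  # a second delivery of the same H and I is caught by the replay cache
        service.ap_exchange(auth_h, ticket, now + 3)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"mutual_auth": mutual, "replay_rejected": replay_rejected}
```

Calling `run_flow()` returns `{"mutual_auth": True, "replay_rejected": True}`; the TGT the client carries cannot be opened with the client key, only with the krbtgt key held by the KDC.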
Kerberos Realm and Trust for Authorization
User Principal Name (UPN): user@REALM
An entity performing client requests to some service. Human or machine.
Service Principal Name (SPN): service/fqdn@REALM
An entity processing requests for a specific service (HTTP, LDAP, SSH ...). Machine only.
[Diagram: REALM A, REALM B and REALM C linked by trusts]
Unilateral trust: REALM A → REALM B
Bilateral trust: REALM B ←→ REALM C

Recommended

Modern Algorithms and Data Structures - 1. Bloom Filters, Merkle Trees
Modern Algorithms and Data Structures - 1. Bloom Filters, Merkle TreesModern Algorithms and Data Structures - 1. Bloom Filters, Merkle Trees
Modern Algorithms and Data Structures - 1. Bloom Filters, Merkle TreesLorenzo Alberton
 
An Introduction to Apache Cassandra
An Introduction to Apache CassandraAn Introduction to Apache Cassandra
An Introduction to Apache CassandraSaeid Zebardast
 
Geospatial Indexing at Scale: The 15 Million QPS Redis Architecture Powering ...
Geospatial Indexing at Scale: The 15 Million QPS Redis Architecture Powering ...Geospatial Indexing at Scale: The 15 Million QPS Redis Architecture Powering ...
Geospatial Indexing at Scale: The 15 Million QPS Redis Architecture Powering ...Daniel Hochman
 
Spotify: Automating Cassandra repairs
Spotify: Automating Cassandra repairsSpotify: Automating Cassandra repairs
Spotify: Automating Cassandra repairsDataStax Academy
 
Message Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmMessage Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmAjay Karri
 

More Related Content

What's hot

Merkle Trees and Fusion Trees
Merkle Trees and Fusion TreesMerkle Trees and Fusion Trees
Merkle Trees and Fusion TreesRohithND
 
State transfer With Galera
State transfer With GaleraState transfer With Galera
State transfer With GaleraMydbops
 
How Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar LeibovichHow Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar LeibovichDevOpsDays Tel Aviv
 
nGrinder 3.0 : Load Test even kids can do
nGrinder 3.0 : Load Test even kids can donGrinder 3.0 : Load Test even kids can do
nGrinder 3.0 : Load Test even kids can doJunHo Yoon
 
Introduction to CUDA
Introduction to CUDAIntroduction to CUDA
Introduction to CUDARaymond Tay
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
MonetDB :column-store approach in database
MonetDB :column-store approach in databaseMonetDB :column-store approach in database
MonetDB :column-store approach in databaseNikhil Patteri
 
Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)MdFazleRabbi18
 
From Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance GainsFrom Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance GainsScyllaDB
 
Cassandra and Riak at BestBuy.com
Cassandra and Riak at BestBuy.comCassandra and Riak at BestBuy.com
Cassandra and Riak at BestBuy.comjoelcrabb
 
Golden ticket, pass the ticket mi tm kerberos attacks explained
Golden ticket, pass the ticket mi tm   kerberos attacks explainedGolden ticket, pass the ticket mi tm   kerberos attacks explained
Golden ticket, pass the ticket mi tm kerberos attacks explainedPeter Swedin
 
MySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to HaveMySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to HaveSveta Smirnova
 
substitution and transposition techniques_ppt.pptx
substitution and transposition techniques_ppt.pptxsubstitution and transposition techniques_ppt.pptx
substitution and transposition techniques_ppt.pptxGauriBornare1
 
Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...
Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...
Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...Intel® Software
 
Cryptographic algorithms
Cryptographic algorithmsCryptographic algorithms
Cryptographic algorithmsAnamika Singh
 

What's hot (20)

Merkle Trees and Fusion Trees
Merkle Trees and Fusion TreesMerkle Trees and Fusion Trees
Merkle Trees and Fusion Trees
 
State transfer With Galera
State transfer With GaleraState transfer With Galera
State transfer With Galera
 
How Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar LeibovichHow Linux Processes Your Network Packet - Elazar Leibovich
How Linux Processes Your Network Packet - Elazar Leibovich
 
nGrinder 3.0 : Load Test even kids can do
nGrinder 3.0 : Load Test even kids can donGrinder 3.0 : Load Test even kids can do
nGrinder 3.0 : Load Test even kids can do
 
Introduction to CUDA
Introduction to CUDAIntroduction to CUDA
Introduction to CUDA
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
MonetDB :column-store approach in database
MonetDB :column-store approach in databaseMonetDB :column-store approach in database
MonetDB :column-store approach in database
 
Data race
Data raceData race
Data race
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)Topic5 advanced encryption standard (aes)
Topic5 advanced encryption standard (aes)
 
From Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance GainsFrom Postgres to ScyllaDB: Migration Strategies and Performance Gains
From Postgres to ScyllaDB: Migration Strategies and Performance Gains
 
DES
DESDES
DES
 
Cassandra and Riak at BestBuy.com
Cassandra and Riak at BestBuy.comCassandra and Riak at BestBuy.com
Cassandra and Riak at BestBuy.com
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemo
 
How to Share a Secret
How to Share a SecretHow to Share a Secret
How to Share a Secret
 
Golden ticket, pass the ticket mi tm kerberos attacks explained
Golden ticket, pass the ticket mi tm   kerberos attacks explainedGolden ticket, pass the ticket mi tm   kerberos attacks explained
Golden ticket, pass the ticket mi tm kerberos attacks explained
 
MySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to HaveMySQL Database Monitoring: Must, Good and Nice to Have
MySQL Database Monitoring: Must, Good and Nice to Have
 
substitution and transposition techniques_ppt.pptx
substitution and transposition techniques_ppt.pptxsubstitution and transposition techniques_ppt.pptx
substitution and transposition techniques_ppt.pptx
 
Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...
Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...
Software AI Accelerators: The Next Frontier | Software for AI Optimization Su...
 
Cryptographic algorithms
Cryptographic algorithmsCryptographic algorithms
Cryptographic algorithms
 

Similar to MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo

GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull RequestKasper Nissen
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMElasticsearch
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Securityguest2a5a03
 
Is It Safe? Security Hardening for Databases Using Kubernetes Operators
Is It Safe? Security Hardening for Databases Using Kubernetes OperatorsIs It Safe? Security Hardening for Databases Using Kubernetes Operators
Is It Safe? Security Hardening for Databases Using Kubernetes OperatorsDoKC
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
 
Cloud Native 下的應用網路設計
Cloud Native 下的應用網路設計Cloud Native 下的應用網路設計
Cloud Native 下的應用網路設計inwin stack
 
Active Directory Recon 101
Active Directory Recon 101Active Directory Recon 101
Active Directory Recon 101prashant3535
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Shakacon
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCynthia Thomas
 
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試Secview
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxmacchiang
 
使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster 使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster inwin stack
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesAjeet Singh Raina
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseFelipe Prado
 
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQueryCodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQueryMárton Kodok
 
Running Kubernetes with Amazon EKS - AWS Online Tech Talks
Running Kubernetes with Amazon EKS - AWS Online Tech TalksRunning Kubernetes with Amazon EKS - AWS Online Tech Talks
Running Kubernetes with Amazon EKS - AWS Online Tech TalksAmazon Web Services
 
Securing Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdfSecuring Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdfJesús Ángel Samitier
 

Similar to MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo (20)

GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull Request
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEM
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
Is It Safe? Security Hardening for Databases Using Kubernetes Operators
Is It Safe? Security Hardening for Databases Using Kubernetes OperatorsIs It Safe? Security Hardening for Databases Using Kubernetes Operators
Is It Safe? Security Hardening for Databases Using Kubernetes Operators
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
Cloud Native 下的應用網路設計
Cloud Native 下的應用網路設計Cloud Native 下的應用網路設計
Cloud Native 下的應用網路設計
 
Active Directory Recon 101
Active Directory Recon 101Active Directory Recon 101
Active Directory Recon 101
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPF
 
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linux
 
使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster 使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster
 
chaitraresume
chaitraresumechaitraresume
chaitraresume
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best Practices
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQueryCodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
 
Road to Cloud Native Orchestration
Road to Cloud Native Orchestration Road to Cloud Native Orchestration
Road to Cloud Native Orchestration
 
Running Kubernetes with Amazon EKS - AWS Online Tech Talks
Running Kubernetes with Amazon EKS - AWS Online Tech TalksRunning Kubernetes with Amazon EKS - AWS Online Tech Talks
Running Kubernetes with Amazon EKS - AWS Online Tech Talks
 
Securing Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdfSecuring Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdf
 

Recently uploaded

Critical Literature Review Final -MW.pdf
Critical Literature Review Final -MW.pdfCritical Literature Review Final -MW.pdf
Critical Literature Review Final -MW.pdfMollyWinterbottom
 
Architectural Preservation - Heritage, focused on Saudi Arabia
Architectural Preservation - Heritage, focused on Saudi ArabiaArchitectural Preservation - Heritage, focused on Saudi Arabia
Architectural Preservation - Heritage, focused on Saudi ArabiaIgnacio J. Palma, Arch PhD.
 
biofilm fouling of the membrane present in aquaculture
biofilm fouling of the membrane present in aquaculturebiofilm fouling of the membrane present in aquaculture
biofilm fouling of the membrane present in aquacultureVINETUBE2
 
chap. 3. lipid deterioration oil and fat processign
chap. 3. lipid deterioration oil and fat processignchap. 3. lipid deterioration oil and fat processign
chap. 3. lipid deterioration oil and fat processignteddymebratie
 
Sample Case Study of industry 4.0 and its Outcome
Sample Case Study of industry 4.0 and its OutcomeSample Case Study of industry 4.0 and its Outcome
Sample Case Study of industry 4.0 and its OutcomeHarshith A S
 
Module 2_ Divide and Conquer Approach.pptx
Module 2_ Divide and Conquer Approach.pptxModule 2_ Divide and Conquer Approach.pptx
Module 2_ Divide and Conquer Approach.pptxnikshaikh786
 
CDE_Sustainability Performance_20240214.pdf
CDE_Sustainability Performance_20240214.pdfCDE_Sustainability Performance_20240214.pdf
CDE_Sustainability Performance_20240214.pdf8-koi
 
PM24_Oral_Presentation_Template_Guidelines.pptx
PM24_Oral_Presentation_Template_Guidelines.pptxPM24_Oral_Presentation_Template_Guidelines.pptx
PM24_Oral_Presentation_Template_Guidelines.pptxnissamant
 
my goal is place in mnc's companies and got good salary
my goal is place in mnc's companies and got good salarymy goal is place in mnc's companies and got good salary
my goal is place in mnc's companies and got good salarymonoarul2004
 
Deluck Technical Works Company Profile.pdf
Deluck Technical Works Company Profile.pdfDeluck Technical Works Company Profile.pdf
Deluck Technical Works Company Profile.pdfartpoa9
 
Introduction about Technology roadmap for Industry 4.0
Introduction about Technology roadmap for Industry 4.0Introduction about Technology roadmap for Industry 4.0
Introduction about Technology roadmap for Industry 4.0RaishKhanji
 
SR Globals Profile - Building Vision, Exceeding Expectations.
SR Globals Profile -  Building Vision, Exceeding Expectations.SR Globals Profile -  Building Vision, Exceeding Expectations.
SR Globals Profile - Building Vision, Exceeding Expectations.srglobalsenterprises
 
ROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdf
ROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdfROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdf
ROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdfRudraPratapSingh871925
 
Documento 50 - 1-120 - 51+52 borrador.pdf
Documento 50 - 1-120 - 51+52 borrador.pdfDocumento 50 - 1-120 - 51+52 borrador.pdf
Documento 50 - 1-120 - 51+52 borrador.pdfFRANCISCOJUSTOSIERRA
 
Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...
Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...
Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...GauravBhartie
 
Pre-assessment & Data Sheet presentation template - 2023.pptx
Pre-assessment & Data Sheet presentation template - 2023.pptxPre-assessment & Data Sheet presentation template - 2023.pptx
Pre-assessment & Data Sheet presentation template - 2023.pptxssuserc79a6f
 
Plant Design for bioplastic production from Microalgae in Pakistan.pdf
Plant Design for bioplastic production from Microalgae in Pakistan.pdfPlant Design for bioplastic production from Microalgae in Pakistan.pdf
Plant Design for bioplastic production from Microalgae in Pakistan.pdfMianHusnainIqbal2
 
Gate-Level Simulation Methodology Improving Gate-Level Simulation Performance
Gate-Level Simulation Methodology Improving Gate-Level Simulation PerformanceGate-Level Simulation Methodology Improving Gate-Level Simulation Performance
Gate-Level Simulation Methodology Improving Gate-Level Simulation Performancesuddentrike2
 
Presentation of Helmet Detection Using Machine Learning.pptx
Presentation of Helmet Detection Using Machine Learning.pptxPresentation of Helmet Detection Using Machine Learning.pptx
Presentation of Helmet Detection Using Machine Learning.pptxasmitaTele2
 

Recently uploaded (20)

Critical Literature Review Final -MW.pdf
Critical Literature Review Final -MW.pdfCritical Literature Review Final -MW.pdf
Critical Literature Review Final -MW.pdf
 
Architectural Preservation - Heritage, focused on Saudi Arabia
Architectural Preservation - Heritage, focused on Saudi ArabiaArchitectural Preservation - Heritage, focused on Saudi Arabia
Architectural Preservation - Heritage, focused on Saudi Arabia
 
Going Staff
Going StaffGoing Staff
Going Staff
 
biofilm fouling of the membrane present in aquaculture
biofilm fouling of the membrane present in aquaculturebiofilm fouling of the membrane present in aquaculture
biofilm fouling of the membrane present in aquaculture
 
chap. 3. lipid deterioration oil and fat processign
chap. 3. lipid deterioration oil and fat processignchap. 3. lipid deterioration oil and fat processign
chap. 3. lipid deterioration oil and fat processign
 
Sample Case Study of industry 4.0 and its Outcome
Sample Case Study of industry 4.0 and its OutcomeSample Case Study of industry 4.0 and its Outcome
Sample Case Study of industry 4.0 and its Outcome
 
Module 2_ Divide and Conquer Approach.pptx
Module 2_ Divide and Conquer Approach.pptxModule 2_ Divide and Conquer Approach.pptx
Module 2_ Divide and Conquer Approach.pptx
 
CDE_Sustainability Performance_20240214.pdf
CDE_Sustainability Performance_20240214.pdfCDE_Sustainability Performance_20240214.pdf
CDE_Sustainability Performance_20240214.pdf
 
PM24_Oral_Presentation_Template_Guidelines.pptx
PM24_Oral_Presentation_Template_Guidelines.pptxPM24_Oral_Presentation_Template_Guidelines.pptx
PM24_Oral_Presentation_Template_Guidelines.pptx
 
my goal is place in mnc's companies and got good salary
my goal is place in mnc's companies and got good salarymy goal is place in mnc's companies and got good salary
my goal is place in mnc's companies and got good salary
 
Deluck Technical Works Company Profile.pdf
Deluck Technical Works Company Profile.pdfDeluck Technical Works Company Profile.pdf
Deluck Technical Works Company Profile.pdf
 
Introduction about Technology roadmap for Industry 4.0
Introduction about Technology roadmap for Industry 4.0Introduction about Technology roadmap for Industry 4.0
Introduction about Technology roadmap for Industry 4.0
 
SR Globals Profile - Building Vision, Exceeding Expectations.
SR Globals Profile -  Building Vision, Exceeding Expectations.SR Globals Profile -  Building Vision, Exceeding Expectations.
SR Globals Profile - Building Vision, Exceeding Expectations.
 
ROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdf
ROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdfROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdf
ROBOT PERCEPTION FOR AGRICULTURE AND GOOD PRODUCTION1.1.pdf
 
Documento 50 - 1-120 - 51+52 borrador.pdf
Documento 50 - 1-120 - 51+52 borrador.pdfDocumento 50 - 1-120 - 51+52 borrador.pdf
Documento 50 - 1-120 - 51+52 borrador.pdf
 
Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...
Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...
Microstrip Bandpass Filter Design using EDA Tolol such as keysight ADS and An...
 
Pre-assessment & Data Sheet presentation template - 2023.pptx
Pre-assessment & Data Sheet presentation template - 2023.pptxPre-assessment & Data Sheet presentation template - 2023.pptx
Pre-assessment & Data Sheet presentation template - 2023.pptx
 
Plant Design for bioplastic production from Microalgae in Pakistan.pdf
Plant Design for bioplastic production from Microalgae in Pakistan.pdfPlant Design for bioplastic production from Microalgae in Pakistan.pdf
Plant Design for bioplastic production from Microalgae in Pakistan.pdf
 
Gate-Level Simulation Methodology Improving Gate-Level Simulation Performance
Gate-Level Simulation Methodology Improving Gate-Level Simulation PerformanceGate-Level Simulation Methodology Improving Gate-Level Simulation Performance
Gate-Level Simulation Methodology Improving Gate-Level Simulation Performance
 
Presentation of Helmet Detection Using Machine Learning.pptx
Presentation of Helmet Detection Using Machine Learning.pptxPresentation of Helmet Detection Using Machine Learning.pptx
Presentation of Helmet Detection Using Machine Learning.pptx
 

MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo

  • 1. Kerberos - Protocol for Authentication & Authorization Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers MIT Kerberos
  • 2. Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software EngineersIdentity Management Implementation / OS Linux Windows MacOS MIT Kerberos Active Directory Heimdal MIT Kerberos where MIT MIT Kerberos is project written in C since 1980s. Open Source and Free: https://github.com/krb5/krb5 Last release: 1.16.1 (2018-05-03) MIT License Official Website | Tutorial | Documentation | Guide Distribution | Release Linux | Historic RFC | CVE | FAQ MIT Kerberos Kerberos (V5) is network authentication and authorization protocol with several implementations. "Kerberos allows to secure communications on untrusted networks but where each node is trusted"
  • 3. Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software EngineersIdentity Management Kerberos Features Features ● Kerberos is in place, mature, and stable and performant with symmetrical key ● Mutual authentication, integrity and confidentiality of communication ● Protected against eavesdropping and replay attacks ● No exposed Passwords, it should never be exposed during authentication (no password in code, call network or log ...) ● Not only HTTP but can secure other communication channels (SSH, login, ….) ● Largely implemented in each service (client and kerberized server) and libraries to kerberized services Kerberos secret = Metadata + Kerberos key Metadata = [ kvno, issue time, encryption, principal ] Kerberos key = getKey(password, salt, encryption) Keytabs = container(Kerberos key with Metadata) in binary file with right permission (owner +0400) and not encrypted. Authenticator = { PrincipalClient , Timestamp }KClient Ticket-Granting Ticket (TGT) = authentication credential Service Ticket-Granting (SGT) = authorization credential Principal = Kerberos entity (User or Service Principal Name) "Kerberos is primarily used over internal LANs to authenticate users." SSO client service service service Single Sign-On (SSO) ● One authentication to access to group of services. ● Ticket system where long term secrets generate short term secrets.
  • 4. Kerberos Environment
    Actors: Client (C), Service (S), Authentication Server (AS) and Ticket Granting Server (TGS); AS and TGS form the Key Distribution Center (KDC) with its database. The Kerberos server hosts the KDC; C and S are Kerberos clients.
    Step 1: Setup
    Install your KDC:
    ● create the master key
    ● create your Kerberos realm
    ● configuration: krb5.conf, kdc.conf
    Install the Kerberos clients:
    ● configuration: krb5.conf
    Step 2: Provisioning
    Creation of the principals (C and S) in the Kerberos database: Kerberos configuration and Kerberos key for each principal.
    Step 3: Secret deployment
    Deployment on each Kerberos client (C and S):
    ● keytabs (the Kerberos secrets)
  • 5. Kerberos Workflow for Authentication
    Actors: Client (C) with its credentials cache; Service (S) with its keytab and a replay cache; Authentication Server (AS) and Ticket Granting Server (TGS), forming the Key Distribution Center (KDC) with its database and a replay cache. Kerberos secrets: the keytab on the service side, the TGT and the SGT on the client side.
    (3) bis. The client tries to connect to the service, but the service requires Kerberos authentication and a TGS ticket.
    1 AS_REQUEST, AS_REPLY: Client and Authentication Server (result: TGS session)
    (1). Clear plaintext request for a Ticket Granting Ticket (TGT), with pre-authentication (should be configured) and an authenticator request.
    (2). User ID lookup in the KDC.
    (3). 2 messages:
      - A: TGT (encrypted with the AS secret key of the principal krbtgt/*)
      - B: TGS session key (encrypted with the client secret key)
    2 TGS_REQUEST, TGS_REPLY: Client and Ticket Granting Server (result: Service session)
    (4). 3 messages:
      - C: authenticator request (encrypted with the TGS session key)
      - D: clear plaintext request for access to the Service
      - E: TGT
    (5). Service lookup in the KDC.
    (6). 2 messages:
      - F: Service session key (encrypted with the TGS session key)
      - G: Ticket for the Service (encrypted with the Service secret key)
    3 AP_REQUEST, AP_REPLY: Client and Service (Service session)
    (7). 2 messages:
      - H: authenticator request (encrypted with the Service session key)
      - I: Ticket for the Service (encrypted with the Service secret key)
    (8). 1 message:
      - J: confirmation of the Service identity (encrypted with the Service session key)
    (9). Exchange of messages with the Service Ticket.
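The service side of exchange 3 (messages H, I and J) as an added example that is not part of the original deck: the service opens the ticket with its keytab key, opens the authenticator with the session key it finds inside, then enforces the ticket lifetime, the clock skew window and the replay cache before answering with J. An HMAC-SHA256 tag stands in for the Kerberos encryption types (integrity only, no confidentiality); the keys, principal, timestamps and the 300-second skew are constructed values.

```python
import hashlib, hmac, json

MAX_SKEW = 300  # seconds: the usual clockskew default, which is why the deck insists on NTP

def seal(key: bytes, fields: dict) -> dict:
    """Stand-in for a Kerberos enctype (constructed): HMAC-SHA256 tag over a JSON body."""
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body.hex(), "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def unseal(key: bytes, sealed: dict) -> dict:
    """Check the tag with the expected key: a wrong key or a modified body is rejected."""
    body = bytes.fromhex(sealed["body"])
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sealed["mac"]):
        raise ValueError("integrity check failed")
    return json.loads(body)

def replay_accept(rcache: set, client: str, ts: int, now: int) -> bool:
    """Service-side replay cache: a (client, timestamp) pair is accepted once per skew window."""
    rcache.difference_update({e for e in rcache if now - e[1] > MAX_SKEW})  # too old to pass skew
    if (client, ts) in rcache:
        return False
    rcache.add((client, ts))
    return True

def verify_ap_req(service_key: bytes, ap_req: dict, rcache: set, now: int) -> dict:
    """Service side: validate I and H in order, then answer with J; any failure raises."""
    ticket = unseal(service_key, ap_req["ticket"])        # I: only the keytab key opens it
    if not ticket["starttime"] <= now < ticket["endtime"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(session_key, ap_req["authenticator"])   # H: proves the client holds the session key
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - auth["timestamp"]) > MAX_SKEW:
        raise ValueError("clock skew too large")
    if not replay_accept(rcache, auth["client"], auth["timestamp"], now):
        raise ValueError("replay detected")
    return seal(session_key, {"timestamp": auth["timestamp"]})  # J: service proves it holds the key

def run_scenario() -> list:
    """Constructed scenario: a valid AP_REQ, the same one replayed 10 s later, then a stale one."""
    service_key, session_key, client = b"service-keytab-key", b"service-session-key", "alice@EXAMPLE.COM"
    ticket = seal(service_key, {"client": client, "session_key": session_key.hex(),
                                "starttime": 1000, "endtime": 37000})  # G, issued by the TGS
    rcache, results = set(), []
    ap_req = {"ticket": ticket, "authenticator": seal(session_key, {"client": client, "timestamp": 1000})}
    for now in (1000, 1010, 2000):
        try:
            reply = unseal(session_key, verify_ap_req(service_key, ap_req, rcache, now))
            results.append("ok" if reply["timestamp"] == 1000 else "bad reply")
        except ValueError as exc:
            results.append(str(exc))
    return results
```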
  • 6. Kerberos Realm and Trust for Authorization
    User Principal Name (UPN): user@REALM. An entity performing client requests to some service. Human or machine.
    Service Principal Name (SPN): service/fqdn@REALM. An entity processing requests for a specific service (HTTP, LDAP, SSH ...). Machine only.
    Trust unilateral: REALM A → REALM B
    Trust bilateral: REALM B ← → REALM C
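Principal parsing and the trust relations of this slide as an added example that is not part of the original deck: it splits a UPN or SPN into name, instance and realm, and walks the realm trusts to find the chain of realms a client must cross to reach a service. The trust direction (an arrow A → B meaning clients of A can obtain service tickets in B), the realm names and the principals are assumptions of the example.

```python
from collections import deque

def parse_principal(text: str) -> dict:
    """Split 'user@REALM' (UPN) or 'service/fqdn@REALM' (SPN) into its parts; reject anything else."""
    local, _, realm = text.rpartition("@")
    parts = local.split("/")
    if not realm or "@" in local or not all(parts) or len(parts) > 2:
        raise ValueError(f"malformed principal {text!r}")
    kind = "UPN" if len(parts) == 1 else "SPN"
    return {"kind": kind, "name": parts[0], "instance": parts[1] if kind == "SPN" else None, "realm": realm}

class TrustGraph:
    """Directed trusts between realms. Assumed direction: an edge A -> B means clients of A can
    obtain service tickets in B (the KDC of A issues a cross-realm TGT for B)."""
    def __init__(self):
        self.edges = {}

    def unilateral(self, src: str, dst: str) -> None:
        self.edges.setdefault(src, set()).add(dst)

    def bilateral(self, a: str, b: str) -> None:
        self.unilateral(a, b)
        self.unilateral(b, a)

    def path(self, client_realm: str, service_realm: str):
        """Breadth-first search: the realm chain the client's TGS requests traverse, or None."""
        previous, queue = {client_realm: None}, deque([client_realm])
        while queue:
            realm = queue.popleft()
            if realm == service_realm:
                chain = []
                while realm is not None:
                    chain.append(realm)
                    realm = previous[realm]
                return chain[::-1]
            for nxt in sorted(self.edges.get(realm, ())):
                if nxt not in previous:
                    previous[nxt] = realm
                    queue.append(nxt)
        return None

def can_request_ticket(trusts: TrustGraph, client: str, service: str):
    """Authorization pre-check: the target must be an SPN reachable from the client's realm."""
    c, s = parse_principal(client), parse_principal(service)
    if s["kind"] != "SPN":
        raise ValueError(f"{service!r} is not a service principal")
    return trusts.path(c["realm"], s["realm"])

def build_slide_trusts() -> TrustGraph:
    """Constructed trusts matching the slide: A -> B unilateral, B <-> C bilateral (realm names assumed)."""
    trusts = TrustGraph()
    trusts.unilateral("A.EXAMPLE", "B.EXAMPLE")
    trusts.bilateral("B.EXAMPLE", "C.EXAMPLE")
    return trusts
```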
  • 7. Kerberos Monitoring @Criteo
    Kerberos servers expose: krb5kdc:88, kadmind:749, kpasswd:464, kpropd:754
    Health checks: Blackbox exporter, Kerberos Probe (TGT & TGS)
    Basic metrics: collectd/kerberos exporter, prometheus, consul
    Dashboard for visualisation: Grafana
    Logs: Rsyslog, elastic search, kibana
    Network traces: wireshark
    Alerting: Alertmanager (email, PagerDuty, slack)
  • 8. Technical Stack around Kerberos @Criteo
    Technical Stack:
    ● Discovery: DNS + Consul
    ● Clock synchronisation: NTP
    ● Backup: Storage
    ● Log Analysis: Rsyslog + ES + Kibana
    ● Monitoring & Alerting: Prometheus + Grafana + Graphite
    ● Secret Management: chef-vault + vault
    ● Infrastructure Automation: Chef server
    Kerberos server side: Kerberos servers with Kerberos databases (native or LDAP), consul.
    Kerberos client side: service user (UPN), physical user (UPN), SPN (kerberized service), chef server; a chef client on each node.
    Secret deployment: from the chef server to the chef clients.
  • 9. Technical Stack around Kerberos @Criteo: Clock synchronisation
    Same technical stack as the previous slide, highlighting clock synchronisation: an ntp client on each Kerberos server and on each Kerberos client (UPN, SPN, chef server), synchronised with NTP.
  • 10. Technical Stack around Kerberos @Criteo: Discovery and DNS
    Same technical stack as slide 8, highlighting discovery with DNS:
    ● Domain name resolution, and reverse resolution with PTR records
    ● Round robin between Kerberos servers with SRV records
    ● Flow: a Kerberos client holding a TGT sends a TGS_REQUEST, receives a TGS_REPLY with the SGT, makes a connection attempt and establishes the Kerberos communication with the service
  • 11. Implemented HTTP SSO with Kerberos
    Diagram: an SSO client goes through a proxy to a controller protected by an authentication filter, either on IIS (Windows) or on Linux.
    ● human to machine
    ● machine to machine
  • 12. Kerberos for your application in Java
    Client side: client application with user.keytab, krb5.conf and .java.login.config; Krb5LoginModule (JAAS), GSS-API/SASL, Kerberos SPNEGO.
    Server side: server application with service.keytab, krb5.conf and .java.login.config; Krb5LoginModule (JAAS), GSS-API/SASL, Kerberos SPNEGO.
    Client and server establish the Kerberos communication.
    ● SASL: Simple Authentication and Security Layer
    ● SPNEGO: Simple and Protected GSS-API Negotiation Mechanism
    ● JAAS: Java Authentication and Authorization Service
    ● GSS-API: Generic Security Service Application Program Interface
  • 13. Demo Time
    ● Kerberos servers: kerberos-docker
    ● wireshark
    ● Apache2 (http) with a keytab
    ● Mongo (mongodb) with a keytab
    ● kinit -R, kinit -k keytab, klist, login/password; credentials cache in the file system
    ● OpenSSH: ssh + delegation
    ● Java client and Java server over a socket; credentials cache in JVM memory
  • 14. Wouff… It is the end!
    Kerberos - Protocol for Authentication & Authorization
    MIT Kerberos
  • 15. References
    Learn Kerberos authentication
    ● Tutorial Kerberos
      ○ https://www.kerberos.org/software/tutorial.html
    ● The MIT Kerberos Administrator’s How-to Guide
      ○ https://www.kerberos.org/software/adminkerberos.pdf
    ● Best Practices for Integrating Kerberos into Your Application
      ○ https://www.kerberos.org/software/appskerberos.pdf
    ● Why is Kerberos a credible security solution?
      ○ https://www.kerberos.org/software/whykerberos.pdf
    ● Kerberos database can be OpenLDAP
      ○ https://www.openldap.org
    ● Kerberos: The Definitive Guide, O’Reilly
      ○ http://shop.oreilly.com/product/9780596004033.do
    Kerberos for GAFA
    ● Google
      ○ Google Search Appliance uses Kerberos
        ■ https://support.google.com/gsa/answer/6055202?hl=en
    ● Apple
      ○ Authentication and Identification In Depth
        ■ https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Authentication/Authentication.html
    ● Facebook
      ○ https://developers.facebook.com/docs/workplace/authentication/sso (no public references found)
    ● Amazon
      ○ Use Kerberos Authentication
        ■ https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-kerberos.html
  • 16. References
    Kerberos implementation
    ● MIT: MIT Kerberos
      ○ http://web.mit.edu/kerberos
      ○ What is Kerberos?
        ■ http://web.mit.edu/kerberos/www/#what_is
      ○ MIT Kerberos Consortium
        ■ http://kerberos.org/software/
      ○ Source code:
        ■ GitHub:
    ● Microsoft: Active Directory
      ○ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
      ○ What is Kerberos Authentication?
        ■ https://technet.microsoft.com/pt-pt/library/cc780469(v=ws.10).aspx
      ○ Microsoft Kerberos
        ■ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx
    ● Heimdal: Heimdal Kerberos
      ○ https://www.h5l.org
      ○ What is Heimdal/Kerberos?
        ■ https://github.com/heimdal/heimdal/wiki
      ○ Source code:
        ■ GitHub: https://github.com/heimdal/heimdal/releases
    There are other KDC client/server implementations, such as Apache Kerby, to run a KDC "in memory" in Java:
    ● https://github.com/apache/directory-kerby
  • 17. References
    Single Sign On with Kerberos and SPNEGO
    ● Microsoft: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
      ○ https://msdn.microsoft.com/en-us/library/ms995329.aspx
    ● IBM: Single sign-on for HTTP requests using SPNEGO web authentication in WebSphere application
      ○ https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.wlp.core.doc/ae/cwlp_spnego.html
      ○ https://www.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/csec_SPNEGO_explain.html#csec_SPNEGO_explain__SPNEGOkerb
    ● SAP: Single Sign-On: Authenticate with Kerberos/SPNEGO
      ○ https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
    Operating system Linux and Kerberos
    ● RedHat (and CentOS): Using Kerberos
      ○ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/using_kerberos
    ● Ubuntu: Kerberos
      ○ https://help.ubuntu.com/lts/serverguide/kerberos.html.en
    ● Arch Linux: Kerberos
      ○ https://wiki.archlinux.org/index.php/Kerberos
    ● Fedora
      ○ https://fedoraproject.org/wiki/Infrastructure/Kerberos
    (Missing for macOS and Windows: this presentation covers Linux only)
  • 18. References
    Kerberos in Java
    ● Oracle (and Sun): Single Sign-on Using Kerberos in Java
      ○ https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm
    ● OpenJDK:
      ○
    ● Apache:
      ○ Apache Kerby:
        ■ http://directory.apache.org/kerby/
        ■ source code:
          ● GitHub: https://github.com/apache/directory-kerby
      ○ Hadoop:
        ■ Hadoop in Secure Mode
          ● https://hadoop.apache.org/docs/r3.0.0/hadoop-project-dist/hadoop-common/SecureMode.html
        ■ source code:
          ● GitHub: https://github.com/apache/hadoop-common/tree/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security
    ● Java Server
      ○ Tomcat
        ■ https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
      ○ Jetty
        ■ http://www.eclipse.org/jetty/documentation/current/spnego-support.html
      ○ JBoss
        ■ https://developer.jboss.org/wiki/HowToImplementKerberosAuthenticationWithASimpleRESTWebApp
      ○ Spring
        ■ https://spring.io/projects/spring-security-kerberos#overview
  • 19. References
    Kerberos in Python
    ● Apple:
      ○ https://github.com/apple/ccs-pykerberos
    ● Requests:
      ○ https://github.com/requests/requests-kerberos
    ● Python GSSAPI
      ○ https://github.com/pythongssapi
    Kerberos with Proxy/Reverse Proxy
    ● Apache2
      ○ mod_auth_gssapi
        ■ https://github.com/modauthgssapi/mod_auth_gssapi
      ○ mod_auth_kerb
        ■ http://modauthkerb.sourceforge.net
      ○ mod_authnz_ldap
        ■ http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
    ● NGINX
      ○ https://www.nginx.com/blog/nginx-plus-authenticate-users/
    ● HAProxy
      ○ https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/
  • 20. References
    Kerberos and LDAP
    ● OpenLDAP:
      ○ https://www.openldap.org
    ● Microsoft:
      ○ https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
    ● Ubuntu:
      ○ https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html.en
      ○ https://help.ubuntu.com/lts/serverguide/openldap-server.html.en
    ● MIT:
      ○ https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
    Kerberos with Wireshark and Tshark
    ● https://wiki.wireshark.org/Kerberos
    ● https://www.wireshark.org/docs/man-pages/tshark.html
    Kerberos is different
    ● Kerberos vs SSL/TLS
      ○ https://www.secureblackbox.com/kb/articles/6-Kerberos.rst
    ● Kerberos vs SPNEGO
      ○ https://developer.ibm.com/answers/questions/246107/what-is-the-difference-between-kerberos-and-spnego/
    Kerberos GSS-API
    ● GNU Generic Security:
      ○ https://www.gnu.org/software/gss/manual/gss.html#GSS_002dAPI-Overview
    ● Oracle:
      ○ https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/index.html
  • 21. References
    Kerberos and RFCs
    ● RFC 1510 The Kerberos Network Authentication Service (V5) [Obsolete]
    ● RFC 1964 The Kerberos Version 5 GSS-API Mechanism
    ● RFC 3961 Encryption and Checksum Specifications for Kerberos 5
    ● RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
    ● RFC 4120 The Kerberos Network Authentication Service (V5) [Current]
    ● RFC 4121 The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
    ● RFC 4537 Kerberos Cryptosystem Negotiation Extension
    ● RFC 4556 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    ● RFC 4557 Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    ● RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows [Obsolete]
    ● RFC 5021 Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
    ● RFC 5349 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    ● RFC 5868 Problem Statement on the Cross-Realm Operation of Kerberos
    ● RFC 5896 Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
    ● RFC 6111 Additional Kerberos Naming Constraints
    ● RFC 6112 Anonymity Support for Kerberos
    ● RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
    ● RFC 6251 Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
    ● RFC 6448 The Unencrypted Form of Kerberos 5 KRB-CRED Message
    ● RFC 6542 Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility
    ● RFC 6560 One-Time Password (OTP) Pre-Authentication
    ● RFC 6649 Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
    ● RFC 6784 Kerberos Options for DHCPv6
    ● RFC 6803 Camellia Encryption for Kerberos 5
    ● RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
    ● RFC 6880 An Information Model for Kerberos Version
    See https://en.wikipedia.org/wiki/Kerberos_(protocol) and https://datatracker.ietf.org/doc/search/?name=Kerberos&sort=&rfcs=on