This document provides a high-level overview of how Kerberos authentication works. It explains that Kerberos uses a trusted third party called the Key Distribution Center (KDC) to mediate authentication between users and services. The KDC distributes session keys to allow communication and verifies users' identities through cryptographic operations. It also describes how Kerberos implements single sign-on through the use of ticket-granting tickets obtained from the KDC. Some advantages of Kerberos include strong authentication without sending passwords over the network and more convenient single sign-on for users.
An Introduction to Kerberos
1. An Introduction to Kerberos
Shumon Huque
ISC Networking & Telecommunications
University of Pennsylvania
March 19th 2003

2. What this talk is about
- A high-level view of how Kerberos works
- How Kerberos differs from some other authentication systems
  SSH password auth, SSH public key auth, SSL
- Target audience:
  LSPs, computing staff, others?

3. What this talk is not about
- Details of Penn's Kerberos deployment plans
  How to get PennKeys, which Kerberos-enabled applications do I need to use
- Writing Kerberized applications
- In-depth protocol details and packet formats
- Number theory & cryptography

4. What is Kerberos?
- Developed at M.I.T.
- A secret-key based service for providing authentication in open networks
- Authentication mediated by a trusted 3rd party on the network:
  the Key Distribution Center (KDC)

5. Kerberos: etymology
- The 3-headed dog that guards the entrance to Hades
- Originally, the 3 heads represented the 3 A's
- But one A was work enough!
7. Fluffy, the 3-headed dog, from "Harry Potter and the Sorcerer's Stone"

8. Some Kerberos benefits
- Standards-based strong authentication system
- Wide support in various operating systems
- Makes strong authentication readily available for use with campus computer systems
- Prevents transmission of passwords over the network
- Provides "single sign-on" capability
  Only 1 password to remember
  Only need to enter it once per day (typically)

9. So, what is Authentication?
- The act of verifying someone's identity
- The process by which users prove their identity to a service
- Doesn't specify what a user is allowed or not allowed to do (that is Authorization)

10. Password based Authentication
- Transmit the password in the clear over the network to the server
- Main problem: eavesdropping/interception

11. Cryptographic Authentication
- No password or secret is transferred over the network
- Users prove their identity to a service by performing a cryptographic operation, usually on a quantity supplied by the server
- The crypto operation is based on the user's secret key

12. Encryption and Decryption
- Encryption
  Process of scrambling data using a cipher and a key in such a way that it is intelligible only to the recipient
- Decryption
  Process of unscrambling encrypted data using a cipher and key (possibly the same key used to encrypt the data)

13. Symmetric Key Cryptography
- Aka Secret Key cryptography
- The same key is used for both encryption and decryption operations (symmetry)
- Examples: DES, 3DES, AES

14. Asymmetric Key Cryptography
- Aka Public Key cryptography
- A pair of related keys is used:
  Public and Private keys
  The Private key can't be calculated from the Public key
- Data encrypted with one can only be decrypted with the other
- Usually, a user publishes his public key widely
  Others use it to encrypt data intended for the user
  The user decrypts using the private key (known only to him)
- Example: RSA

15. Communicating Parties
- Alice and Bob
  Alice: initiator of the communication
  Think of her as the "client" or "user"
  Bob: correspondent or 2nd participant
  Think of him as the "server"
  "Alice" wants to access service "Bob"
- Baddies:
  Eve, Trudy, Mallory
18. Problems with this scheme
- Poor scaling properties when every user shares a secret key directly with every service
- Generalizing the model for m users and n services requires a priori distribution of m x n shared keys
- Possible improvement:
  Use a trusted 3rd party, with which each user and service shares a secret key: m + n keys
  Also has important security advantages

19. Mediated Authentication
- A trusted third party mediates the authentication process
- Called the Key Distribution Center (KDC)
- Each user and service shares a secret key with the KDC
- The KDC generates a session key, and securely distributes it to the communicating parties
- The communicating parties prove to each other that they know the session key

20. Mediated Authentication
- Nomenclature:
  Ka = Master key for "alice", shared by alice and the KDC
  Kab = Session key shared by "alice" and "bob"
  Tb = Ticket to use "bob"
  K{data} = "data" encrypted with key "K"
24. Kerberos uses timestamps
- Timestamps are used as nonces in the mutual authentication phase of the protocol
- This reduces the total number of messages in the protocol
- But it means that Kerberos requires reasonably synchronized clocks amongst the users of the system
  Implementations reject timestamps that are too far off; MIT Kerberos, for example, tolerates a clock skew of 5 minutes by default
28. Kerberos (detailed)
- Each user and service registers a secret key with the KDC
- Everyone trusts the KDC
  "Put all your eggs in one basket, and then watch that basket very carefully" (Mark Twain)
- The user's key is derived from a password, by applying a hash function
- The service key is a large random number, and is stored on the server
29. Kerberos "principal"
- A client of the Kerberos authentication service
- A user or a service
- Format:
  name/instance@REALM
- Examples:
  peggy@UPENN.EDU
  ftp/pobox.upenn.edu@UPENN.EDU
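A parser for the principal syntax above, added here as an example; it is not code from the original talk or from any Kerberos implementation. It handles the general form rather than only the two-component examples on the slide: any number of "/"-separated components, an optional realm filled in from a caller-supplied default, and MIT-style backslash escapes for "/", "@" and "\". The Principal class, the function names and the choice of default realm are assumptions made for the example.

```python
from dataclasses import dataclass

_SPECIAL = {"/", "@", "\\"}   # must be backslash-escaped inside a component


@dataclass(frozen=True)
class Principal:
    components: tuple   # ("ftp", "pobox.upenn.edu") for ftp/pobox.upenn.edu@UPENN.EDU
    realm: str          # "UPENN.EDU"

    def __str__(self):
        # Re-escape so that parse_principal(str(p)) == p round-trips.
        def esc(s):
            return "".join("\\" + c if c in _SPECIAL else c for c in s)
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)


def parse_principal(text, default_realm=None):
    """Parse name[/instance...][@REALM] into a Principal.

    '/' separates components and '@' introduces the realm; a backslash escapes
    the character after it (MIT-style syntax, an assumption for this example).
    A missing realm is taken from default_realm; no default at all is an error,
    because an unqualified name is ambiguous once more than one realm exists.
    """
    components, buf, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash in principal name")
            buf.append(text[i + 1])       # escaped character, taken literally
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif ch == "@":
            if in_realm:
                raise ValueError("more than one unescaped '@' in principal name")
            components.append("".join(buf))
            buf, in_realm = [], True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        realm = "".join(buf)
    else:
        components.append("".join(buf))
        realm = default_realm
    if not realm:
        raise ValueError("principal has no realm and no default realm was given")
    if any(c == "" for c in components):
        raise ValueError("empty component in principal name")
    return Principal(tuple(components), realm)


def same_principal(a, b, default_realm=None):
    """Compare two textual principals structurally, so that 'peggy' under the
    default realm and 'peggy@UPENN.EDU' are recognised as the same identity."""
    return parse_principal(a, default_realm) == parse_principal(b, default_realm)
```

The structural comparison is the part worth copying: a service that decides access by comparing the client name from a ticket against an access list as raw strings will treat "peggy" and "peggy@UPENN.EDU" as different users, or worse, treat "peggy@SAS.UPENN.EDU" as a prefix match, whereas parsing first makes the realm part of the identity.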
30. Kerberos without TGS
- A simplified description of Kerberos without the concept of a TGS (Ticket Granting Service)

36. Review: Kerberos Credentials
- Ticket
  Allows the user to use a service (more precisely, to authenticate to it)
  Used to securely pass the identity of the user to which the ticket is issued between the KDC and the application server
  Kb{"alice", Kab, lifetime}
- Authenticator
  Proves that the user presenting the ticket is the user to which the ticket was issued
  Proof that the user knows the session key
  Prevents ticket theft from being useful
  Prevents replay attacks (timestamp encrypted with the session key): Kab{timestamp}, in combination with a replay cache on the server
40. Kerberos with TGS
- Ticket Granting Service (TGS):
  A Kerberos-authenticated service that allows a user to obtain tickets for other services
  Co-located with the KDC
- Ticket Granting Ticket (TGT):
  Ticket used to access the TGS and obtain service tickets
- Limited-lifetime session key: the TGS session key
  Shared by the user and the TGS
- TGT and TGS session key cached on Alice's workstation

41. TGS Benefits
- Single Sign-on (SSO) capability
- Limits exposure of the user's password
  Alice's workstation can forget the password immediately after using it in the early stages of the protocol
  Less data encrypted with the user's secret key travels over the network, limiting an attacker's access to data that could be used in an offline dictionary attack
46. Levels of Session Protection
- Initial authentication only
- Safe messages (KRB_SAFE):
  Authentication of every message
  Keyed hashing with the session key
- Private messages (KRB_PRIV):
  + Encryption of every message
  With the session key, or mutually negotiated subsession keys
- Note: the application can choose other methods
47. Pre-authentication
- Kerberos 5 added pre-authentication
  The client is required to prove its identity to the Kerberos AS in the first step
  By supplying an encrypted timestamp (encrypted with the user's secret key)
  This prevents an active attacker from easily obtaining data from the KDC encrypted with any user's key, and then mounting an offline dictionary attack
  Note that an eavesdropper who captures a legitimate client's encrypted timestamp still has material to guess against; pre-authentication stops the attacker from asking for that material, it does not remove it from the wire
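The exchanges described on slides 19-20, 28, 36, 40-41 and 47, put together as one runnable simulation. This is an added example, not code from the original talk or from any Kerberos implementation, and it makes the following assumptions: the enctype is a toy (HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag) standing in for real ones such as aes256-cts-hmac-sha1-96; the password-to-key step uses PBKDF2 where real Kerberos uses the enctype's own string-to-key function; the realm EXAMPLE.COM, the principals, the password "wombat42" and the wordlist are constructed; and the error strings are modelled on the KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED codes of RFC 4120. The KDC, the service Bob and Alice's workstation are functions in one process so that each message can be inspected.

```python
import hashlib
import hmac
import json
import os
import time

# Toy enctype (assumption; real Kerberos uses e.g. aes256-cts-hmac-sha1-96):
# HMAC-SHA256 keystream plus an encrypt-then-MAC tag, so that, as with a real
# enctype, decryption under the wrong key fails the integrity check.
def _stream(key, nonce, n):                  # n bytes of keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key, obj):                       # K{obj} in the slides' notation
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password, principal):      # slide 28: Ka is derived from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

REALM = "EXAMPLE.COM"                        # constructed realm, principals and password
ALICE, BOB = f"alice@{REALM}", f"host/bob.example.com@{REALM}"
TGS = f"krbtgt/{REALM}@{REALM}"
KDC_DB = {ALICE: string_to_key("wombat42", ALICE),   # deliberately weak password
          TGS: os.urandom(32), BOB: os.urandom(32)}  # service keys: large random numbers
LIFETIME, SKEW = 8 * 3600, 300               # ticket lifetime; tolerated clock skew (slide 24)
REPLAY_CACHE = {TGS: set(), BOB: set()}      # per-service record of authenticators seen

def issue(client, service, now):             # ticket Ks{client, Kcs, expiry} plus Kcs
    k = os.urandom(32)
    t = encrypt(KDC_DB[service], {"client": client, "key": k.hex(), "expires": now + LIFETIME})
    return t, k

def authenticator(client, key, now):         # slide 36: Kcs{timestamp}
    return encrypt(key, {"client": client, "timestamp": now})

def accept(service, ticket, auth, now):
    """AP exchange at a service: open the ticket, check the authenticator against it
    and the replay cache, answer with Kcs{timestamp} so the client can verify us."""
    t = decrypt(KDC_DB[service], ticket)     # only the service holds this key
    k = bytes.fromhex(t["key"])
    a = decrypt(k, auth)                     # only a holder of Kcs can have built this
    if now > t["expires"] or a["client"] != t["client"] or abs(a["timestamp"] - now) > SKEW:
        raise ValueError("expired ticket, or authenticator that does not match it")
    if (a["client"], a["timestamp"]) in REPLAY_CACHE[service]:
        raise ValueError("replayed authenticator")
    REPLAY_CACHE[service].add((a["client"], a["timestamp"]))
    return t["client"], k, encrypt(k, {"timestamp": a["timestamp"]})

def as_exchange(client, now, preauth=None, require_preauth=True):
    """KDC side of AS-REQ/AS-REP: a TGT and Ka{TGS session key}. With pre-authentication
    (slide 47) the request must carry Ka{timestamp}; without it, anyone naming 'client'
    receives material encrypted under Ka."""
    ka = KDC_DB[client]
    if preauth is None and require_preauth:
        raise ValueError("KDC_ERR_PREAUTH_REQUIRED")
    if preauth is not None and abs(decrypt(ka, preauth)["timestamp"] - now) > SKEW:
        raise ValueError("KDC_ERR_PREAUTH_FAILED")
    tgt, k_tgs = issue(client, TGS, now)
    return tgt, encrypt(ka, {"key": k_tgs.hex()})

def tgs_exchange(tgt, auth, service, now):
    """KDC side of TGS-REQ/TGS-REP: the TGS is itself a Kerberized service (slide 40)."""
    client, k_tgs, _ = accept(TGS, tgt, auth, now)
    ticket, kab = issue(client, service, now)
    return ticket, encrypt(k_tgs, {"key": kab.hex()})

def login_and_access(password, now=None):
    """Alice's workstation: AS, TGS and AP exchanges, then Eve replays the authenticator."""
    now = now or int(time.time())
    ka = string_to_key(password, ALICE)
    tgt, rep = as_exchange(ALICE, now, authenticator(ALICE, ka, now))
    k_tgs = bytes.fromhex(decrypt(ka, rep)["key"])
    del ka                                   # slide 41: forget the password-derived key
    ticket, rep = tgs_exchange(tgt, authenticator(ALICE, k_tgs, now), BOB, now)
    kab = bytes.fromhex(decrypt(k_tgs, rep)["key"])
    auth = authenticator(ALICE, kab, now)
    who, _, ap_rep = accept(BOB, ticket, auth, now)
    mutual = decrypt(kab, ap_rep)["timestamp"] == now   # Bob proved he knows Kab
    try:
        accept(BOB, ticket, auth, now)       # same ticket and authenticator, second time
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return who, mutual, replay_blocked

def dictionary_attack(blob, client, wordlist):
    """Offline guessing against anything encrypted under Ka: derive a key per
    guess and let the integrity check say whether the guess was right."""
    for guess in wordlist:
        try:
            decrypt(string_to_key(guess, client), blob)
            return guess
        except ValueError:
            continue
    return None
```

login_and_access walks the three exchanges and returns what Bob learned about the client, whether the AP-REP proved that Bob knows Kab, and whether the replayed authenticator was rejected by the replay cache. dictionary_attack shows why slide 47 matters: with require_preauth=False the KDC hands Ka{...} to anyone who merely names Alice, and a short wordlist recovers her weak password offline; with pre-authentication on, the same request is refused before anything under Ka leaves the KDC. The same function run against a captured pre-authentication blob would still succeed, which is the caveat above in code.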
49. Kerberos & Two-factor auth
- In addition to a secret password, the user is required to present a physical item:
  A small electronic device: a hardware authentication token
  Generates non-reusable numeric responses
- Called 2-factor authentication, because it requires 2 things:
  Something the user knows (password)
  Something the user has (hardware token)

52. Kerberos and Public Key Crypto
- Proposed enhancements
  Public key crypto for Initial Authentication: "PKINIT" (later standardised as RFC 4556)
  Public key crypto for Cross-realm Authentication: "PKCROSS"
53. Kerberos: summary
- Authentication method:
  Users enter their password on the local machine only
  Authenticated via the central KDC once per day
  No passwords travel over the network
- Single Sign-on (via TGS):
  The KDC gives you a special "ticket", the TGT, usually good for the rest of the day
  The TGT can be used to get other service tickets allowing the user to access those services (when presented along with authenticators)

54. Advantages of Kerberos (1)
- Passwords aren't exposed to eavesdropping
- The password is only typed into the local workstation
  It never travels over the network
  It is never transmitted to a remote server
- Password guessing is more difficult
- Single Sign-on
  More convenient: only one password, entered once
  Users may be less likely to store passwords
- Stolen tickets are hard to reuse
  The authenticator is needed as well, and it can't be reused
  (A ticket stolen together with its session key from a credential cache is another matter: the thief can then build fresh authenticators for as long as the ticket is valid)
- Much easier to effectively secure a small set of limited-access machines (the KDCs)

55. Advantages of Kerberos (2)
- Easier to recover from host compromises
- Centralized user account administration

56. Kerberos caveats
- The Kerberos server can impersonate anyone
- The KDC is a single point of failure
  Can have replicated KDCs
- The KDC could be a performance bottleneck
  Everyone needs to communicate with it frequently
  Not a practical concern these days
  Having multiple KDCs alleviates the problem
- If the local workstation is compromised, the user's password could be stolen by a trojan horse
  Only use a desktop machine or laptop that you trust
  Use hardware token pre-authentication

57. Kerberos caveats (2)
- Kerberos is vulnerable to password guessing attacks
  Choose good passwords!
  Use hardware pre-authentication
  Hardware tokens, smart cards, etc.
58. References
- Kerberos: An Authentication Service for Open Network Systems
  Steiner, Neuman, Schiller, Winter USENIX 1988
- Kerberos: An Authentication Service for Computer Networks
  Neuman and Ts'o, IEEE Communications, September 1994
- A Moron's Guide to Kerberos, Brian Tung
  http://www.isi.edu/gost/brian/security/kerberos.html
- Designing an Authentication System: A Dialogue in Four Scenes
  Bill Bryant, 1988
  http://web.mit.edu/kerberos/www/dialogue.html

59. References (cont)
- RFC 1510: The Kerberos Network Authentication Service (V5)
  Kohl and Neuman, September 1993
- draft-ietf-krb-wg-kerberos-clarifications-03.txt
  IETF Kerberos Working Group: RFC 1510 revision (published in 2005 as RFC 4120)
- Using Encryption for Authentication in Large Networks of Computers
  Roger Needham, Michael D. Schroeder
  CACM, Volume 21, December 1978, pp 993-999