This document provides an overview of Kerberos, including:
- Kerberos is an authentication protocol that uses symmetric encryption and timestamps to allow nodes communicating over an insecure network to verify each other's identity securely.
- It works by having a client first authenticate with an authentication server to obtain a ticket-granting ticket, then uses that ticket to obtain additional tickets for access to other services.
- Kerberos addresses the need for secure authentication in distributed network environments where the workstations themselves cannot be fully trusted.
Kerberos is a network authentication protocol that uses "tickets" to allow nodes on a non-secure network to prove their identity to one another securely. It provides mutual authentication and is protected against eavesdropping and replay attacks. Kerberos uses a central authentication server and ticket-granting services to authenticate clients and allow them secure access to other services on the network. However, Kerberos has some limitations, such as being vulnerable if the central authentication server is compromised.
Password cracking is a technique used to recover passwords through either guessing or using tools to systematically check all possible combinations of characters. Brute force cracking involves trying every possible combination of characters while dictionary attacks use common words and permutations. Cracking can be done offline by accessing a stored hash of the password or online by attempting login repeatedly. Strong passwords are long, complex, and unique for each account to prevent cracking.
This document provides a summary of key concepts related to web application technologies. It discusses HTTP and HTTP requests/responses, including common headers. It also covers client-side technologies like HTML, CSS, JavaScript, and how they interact with the server via HTTP. On the server-side, it discusses programming languages and frameworks like Java, ASP.NET, PHP, and common databases. It also covers concepts like cookies, sessions, and different encoding schemes used to transmit data.
This document summarizes a seminar presentation on public key infrastructure (PKI). It discusses key concepts of PKI including digital signatures, certificates, validation, revocation, and the roles of certification authorities. The presentation covers how asymmetric encryption, hashing, and digital signatures enable secure authentication and authorization in a PKI. It also examines the entities, operations, and technologies involved in implementing and managing a PKI, such as certificate authorities, registration authorities, key generation and storage, and certification revocation lists.
CNIT 40: 1: The Importance of DNS Security (Sam Bowne)
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
This document provides an introduction to Security Assertion Markup Language (SAML) 2.0, including:
- SAML is an XML-based standard for exchanging authentication and authorization data between parties like an identity provider and service provider.
- It defines roles like identity providers, service providers, and users.
- SAML supports single sign-on, attribute sharing, identity federation, and other use cases through protocols, bindings, and profiles.
- Liferay supports acting as an identity provider or service provider using SAML through an enterprise edition plugin, allowing configuration as an IdP or SP through properties and metadata files.
- The presentation demonstrates SAML single sign-on flows and configurations using examples.
Port scanning involves sending packets to ports on a target system to discover which ports are open and may be exploited. There are several common port scanning techniques like TCP connect scanning, SYN scanning, FIN scanning, and UDP scanning. Port scanners try to avoid detection by scanning slowly, spoofing packets, or fragmenting packets. Systems can detect port scans through signatures like many connections to different ports from the same source in a short time.
The Secure Inter-branch Payment Transactions case study describes the current electronic payment system used by General Bank of India to transfer funds between branches, which utilizes a central server but lacks strong security. Improvements are needed to add encryption, digital signatures for non-repudiation, and a public key infrastructure to securely distribute keys. Cryptographic toolkits and smart cards could also be incorporated into the system to enhance security of financial transactions transmitted over the private network.
This document discusses various aspects of web security, including the need for security when transmitting data over the internet and common security measures like authentication, authorization, encryption, and accountability. It describes techniques for securing web applications such as SSL, firewalls, and VPNs. It provides details on authentication methods like basic authentication and form-based authentication. It also explains concepts like SSL certificates and VPN types, and how firewalls and SSL work.
This document summarizes encryption techniques for securing electronic mail. It describes Pretty Good Privacy (PGP), a popular encryption software, and S/MIME, an emerging industry standard. PGP provides authentication, confidentiality, compression, and other services. It segments long messages for transmission. S/MIME uses public-key encryption and certificates to provide encrypted and signed messages and is compatible with SMTP email.
Real Attacks on Blockchain Systems & Countermeasures (NUS-ISS)
In this talk, the speaker will survey the security attacks on blockchain and compartmentalise attacks that are generic to IT systems, singling out real attacks specific to blockchain and their countermeasures.
Chair: Simon Cooper, trust and identity services group manager, Jisc.
How to solve the top five network challenges for higher education in 2017
Speaker: Martin Wellsted, regional manager northern territory, Efficient IP.
This session will focus on the new network challenges schools and universities face as competition for enrollment and reputation increases, budgets tighten, and the onslaught of Internet of Things and BYOD continue.
Practical solutions to security, IP address management, and process automation problems will be discussed.
This document discusses recommendations for securing an Active Directory environment. It recommends a single forest single domain architecture by default, but acknowledges exceptions may exist. It introduces a tier model for access control and recommends restricting privilege escalation through measures like privileged access workstations and assessing AD security. It also recommends restricting lateral movement, implementing attack detection solutions, and preparing the organization through strategic planning and technical education.
Attacker's Perspective of Active Directory (Sunny Neo)
This document provides an overview of attack methodologies from an attacker's perspective when targeting Active Directory environments. It discusses initial access techniques, privilege escalation to domain admin rights, maintaining situational awareness through techniques like password spraying and Kerberoasting, and lateral movement tactics like pass the hash and pass the ticket. It also provides mitigation strategies and detection opportunities for defenders.
Network Analysis Using Wireshark, Jan 18 seminar (Yoram Orzach)
Lesson objective:
By the end of this lesson you will:
Get an approach to network troubleshooting
Understand the Wireshark software
Understand how to use Wireshark for network protocol troubleshooting
Kerberos is a network authentication protocol that was developed at MIT in the 1980s to allow nodes communicating over an insecure network to verify each other's identity. It uses tickets and session keys to allow clients and servers to communicate over a non-secure network and establish the identity of the users and servers. The Kerberos authentication process involves three main exchanges between the client, authentication server (KDC), and target server to authenticate users and allow access to services.
This document discusses lightweight cryptography. It begins by defining lightweight cryptography as cryptographic primitives designed for devices with limited resources like memory, speed and power consumption. It then outlines various lightweight cryptographic mechanisms like block ciphers, hash functions, stream ciphers and authenticated ciphers. For each mechanism, it discusses their desirable properties and design principles. It also discusses implementation issues like decryption costs and resistance to related key attacks. Finally, it mentions the Fair Evaluation of Lightweight Cryptographic Systems (FELICS) benchmarking tool for evaluating and comparing the performance of lightweight cryptographic algorithms on different platforms.
Authentication (password, token, certificate, biometric) (Ali Raw)
Authentication refers to confirming the identity of a person or entity. There are three main categories of authentication: what you know (e.g. passwords), what you have (e.g. tokens, certificates), and who you are (biometrics). Common types of authentication include password-based using user IDs and passwords, certificate-based using digital certificates, token-based using devices that generate random codes, and biometric-based using unique human characteristics like fingerprints. Each type involves validating identity by verifying identifying information against stored credentials through an authentication process.
This document provides an overview of Kerberos, an authentication protocol used to securely identify clients within a non-secure network. It discusses Kerberos' design which includes clients, a Key Distribution Center (KDC) consisting of an authentication and ticket granting server, and services. It also defines common Kerberos terms and describes how Kerberos works by having the KDC issue tickets to allow clients access to services. Key features of Kerberos include centralized credential management and reduced protocol weaknesses. A limitation is that compromising the KDC puts the entire infrastructure at risk.
This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_S18.shtml
This document summarizes a study on analyzing password strength with support vector machines. It introduces password strength and support vector machines. Features such as length and the mixture of character types are extracted from passwords. A support vector machine is trained on these features to classify passwords as very weak, weak, moderate, strong, or very strong. The system aims to help organizations enforce stronger password policies and improve security.
This document discusses secure session management and common session security issues. It explains that capturing a user's session allows an attacker to act as that user. Sessions need to be properly terminated on logout to prevent replay attacks. Weaknesses like cookies set before authentication, non-random session IDs, and failing to remove sessions on logout can enable session hijacking. The document provides guidelines for generating secure random session IDs, setting cookies only after authentication, removing sessions on logout, and using HTTPS to mitigate these risks.
Empower Your Security Practitioners with Elastic SIEM (Elasticsearch)
Learn how Elastic SIEM’s latest capabilities enable interactive exploration and automated analysis — all at the speed and scale your security practitioners need to defend your organization.
See the video: https://www.elastic.co/elasticon/tour/2019/washington-dc/empower-your-security-practitioners-with-elastic-siem
An overview of how electronic signature objects are generated and used within PDF documents, including an overview of Adobe LiveCycle ES's ability to work with them programmatically on the server side.
Is It Safe? Security Hardening for Databases Using Kubernetes Operators (DoKC)
Is It Safe? Security Hardening for Databases Using Kubernetes Operators - Robert Hodges, Altinity
Thanks to the Operator Pattern, Kubernetes is now an outstanding platform to run databases. But to quote Marathon Man, "is it safe?" This talk is a top-level review of the database security problem in Kubernetes, standard ways that operators can mitigate threats, and a wallet-sized checklist of security features you should look for in any operator you use. Our talk is practical and focused on needs of Kubernetes developers. Join us!
Cilium - API-aware Networking and Security for Containers based on BPF (Thomas Graf)
Cilium provides network security and visibility for microservices. It uses eBPF/XDP to provide fast and scalable networking and security controls at layers 3-7. Key features include identity-based firewalling, load balancing, and mutual TLS authentication between services. It integrates with Kubernetes to apply network policies using standard Kubernetes resources and custom CiliumNetworkPolicy resources for finer-grained control.
This document discusses how Citrix Application Delivery Management (ADM) can be used to manage Citrix ADC instances at scale in cloud-native environments. Key points include:
- Citrix ADM allows controlling and gaining insights from one to thousands of Citrix ADC instances (VPX, MPX, CPX), across container platforms like Mesos/Marathon and Kubernetes.
- Metadata from Citrix ADCs provides valuable information to Citrix ADM for an "App Health Score", including user experience metrics, security threats, and device health.
- Citrix ADM provides capabilities for app-centric lifecycles, configuration at scale, visibility, and security across Citrix ADC instances.
This document contains a presentation on Active Directory reconnaissance. It begins with an introduction to Active Directory, its purpose and components. It then covers various techniques for reconnaissance of Active Directory including gathering DHCP, DNS, LDAP metadata and NetBIOS information. Username enumeration methods like null sessions, Kerberos and tools like enum4linux are discussed. Password brute-forcing techniques using SMB, RDP, Kerberos and the ADRecon tool are also summarized. The presentation concludes with a demo of the ADRecon tool.
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203 (Arnaud Le Hors)
This presentation gives a quick technical overview of what Hyperledger Fabric is about and how to get started using it to develop a blockchain application.
Red vs Blue - Modern Active Directory Attacks, Detection & Protection by Sean M... (Shakacon)
While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?
This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won’t be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
Active Directory attack mitigation
Kerberos expertise is not required, since the presentation covers how Active Directory leverages Kerberos for authentication, identifying the areas useful for attack. The information presented is useful for both Red Team and Blue Team members as well as AD administrators.
Cilium: Application-Aware Microservices via BPF (Cynthia Thomas)
Intro to Cilium Microservices Security with Kubernetes Integration
Open Source Cilium website: cilium.io
GH: github.com/cilium/cilium
Join our Slack! cilium.herokuapp.com
Follow us on Twitter!
@ciliumproject
@_techcet_
Kubernetes deployment on bare metal with Container Linux (macchiang)
This document discusses deploying Kubernetes on bare metal servers using Container Linux (CoreOS). It describes why bare metal and Container Linux are used, how to deploy the Kubernetes control plane and worker nodes, and how to configure Kubernetes components. The deployment uses CoreOS, etcd, flannel, and TLS assets to set up a highly available Kubernetes cluster on bare metal servers without virtualization. Matchbox can also be used for provisioning nodes by generating Ignition configs from profiles, groups and templates.
The document discusses monitoring Kubernetes clusters using Prometheus and Grafana. It describes how Prometheus scrapes metrics using exporters like Node Exporter and stores them in a time series database. Grafana is used to build dashboards and visualize the metrics collected by Prometheus. It provides configuration details for deploying Prometheus, Node Exporter, and Grafana as Kubernetes deployments and accessing the services.
This document contains a professional summary and experience details of Chaitra Shankar. The summary includes that Chaitra has 6 years of experience in C programming and software engineering, 4 years experience in development and technical support of SSL protocol on Linux, and 2 years 8 months experience in security applications using C, IPsec, Kerberos and PKI on Linux. The experience section lists 3 previous roles as senior software engineer with increasing durations from July 2007 to January 2013. Technical skills, projects undertaken, education qualifications and contact details are also included.
DEF CON 23 - Sean Metcalf - Red vs Blue: AD Attack and Defense (Felipe Prado)
This document provides an overview of modern Active Directory attacks and defenses. It discusses how red teams use tools like Mimikatz and Kerberoasting to escalate privileges by cracking service account passwords and dumping domain credentials from Domain Controllers. It also outlines blue team defenses like LAPS, advanced auditing, and tools like Microsoft Advanced Threat Analytics to detect these attacks. The goal is to help security professionals understand both offensive techniques and defensive best practices for securing Active Directory environments.
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQueryMárton Kodok
Teaser: provide developers a new way of understanding advanced analytics and choosing the right cloud architecture
The new buzzword is #serverless, as there are many great services that helps us abstract away the complexity associated with managing servers. In this session we will see how serverless helps on large data analytics backends.
We will see how to architect for Cloud and implement into an existing project components that will take us into the #serverless architecture that will ingest our streaming data, run advanced analytics on petabytes of data using BigQuery on Google Cloud Platform - all this next to an existing stack, without being forced to reengineer our app.
BigQuery enables super-fast, SQL/Javascript queries against petabytes of data using the processing power of Google’s infrastructure. We will cover its core features, SQL 2011 standard, working with streaming inserts, User Defined Functions written in Javascript, reference external JS libraries, and several use cases for everyday backend developer: funnel analytics, email heatmap, custom data processing, building dashboards, extracting data using JS functions, emitting rows based on business logic.
This document discusses various topics related to cloud native orchestration using Kubernetes including:
- Network transformation and deployment models for Kubernetes
- Kubernetes networking and resource management features
- Device plugin overview and Intel QuickAssist Technology device plugin
- Considerations for containers networking deployments in multiple environments
- Solutions developed by Intel to address challenges in Kubernetes like resource management, platform awareness, and network acceleration.
Slides for the PromCon presentation "Securing Prometheus. Lessons Learned From OpenShift"
https://promcon.io/2022-munich/talks/securing-prometheus-lessons-lear/
Similar to MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo (20)
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsVictor Morales
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
Batteries -Introduction – Types of Batteries – discharging and charging of battery - characteristics of battery –battery rating- various tests on battery- – Primary battery: silver button cell- Secondary battery :Ni-Cd battery-modern battery: lithium ion battery-maintenance of batteries-choices of batteries for electric vehicle applications.
Fuel Cells: Introduction- importance and classification of fuel cells - description, principle, components, applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEMHODECEDSIET
Time Division Multiplexing (TDM) is a method of transmitting multiple signals over a single communication channel by dividing the signal into many segments, each having a very short duration of time. These time slots are then allocated to different data streams, allowing multiple signals to share the same transmission medium efficiently. TDM is widely used in telecommunications and data communication systems.
### How TDM Works
1. **Time Slots Allocation**: The core principle of TDM is to assign distinct time slots to each signal. During each time slot, the respective signal is transmitted, and then the process repeats cyclically. For example, if there are four signals to be transmitted, the TDM cycle will divide time into four slots, each assigned to one signal.
2. **Synchronization**: Synchronization is crucial in TDM systems to ensure that the signals are correctly aligned with their respective time slots. Both the transmitter and receiver must be synchronized to avoid any overlap or loss of data. This synchronization is typically maintained by a clock signal that ensures time slots are accurately aligned.
3. **Frame Structure**: TDM data is organized into frames, where each frame consists of a set of time slots. Each frame is repeated at regular intervals, ensuring continuous transmission of data streams. The frame structure helps in managing the data streams and maintaining the synchronization between the transmitter and receiver.
4. **Multiplexer and Demultiplexer**: At the transmitting end, a multiplexer combines multiple input signals into a single composite signal by assigning each signal to a specific time slot. At the receiving end, a demultiplexer separates the composite signal back into individual signals based on their respective time slots.
### Types of TDM
1. **Synchronous TDM**: In synchronous TDM, time slots are pre-assigned to each signal, regardless of whether the signal has data to transmit or not. This can lead to inefficiencies if some time slots remain empty due to the absence of data.
2. **Asynchronous TDM (or Statistical TDM)**: Asynchronous TDM addresses the inefficiencies of synchronous TDM by allocating time slots dynamically based on the presence of data. Time slots are assigned only when there is data to transmit, which optimizes the use of the communication channel.
### Applications of TDM
- **Telecommunications**: TDM is extensively used in telecommunication systems, such as in T1 and E1 lines, where multiple telephone calls are transmitted over a single line by assigning each call to a specific time slot.
- **Digital Audio and Video Broadcasting**: TDM is used in broadcasting systems to transmit multiple audio or video streams over a single channel, ensuring efficient use of bandwidth.
- **Computer Networks**: TDM is used in network protocols and systems to manage the transmission of data from multiple sources over a single network medium.
### Advantages of TDM
- **Efficient Use of Bandwidth**: TDM all
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Sinan KOZAK
Sinan from the Delivery Hero mobile infrastructure engineering team shares a deep dive into performance acceleration with Gradle build cache optimizations. Sinan shares their journey into solving complex build-cache problems that affect Gradle builds. By understanding the challenges and solutions found in our journey, we aim to demonstrate the possibilities for faster builds. The case study reveals how overlapping outputs and cache misconfigurations led to significant increases in build times, especially as the project scaled up with numerous modules using Paparazzi tests. The journey from diagnosing to defeating cache issues offers invaluable lessons on maintaining cache integrity without sacrificing functionality.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
Literature Review Basics and Understanding Reference Management.pptxDr Ramhari Poudyal
Three-day training on academic research focuses on analytical tools at United Technical College, supported by the University Grant Commission, Nepal. 24-26 May 2024
Literature Review Basics and Understanding Reference Management.pptx
MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo
1. Kerberos - Protocol for Authentication & Authorization
Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers
MIT Kerberos
2. Identity Management
Kerberos (V5) is a network authentication and authorization protocol with several implementations.
Implementation / OS (Linux, Windows, MacOS):
● MIT Kerberos
● Active Directory
● Heimdal
MIT Kerberos
MIT Kerberos is a project written in C and developed since the 1980s.
Open Source and Free: https://github.com/krb5/krb5
Last release: 1.16.1 (2018-05-03)
MIT License
Official Website | Tutorial | Documentation | Guide
Distribution | Release Linux | Historic
RFC | CVE | FAQ
"Kerberos allows securing communications on untrusted networks, but where each node is trusted."
3. Kerberos Features
Features
● Kerberos is in place, mature, stable and performant, built on symmetric keys
● Mutual authentication, integrity and confidentiality of communication
● Protected against eavesdropping and replay attacks
● No exposed passwords: a password should never be exposed during authentication (no password in code, on the network or in logs ...)
● Not only HTTP: it can also secure other communication channels (SSH, login, ...)
● Largely implemented in each service (client and kerberized server) and in libraries to kerberize services
Kerberos secret = Metadata + Kerberos key
Metadata = [ kvno, issue time, encryption type, principal ]
Kerberos key = getKey(password, salt, encryption type), the string-to-key function of the encryption type
Keytab = container(Kerberos keys with their Metadata): a binary file that is not encrypted, so it must carry the right permissions (owner only, mode 0400)
Authenticator = { PrincipalClient, Timestamp }KClient: the client principal and a timestamp, encrypted with a key only the client holds (its long-term key for pre-authentication, the session key in the TGS and AP exchanges)
Ticket-Granting Ticket (TGT) = authentication credential
Service-Granting Ticket (SGT, the service ticket) = authorization credential
Principal = Kerberos entity (User or Service Principal Name)
"Kerberos is primarily used over internal LANs to authenticate users."
Single Sign-On (SSO): one SSO client, one authentication, several services.
● One authentication to access a group of services.
● Ticket system where long-term secrets generate short-term secrets.
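The keytab layout described on this slide can be inspected without ktutil. The following Python is an added example, not code from the talk or from MIT Kerberos: it parses the MIT keytab format (version 0x0502), builds a constructed sample keytab holding two entries for an assumed SPN HTTP/web01.example.com@EXAMPLE.COM (a current AES-256 key and a stale RC4 key), and reports the two things the slide asks for: owner-only file permissions and no weak (DES/RC4) enctypes.

```python
# Parse an MIT keytab (format version 0x0502) and audit it for what the slide asks: owner-only
# permissions and no weak enctypes. Added example; the sample keytab below is constructed.
import os, stat, struct, tempfile

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}   # IANA numbers
WEAK_ENCTYPES = {1, 2, 3, 23, 24}            # DES and RC4 families, deprecated by RFC 6649 / 8429

def _counted(buf, off):                      # uint16 length followed by that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """One dict per entry: principal, kvno, enctype, key, timestamp, name_type (all big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                         # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:                   # 32-bit kvno appended by newer writers wins
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp, "name_type": name_type})
        off = end
    return entries

def build_keytab(entries):                   # same layout, used here only to construct sample input
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, e["timestamp"], e["kvno"] & 0xFF)   # name type 1 = NT-PRINCIPAL
        body += struct.pack(">H", e["enctype"]) + struct.pack(">H", len(e["key"])) + e["key"]
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", e["kvno"])
    return bytes(out)

def audit_keytab(path):
    """Return (entries, findings); an empty findings list means the keytab is deployable."""
    findings = []
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("permissions: readable by group/other, expected owner-only 0400")
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d: weak enctype %s" % (
                e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    return entries, findings

def demo():
    """Constructed keytab: a current AES-256 key and a stale RC4 key for the same SPN."""
    sample = [{"principal": "HTTP/web01.example.com@EXAMPLE.COM", "kvno": 3, "enctype": 18,
               "key": bytes(range(32)), "timestamp": 1529366400},
              {"principal": "HTTP/web01.example.com@EXAMPLE.COM", "kvno": 2, "enctype": 23,
               "key": b"\x11" * 16, "timestamp": 1514764800}]
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(build_keytab(sample))
    os.chmod(path, 0o644)                    # the mistake: keytab readable by everyone on the host
    entries, before = audit_keytab(path)
    os.chmod(path, 0o400)                    # the fix the slide asks for
    _, after = audit_keytab(path)
    os.chmod(path, 0o600)
    os.remove(path)
    return entries, before, after
```

The stale RC4 entry stays flagged after the permission fix: a keytab holds every key version still present, so rotating to AES without removing old entries leaves an RC4 key that a KDC with weak crypto enabled will still accept.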
4. Kerberos Environment
Actors: the Client (C), the Service (S) and the Key Distribution Center (KDC), which hosts the Authentication Server (AS), the Ticket Granting Server (TGS) and the Kerberos database.
1 Setup
● Install your KDC: create the master key, create your Kerberos realm, configuration (kdc.conf, krb5.conf)
● Install the Kerberos clients (C and S): configuration (krb5.conf)
2 Provisioning
● Creation of the principals in the Kerberos database, one for C and one for S, each with its Kerberos configuration and its Kerberos key
3 Secret deployment
● Deployment of the Kerberos secrets on each Kerberos client: a keytab for C and a keytab for S
5. Kerberos Workflow for Authentication
Actors: the Client (C) with its credentials cache, the Service (S) with its replay cache, and the KDC (AS + TGS + database) with its own replay cache. The three round trips are numbered 1 (AS_REQUEST / AS_REPLY), 2 (TGS_REQUEST / TGS_REPLY) and 3 (AP_REQUEST / AP_REPLY).
Client and Authentication Server: AS_REQUEST, AS_REPLY, establishing the TGS session
(1). Clear plaintext request for a Ticket Granting Ticket (TGT), with pre-authentication (should be configured) and its authenticator
(2). User ID lookup in the KDC database
(3). 2 messages:
- A: TGT (encrypted with the secret key of the AS principal krbtgt/REALM)
- B: TGS session key (encrypted with the client secret key)
(3)bis. The client tries to connect to the service, but the service demands a Kerberos authentication and a TGS ticket.
Client and Ticket Granting Server: TGS_REQUEST, TGS_REPLY, establishing the Service session
(4). 3 messages:
- C: authenticator (encrypted with the TGS session key)
- D: clear plaintext request for access to the Service
- E: TGT
(5). Service lookup in the KDC database
(6). 2 messages:
- F: Service session key (encrypted with the TGS session key)
- G: Ticket for the Service (encrypted with the Service secret key)
Client and Service: AP_REQUEST, AP_REPLY
(7). 2 messages:
- H: authenticator (encrypted with the Service session key)
- I: Ticket for the Service (encrypted with the Service secret key)
(8). 1 message:
- J: confirmation of the Service identity (encrypted with the Service session key), which gives mutual authentication
(9). Exchange of messages with the Service, protected by the Service session key
Kerberos secrets in play: the TGT and the SGT in the client credentials cache, the keytab on the Service side.
6. Kerberos Realm and Trust for Authorization
User Principal Name (UPN): user@REALM. An entity performing client requests to some service. Human or machine.
Service Principal Name (SPN): service/fqdn@REALM. An entity processing requests for a specific service (HTTP, LDAP, SSH ...). Machine only.
Trust unilateral: REALM A → REALM B
Trust bilateral: REALM B ←→ REALM C
7. Kerberos Monitoring @Criteo
● Health checks (TGT & TGS): a Kerberos probe behind the Blackbox exporter
● Basic metrics: collectd/kerberos exporter
● Prometheus, with targets discovered through consul; Grafana dashboards for visualisation
● Alertmanager: email, PagerDuty, Slack
● Logs: Rsyslog → Elasticsearch → Kibana
● Network traces: Wireshark
KDC daemons and ports: krb5kdc:88, kadmind:749, kpasswd:464, kpropd:754
8. Technical Stack around Kerberos @Criteo
Kerberos server side
● Kerberos servers, with native or LDAP Kerberos databases
Kerberos client side
● Service user: SPN (kerberized service)
● Physical user: UPN
Technical Stack
● Discovery: DNS + Consul
● Clock synchronisation: NTP (an ntp client on every Kerberos server and client)
● Backup: Storage
● Log Analysis: Rsyslog + ES + Kibana
● Monitoring & Alerting: Prometheus + Grafana + Graphite
● Secret Management: chef-vault + vault
● Infrastructure Automation: Chef server, with a chef client on every node for secret deployment
Discovery and DNS
● Domain name resolution of the target, with reverse resolution through PTR records
● Round robin over the KDCs with SRV records, then connection attempt
● Establish the Kerberos communication: TGS_REQUEST with the TGT, TGS_REPLY with the SGT
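A client-side krb5.conf for the setup on this slide and on the Kerberos Environment slide, as an added example (the realm EXAMPLE.COM and the host names are assumptions, not Criteo's configuration). The comments mark the settings a security review looks at: KDC discovery through SRV records, what reverse (PTR) resolution is allowed to do, weak enctypes, and the clock skew that the timestamps in authenticators depend on.

```ini
# Added example krb5.conf; realm and host names are assumptions.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Locate KDCs through DNS SRV records, round robin over the answers:
    # _kerberos._udp.EXAMPLE.COM, _kerberos._tcp.EXAMPLE.COM,
    # _kerberos-master._udp.EXAMPLE.COM, _kerberos-adm._tcp.EXAMPLE.COM, _kpasswd._udp.EXAMPLE.COM
    dns_lookup_kdc = true
    # Never let DNS TXT records choose the realm: DNS answers are not authenticated.
    dns_lookup_realm = false
    # Do not let a PTR answer rewrite the host part of the SPN the client asks a ticket for;
    # with rdns = true a spoofed reverse record redirects the client to another service principal.
    rdns = false
    # Refuse DES and RC4 enctypes (RFC 6649).
    allow_weak_crypto = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    # Forwardable TGTs are what the "ssh + delegation" demo relies on.
    forwardable = true
    # Authenticators and pre-authentication timestamps are accepted only within this window (seconds),
    # hence the ntp client on every node in the technical stack.
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com:749
        kpasswd_server = kdc1.example.com:464
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

The explicit kdc lines and the SRV lookup are not exclusive: with dns_lookup_kdc the listed KDCs are tried first and DNS fills in the rest, so a realm can be moved to new KDCs by changing DNS while old clients keep their static list.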
11. Implemented HTTP SSO with Kerberos
● SSO client behind a proxy
● Windows: IIS
● Linux: controller + filter
● Covers both human to machine and machine to machine
12. Kerberos for your application in Java
Client side (client application): user.keytab, krb5.conf, .java.login.config
Server side (server application): service.keytab, krb5.conf, .java.login.config
Both sides use the same stack to establish the Kerberos communication: JAAS (Krb5LoginModule) → GSS-API / SASL → Kerberos, negotiated with SPNEGO over HTTP
JAAS: Java Authentication and Authorization Service
GSS-API: Generic Security Service Application Program Interface
SASL: Simple Authentication and Security Layer
SPNEGO: Simple and Protected GSS-API Negotiation Mechanism
13. Demo Time
● Kerberos servers: kerberos-docker
● Network traces: wireshark
● Kerberized services: Apache2 (http), Mongo (mongodb), OpenSSH (ssh + delegation)
● Client commands: kinit with login/password, kinit -k with a keytab, kinit -R, klist; credentials cache in the file system
● Java client and Java server over a socket; credentials cache in JVM memory
14. Wouff… It is the end!
Kerberos - Protocol for Authentication & Authorization
15. References
Learn Kerberos authentication
● Tutorial Kerberos
○ https://www.kerberos.org/software/tutorial.html
● The MIT Kerberos Administrator’s How-to Guide
○ https://www.kerberos.org/software/adminkerberos.pdf
● Best Practices for Integrating Kerberos into Your Application
○ https://www.kerberos.org/software/appskerberos.pdf
● Why is Kerberos a credible security solution?
○ https://www.kerberos.org/software/whykerberos.pdf
● Kerberos database can be OpenLDAP
○ https://www.openldap.org
● Kerberos: The Definitive Guide O’Reilly
○ http://shop.oreilly.com/product/9780596004033.do
Kerberos for GAFA
● Google
○ Google Search Appliance uses Kerberos
■ https://support.google.com/gsa/answer/6055202?hl=en
● Apple
○ Authentication and Identification In Depth
■ https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Authentication/Authentication.html
● Facebook
○ https://developers.facebook.com/docs/workplace/authentication/sso (no public references found)
● Amazon
○ Use Kerberos Authentication
■ https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-kerberos.html
16. References
Kerberos implementation
● MIT: MIT Kerberos
○ http://web.mit.edu/kerberos
○ What is Kerberos?
■ http://web.mit.edu/kerberos/www/#what_is
○ MIT Kerberos Consortium
■ http://kerberos.org/software/
○ Source code:
■ GitHub:
● Microsoft: Active Directory
○ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
○ What is Kerberos Authentication?
■ https://technet.microsoft.com/pt-pt/library/cc780469(v=ws.10).aspx
○ Microsoft Kerberos
■ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx
● Heimdal: Heimdal Kerberos
○ https://www.h5l.org
○ What is Heimdal/Kerberos?
■ https://github.com/heimdal/heimdal/wiki
○ Source code:
■ Github: https://github.com/heimdal/heimdal/releases
There are other KDC client/server implementations, such as Apache Kerby, which can run a KDC "in memory" in Java:
● https://github.com/apache/directory-kerby
17. References
Single Sign On with Kerberos and SPNEGO
● Microsoft: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
○ https://msdn.microsoft.com/en-us/library/ms995329.aspx
● IBM: Single sign-on for HTTP requests using SPNEGO web authentication in Websphere application
○ https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.wlp.core.doc/ae/cwlp_spnego.html
○ https://www.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/csec_SPNEGO_explain.html#csec_SPNEGO_explain__SPNEGOkerb
● SAP: Single Sign-On: Authenticate with Kerberos/SPNEGO
○ https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
Operating system Linux and Kerberos
● RedHat (and CentOS): Using Kerberos
○ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/using_kerberos
● Ubuntu: Kerberos
○ https://help.ubuntu.com/lts/serverguide/kerberos.html.en
● Arch Linux: Kerberos
○ https://wiki.archlinux.org/index.php/Kerberos
● Fedora
○ https://fedoraproject.org/wiki/Infrastructure/Kerberos
(MacOS and Windows are not covered: this presentation is Linux only)
18. References
Kerberos in Java
● Oracle (and Sun): Single Sign-on Using Kerberos in Java
○ https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm
● OpenJDK:
○
● Apache:
○ Apache Kerby:
■ http://directory.apache.org/kerby/
■ source code:
● Github: https://github.com/apache/directory-kerby
○ Hadoop:
■ Hadoop in Secure Mode
● https://hadoop.apache.org/docs/r3.0.0/hadoop-project-dist/hadoop-common/SecureMode.html
■ source code:
● GitHub:
https://github.com/apache/hadoop-common/tree/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security
● Java Server
○ Tomcat
■ https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
○ Jetty
■ http://www.eclipse.org/jetty/documentation/current/spnego-support.html
○ Jboss
■ https://developer.jboss.org/wiki/HowToImplementKerberosAuthenticationWithASimpleRESTWebApp
○ Spring
■ https://spring.io/projects/spring-security-kerberos#overview
20. References
Kerberos and LDAP
● OpenLDAP:
○ https://www.openldap.org
● Microsoft:
○ https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
● Ubuntu:
○ https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html.en
○ https://help.ubuntu.com/lts/serverguide/openldap-server.html.en
● MIT:
○ https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
Kerberos with Wireshark and Tshark
● https://wiki.wireshark.org/Kerberos
● https://www.wireshark.org/docs/man-pages/tshark.html
Kerberos is different
● Kerberos vs SSL/TLS
○ https://www.secureblackbox.com/kb/articles/6-Kerberos.rst
● Kerberos vs SPNEGO
○ https://developer.ibm.com/answers/questions/246107/what-is-the-difference-between-kerberos-and-spnego/
Kerberos GSS-API
● GNU Generic Security:
○ https://www.gnu.org/software/gss/manual/gss.html#GSS_002dAPI-Overview
● Oracle:
○ https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/index.html
21. References
Kerberos and RFCs
● RFC 1510 The Kerberos Network Authentication Service (V5) [Obsolete]
● RFC 1964 The Kerberos Version 5 GSS-API Mechanism
● RFC 3961 Encryption and Checksum Specifications for Kerberos 5
● RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
● RFC 4120 The Kerberos Network Authentication Service (V5) [Current]
● RFC 4121 The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
● RFC 4537 Kerberos Cryptosystem Negotiation Extension
● RFC 4556 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 4557 Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows [Obsolete]
● RFC 5021 Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
● RFC 5349 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 5868 Problem Statement on the Cross-Realm Operation of Kerberos
● RFC 5896 Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
● RFC 6111 Additional Kerberos Naming Constraints
● RFC 6112 Anonymity Support for Kerberos
● RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
● RFC 6251 Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
● RFC 6448 The Unencrypted Form of Kerberos 5 KRB-CRED Message
● RFC 6542 Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility
● RFC 6560 One-Time Password (OTP) Pre-Authentication
● RFC 6649 Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
● RFC 6784 Kerberos Options for DHCPv6
● RFC 6803 Camellia Encryption for Kerberos 5
● RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
● RFC 6880 An Information Model for Kerberos Version 5
See https://en.wikipedia.org/wiki/Kerberos_(protocol) and https://datatracker.ietf.org/doc/search/?name=Kerberos&sort=&rfcs=on