Kerberos - Protocol for Authentication & Authorization
Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers
MIT Kerberos
The usual implementation per operating system:
● Linux: MIT Kerberos
● Windows: Active Directory
● macOS: Heimdal
MIT Kerberos is a project written in C, developed at MIT since the 1980s.
Open source and free: https://github.com/krb5/krb5
Last release: 1.16.1 (2018-05-03)
MIT License
Official Website | Tutorial | Documentation | Guide
Distribution | Release Linux | Historic
RFC | CVE | FAQ
MIT Kerberos
Kerberos (V5) is a network authentication protocol with several implementations; it establishes who a client is, and a service then uses the authenticated principal (and the trust between realms) for its own authorization decisions.
"Kerberos allows one to secure communications on untrusted networks, but where each node is trusted."
Kerberos Features
● Kerberos is widely deployed, mature, stable and performant; it is built on symmetric-key cryptography.
● Mutual authentication, integrity and confidentiality of communication.
● Protected against eavesdropping and replay attacks.
● No exposed passwords: the password is never sent during authentication (no password in code, on the network or in logs ...).
● Not only HTTP: it can secure other communication channels (SSH, login, ...).
● Widely supported by clients and kerberized servers, and by libraries for kerberizing services.

Kerberos secret = Metadata + Kerberos key
Metadata = [ kvno, issue time, encryption type, principal ]
Kerberos key = getKey(password, salt, encryption type), the string-to-key function of the encryption type (RFC 3961/3962)
Keytab = container(Kerberos key with Metadata): a binary file that is not encrypted, so it must be protected by file permissions (owner read-only, mode 0400).
Authenticator = { PrincipalClient, Timestamp } encrypted with the session key shared between the client and the recipient (the TGS session key in a TGS request, the service session key in an AP request); for pre-authentication to the AS the client instead encrypts a timestamp with its own long-term key.
Ticket-Granting Ticket (TGT) = authentication credential
Service ticket, called Service Ticket-Granting (SGT) in this talk = authorization credential: proof to one service that the KDC authenticated the client
Principal = Kerberos entity (User or Service Principal Name)
"Kerberos is primarily used over internal LANs to authenticate users."
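The metadata listed above (principal, kvno, issue time, encryption type) plus the raw key is exactly what each keytab entry stores, which is why the file needs 0400 permissions. The following added example, not code from the talk or from MIT krb5, writes and parses a keytab in the MIT 0x0502 format and refuses to load one that is readable by group or other. The principals, timestamps and key bytes are constructed; the second entry has a kvno above 255 to show the 32-bit kvno field that newer keytabs carry.

```python
"""Minimal MIT keytab (format 0x0502) writer, reader and permission check."""
import os
import struct

# Encryption type numbers from RFC 3961/3962 (subset used here).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1          # name type used for user and service principals
KEYTAB_VERSION = b"\x05\x02"   # every entry is big-endian, strings are length-prefixed


def _counted(data: bytes) -> bytes:
    """16-bit length prefix, the encoding of every string in a keytab."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialize entries (principal, kvno, timestamp, enctype, key) into keytab bytes."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        components = name.split("/")   # "HTTP/www.example.com" -> ["HTTP", "www.example.com"]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        # name type, issue timestamp, 8-bit kvno (low byte only)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])   # the raw key, unencrypted
        body += struct.pack(">I", e["kvno"])   # 32-bit kvno, authoritative when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse keytab bytes; raises ValueError on a wrong version or a truncated entry."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:         # optional 32-bit kvno present after the key
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "key": key})
    return entries


def permissions_ok(st_mode: int) -> bool:
    """A keytab holds raw keys: no group or other permission bits may be set."""
    return (st_mode & 0o077) == 0


def load_keytab(path):
    """Refuse a keytab whose mode exposes it to other users, then parse it."""
    st = os.stat(path)
    if not permissions_ok(st.st_mode):
        raise PermissionError("%s is readable by others (mode %o)" % (path, st.st_mode & 0o777))
    with open(path, "rb") as f:
        return parse_keytab(f.read())


# Constructed sample entries (fake keys, not derived from any password).
SAMPLE_ENTRIES = [
    {"principal": "HTTP/www.example.com@EXAMPLE.COM", "kvno": 3,
     "timestamp": 1529366400, "enctype": 18, "key": bytes(range(32))},
    {"principal": "alice@EXAMPLE.COM", "kvno": 300,
     "timestamp": 1529366401, "enctype": 17, "key": bytes(range(16))},
]

if __name__ == "__main__":
    for e in parse_keytab(build_keytab(SAMPLE_ENTRIES)):
        print("%-36s kvno=%-4d %s" % (e["principal"], e["kvno"], e["enctype"]))
```

The output of `parse_keytab` on a real file matches what `klist -k -t -e` prints for it, which makes the parser a convenient check that a deployed keytab carries the expected kvno and encryption types before a service is restarted.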
Single Sign-On (SSO)
One SSO client, several services: the client authenticates once and then reaches each service with a ticket.
● One authentication gives access to a group of services.
● Ticket system where long-term secrets (keys) generate short-term secrets (tickets and session keys).
Kerberos Environment
Actors: Client (C), Service (S) and the Key Distribution Center (KDC), which hosts the Authentication Server (AS), the Ticket Granting Server (TGS) and the principal database. The Kerberos server is the KDC; C and S are both Kerberos clients of it.

1. Setup
● Install your KDC: create the master key, create your Kerberos realm, write the configuration (krb5.conf and kdc.conf).
● Install the Kerberos clients (on C and on S): write the configuration (krb5.conf).
2. Provisioning
● Create the principals for C and S in the Kerberos database; each principal gets a Kerberos key.
3. Secret deployment
● Deploy a keytab on each Kerberos client that must authenticate without a password (the service S, and machine clients).

Kerberos secrets: the master key and the principal database on the KDC, the keytabs on the clients.
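The three steps above, written out as an added example rather than the talk's own files: a hardened krb5.conf shared by every Kerberos client and a kdc.conf for the KDC. The realm, host names and paths are assumed; the option names are MIT krb5's.

```ini
# /etc/krb5.conf (KDC and every client) -- added example, assumed realm and hosts
[libdefaults]
    default_realm = EXAMPLE.COM
    # locate KDCs through _kerberos._udp/_tcp.EXAMPLE.COM SRV records
    dns_lookup_kdc = true
    # never map a host to a realm from DNS TXT records an attacker could spoof
    dns_lookup_realm = false
    # build the SPN from the name given, not from a reverse (PTR) lookup
    rdns = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    # forwardable tickets are what ssh credential delegation needs
    forwardable = true
    # refuse DES and RC4-HMAC-EXP (RFC 6649) and restrict to AES enctypes
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/krb5kdc/kdc.conf (KDC only) -- added example, assumed paths
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
        # the stash holds the master key in clear: protect it like a keytab (0400)
        key_stash_file = /etc/krb5kdc/stash
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        # every new principal requires pre-authentication
        default_principal_flags = +preauth
    }
```

With these files in place, the MIT tools cover the remaining steps: `kdb5_util create -s` creates the realm database and stash file (setup), `kadmin.local -q "addprinc -randkey HTTP/www.example.com"` creates a service principal (provisioning), and `kadmin.local -q "ktadd -k /etc/krb5.keytab HTTP/www.example.com"` writes its key into the keytab that is then deployed to the service host (secret deployment).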
Kerberos Workflow for Authentication
Actors: Client (C), Service (S) and the Key Distribution Center (KDC), which hosts the Authentication Server (AS), the Ticket Granting Server (TGS) and the principal database. The client keeps a credentials cache; the TGS and each service keep a replay cache of recently seen authenticators.

(3)bis The client tries to connect to the service, which demands Kerberos authentication, i.e. a ticket issued by the TGS.

1. Client and Authentication Server: AS_REQUEST, AS_REPLY
(1). Request for a Ticket Granting Ticket (TGT), sent in clear, with pre-authentication (a timestamp encrypted with the client key). Pre-authentication should be required in the KDC configuration: without it anyone can ask for message B and attack the password offline.
(2). Lookup of the user principal in the KDC database.
(3). 2 messages:
- A: TGT (encrypted with the secret key of the krbtgt/REALM principal)
- B: TGS session key (encrypted with the client secret key)
The client decrypts B with its key and stores the TGT and the session key in its credentials cache.

2. Client and Ticket Granting Server: TGS_REQUEST, TGS_REPLY
(4). 3 messages:
- C: authenticator (encrypted with the TGS session key)
- D: request for access to the service, in clear (the SPN)
- E: the TGT
(5). Lookup of the service principal in the KDC database. The TGS decrypts the TGT with the krbtgt key, then the authenticator with the session key found inside, and checks the authenticator timestamp against the allowed clock skew and its replay cache.
(6). 2 messages:
- F: service session key (encrypted with the TGS session key)
- G: ticket for the service (encrypted with the service secret key)

3. Client and Service: AP_REQUEST, AP_REPLY
(7). 2 messages:
- H: authenticator (encrypted with the service session key)
- I: ticket for the service (encrypted with the service secret key)
(8). 1 message:
- J: confirmation of the service identity (the authenticator timestamp, encrypted with the service session key): this is the mutual authentication
(9). Application exchange, protected with the service session key.

Kerberos secrets involved: the keytab (long-term key, service side), the TGT and the SGT (short-term tickets, client side).
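The three exchanges above, run end to end as an added example (not code from the talk or from any Kerberos implementation). Both sides of each message are shown: AS_REQ with pre-authentication and AS_REP (A, B), TGS_REQ with an authenticator and TGS_REP (F, G), AP_REQ (H, I) and the mutual-authentication AP_REP (J). The service keeps a replay cache and every party enforces a clock-skew limit, so the demo also shows a replayed AP_REQ and a client clock ten minutes off being refused. The cipher is a toy encrypt-then-MAC standing in for an RFC 3961 encryption type; the realm, principals, keys and error names are constructed for the example.

```python
"""Toy end-to-end Kerberos exchange (AS, TGS, AP) with pre-authentication,
clock-skew checks, a replay cache and mutual authentication. Added example;
the cipher is a stand-in for an RFC 3961 enctype and is not for real use."""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300          # seconds of skew tolerated (MIT krb5 default: 5 minutes)
TICKET_LIFE = 10 * 3600   # assumed ticket lifetime


def _keystream(key, nonce, n):
    """Counter-mode stream derived from SHA-256; toy construction only."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def encrypt(key, obj):
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || HMAC-SHA256 tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("KRB_AP_ERR_BAD_INTEGRITY")   # wrong key or tampered message
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(ticket, authenticator, now):
    """Used by the TGS and by services: ticket lifetime, principal match, freshness."""
    if now > ticket["end"]:
        raise PermissionError("KRB_AP_ERR_TKT_EXPIRED")
    auth = decrypt(bytes.fromhex(ticket["key"]), authenticator)   # session key is inside the ticket
    if auth["client"] != ticket["client"]:
        raise PermissionError("KRB_AP_ERR_BADMATCH")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW")
    return auth


class KDC:
    def __init__(self, realm, db):                  # db: principal -> long-term key
        self.db, self.tgt_key = db, db["krbtgt/%s@%s" % (realm, realm)]

    def as_exchange(self, client, preauth, now):
        """AS_REQ -> (A) TGT under the krbtgt key, (B) TGS session key under the client key."""
        key = self.db[client]
        if abs(now - decrypt(key, preauth)["timestamp"]) > CLOCK_SKEW:   # PA-ENC-TIMESTAMP
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        sk, end = os.urandom(16).hex(), now + TICKET_LIFE
        return (encrypt(self.tgt_key, {"client": client, "key": sk, "end": end}),
                encrypt(key, {"key": sk, "end": end}))

    def tgs_exchange(self, tgt, authenticator, spn, now):
        """TGS_REQ -> (F) service session key under the TGS session key, (G) service ticket."""
        t = decrypt(self.tgt_key, tgt)
        _check_authenticator(t, authenticator, now)
        sk = os.urandom(16).hex()
        return (encrypt(bytes.fromhex(t["key"]), {"key": sk, "service": spn}),
                encrypt(self.db[spn], {"client": t["client"], "key": sk, "end": t["end"]}))


class Service:
    def __init__(self, key):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket, authenticator, now):
        """AP_REQ -> (client principal, AP_REP); a replayed authenticator is rejected."""
        t = decrypt(self.key, ticket)
        auth = _check_authenticator(t, authenticator, now)
        entry = (auth["client"], auth["timestamp"], auth["usec"])
        if entry in self.replay_cache:
            raise PermissionError("KRB_AP_ERR_REPEAT")
        self.replay_cache.add(entry)
        # Mutual authentication: only a holder of the service key can echo the timestamp.
        return t["client"], encrypt(bytes.fromhex(t["key"]), {"timestamp": auth["timestamp"]})


def client_session(kdc, service, client, client_key, spn, now, kdc_now=None, usec=0):
    """Client side of the three exchanges; returns (authenticated principal, AP_REQ)."""
    kdc_now = now if kdc_now is None else kdc_now          # the KDC clock may differ from ours
    tgt, enc = kdc.as_exchange(client, encrypt(client_key, {"timestamp": now}), kdc_now)
    tgs_key = bytes.fromhex(decrypt(client_key, enc)["key"])
    auth = {"client": client, "timestamp": now, "usec": usec}
    enc, ticket = kdc.tgs_exchange(tgt, encrypt(tgs_key, auth), spn, kdc_now)
    svc_key = bytes.fromhex(decrypt(tgs_key, enc)["key"])
    ap_req = (ticket, encrypt(svc_key, auth))
    who, ap_rep = service.ap_exchange(*ap_req, now)
    if decrypt(svc_key, ap_rep)["timestamp"] != now:        # the service failed to prove itself
        raise PermissionError("KRB_AP_ERR_MUT_FAIL")
    return who, ap_req


def run_demo(now=1529366400):
    realm, spn = "EXAMPLE.COM", "HTTP/www.example.com@EXAMPLE.COM"   # constructed names
    alice = "alice@" + realm
    db = {"krbtgt/EXAMPLE.COM@EXAMPLE.COM": os.urandom(32),
          alice: os.urandom(32), spn: os.urandom(32)}
    kdc, www = KDC(realm, db), Service(db[spn])
    who, ap_req = client_session(kdc, www, alice, db[alice], spn, now)
    results = {"authenticated": who}
    try:                                # replaying the captured AP_REQ must be refused
        www.ap_exchange(*ap_req, now + 1)
    except PermissionError as e:
        results["replay"] = str(e)
    try:                                # a client clock 10 minutes ahead fails pre-authentication
        client_session(kdc, www, alice, db[alice], spn, now + 600, kdc_now=now)
    except PermissionError as e:
        results["skew"] = str(e)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing in the flow: the service never talks to the KDC, it only needs its own key (from its keytab) to open ticket G/I, and the replay cache is what turns a captured AP_REQ into a useless artefact inside the skew window, which is why the NTP synchronisation mentioned later in the talk is a security requirement and not just an operational nicety.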
Kerberos Realm and Trust for Authorization
User Principal Name (UPN), user@REALM: an entity performing client requests to some service; human or machine.
Service Principal Name (SPN), service/fqdn@REALM: an entity processing requests for a specific service (HTTP, LDAP, SSH, ...); machine only.
Trust unilateral, REALM A → REALM B: principals of one realm can obtain tickets for services of the other, but not the reverse.
Trust bilateral, REALM B ←→ REALM C: both directions.
A trust only lets a foreign principal authenticate; each service still decides which principals it authorizes.
Kerberos Monitoring @Criteo
● Health checks (TGT & TGS acquisition) and basic metrics: a Kerberos probe with a collectd/kerberos exporter and a Blackbox exporter, scraped by Prometheus (targets discovered through Consul), Grafana dashboards for visualisation, and Alertmanager notifying by email, PagerDuty and Slack.
● Logs: Rsyslog → Elasticsearch → Kibana.
● Network traces: Wireshark.
● Ports to watch on the KDC hosts: krb5kdc:88, kadmind:749, kpasswd:464, kpropd:754.
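The "TGT & TGS" health check on the slide, as an added example in Python (not Criteo's probe): it obtains a TGT with a keytab (AS exchange), then a service ticket for an SPN with `kvno` (TGS exchange), in a private credential cache so it never touches a user's tickets, and renders the two results in the Prometheus textfile-collector format. The principal, keytab path, SPN and output path are assumptions; the `runner` parameter exists so the real `kinit`/`kvno`/`kdestroy` commands can be replaced when testing.

```python
"""Kerberos health probe: TGT (AS exchange) then service ticket (TGS exchange),
reported as Prometheus textfile-collector metrics. Added example; principal,
keytab path and SPN below are assumed."""
import os
import subprocess
import tempfile
import time

KEYTAB = "/etc/krb5-probe.keytab"                      # assumed
PRINCIPAL = "probe/monitor.example.com@EXAMPLE.COM"     # assumed
SPN = "HTTP/www.example.com@EXAMPLE.COM"                # assumed


def run_cmd(argv, env):
    """Default runner: execute the real kinit/kvno/kdestroy and return the exit status."""
    return subprocess.run(argv, env=env, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL, timeout=20).returncode


def probe(runner=run_cmd, keytab=KEYTAB, principal=PRINCIPAL, spn=SPN, clock=time.monotonic):
    """Return {stage: (success, seconds)} for the 'tgt' and 'tgs' stages.

    A private credential cache keeps the probe away from any user's tickets; the
    TGS stage is reported as failed without being run when no TGT was obtained."""
    ccache = "FILE:" + os.path.join(tempfile.gettempdir(), "krb5cc_probe_%d" % os.getpid())
    env = dict(os.environ, KRB5CCNAME=ccache)
    stages = [("tgt", ["kinit", "-k", "-t", keytab, principal]),   # AS exchange
              ("tgs", ["kvno", spn])]                               # TGS exchange
    results = {}
    try:
        for name, argv in stages:
            start = clock()
            ok = runner(argv, env) == 0
            results[name] = (ok, clock() - start)
            if not ok:
                break
        results.setdefault("tgs", (False, 0.0))
    finally:
        runner(["kdestroy", "-c", ccache], env)   # never leave probe tickets on disk
    return results


def to_prometheus(results):
    """Render results in the exposition format read by node_exporter's textfile collector."""
    lines = ["# HELP kerberos_probe_success 1 if the Kerberos exchange succeeded",
             "# TYPE kerberos_probe_success gauge",
             "# HELP kerberos_probe_duration_seconds time taken by the exchange",
             "# TYPE kerberos_probe_duration_seconds gauge"]
    for stage, (ok, secs) in sorted(results.items()):
        lines.append('kerberos_probe_success{stage="%s"} %d' % (stage, int(ok)))
        lines.append('kerberos_probe_duration_seconds{stage="%s"} %.3f' % (stage, secs))
    return "\n".join(lines) + "\n"


def write_metrics(text, path):
    """Write atomically so Prometheus never scrapes a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    print(to_prometheus(probe()), end="")
```

Run from cron on a monitoring host, with `write_metrics(to_prometheus(probe()), "/var/lib/node_exporter/textfile_collector/kerberos_probe.prom")`, this gives an alert rule such as `kerberos_probe_success{stage="tgt"} == 0` a direct signal that the AS exchange is broken, and the duration gauge a trend for KDC latency; a failing `tgs` stage with a healthy `tgt` stage points at the service principal (missing SPN, wrong kvno) rather than at the KDC.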
Technical Stack around Kerberos @Criteo

Kerberos server side (the Kerberos servers, with native or LDAP Kerberos databases)
● Discovery: DNS + Consul
● Clock synchronisation: NTP
● Backup: storage
● Log analysis: Rsyslog + Elasticsearch + Kibana
● Monitoring & alerting: Prometheus + Grafana + Graphite
● Secret management: chef-vault + Vault
● Infrastructure automation: Chef server

Kerberos client side (every host runs a chef client and an ntp client)
● UPN: service users and physical users
● SPN: kerberized services
● Secret deployment: the chef client installs each host's keytab from the secrets kept in chef-vault/Vault; clients locate the KDCs through consul and DNS.
Discovery and DNS
● Kerberos clients find the KDCs by round robin over DNS SRV records (or through Consul).
● Before a connection attempt the client resolves the service host name; reverse resolution with PTR records may be used to canonicalise it into the SPN (service/fqdn@REALM). This makes the SPN depend on DNS answers, so disable reverse lookups (rdns = false in krb5.conf) and use the name the client was given.
● With its TGT the client sends a TGS_REQUEST for that SPN, receives the SGT in the TGS_REPLY, then establishes the Kerberos communication with the service.
Implemented HTTP SSO with Kerberos
● Human to machine: the user's browser (SSO client) reaches the application through a proxy; on Windows the application runs under IIS, on Linux the application's controller is guarded by an authentication filter that validates the Kerberos (SPNEGO) token.
● Machine to machine: a service calls another service's controller through the same filter, authenticating with its own ticket instead of a user session.
Kerberos for your application in Java
Client side (user.keytab, krb5.conf, .java.login.config) and server side (service.keytab, krb5.conf, .java.login.config) use the same stack to establish the Kerberos communication: JAAS with the Krb5LoginModule to log in and obtain credentials, then GSS-API (or SASL) to build the security context, carried as a Kerberos or SPNEGO token.
SASL: Simple Authentication and Security Layer
SPNEGO: Simple and Protected GSS-API Negotiation Mechanism
JAAS: Java Authentication and Authorization Service
GSS-API: Generic Security Service Application Program Interface
Demo Time
● Kerberos servers from kerberos-docker, with wireshark capturing the exchanges
● Kerberized services: Apache2 (http) and MongoDB (mongodb)
● OpenSSH: ssh with credential delegation
● Commands: kinit with login/password, kinit -k -t <keytab> <principal> with a keytab, kinit -R to renew, klist to list the credentials cache stored in the file system
● Java client and Java server over a socket, with the credentials cache kept in JVM memory
Wouff…
It is the end!
References

Learn Kerberos authentication
● Tutorial Kerberos
○ https://www.kerberos.org/software/tutorial.html
● The MIT Kerberos Administrator’s How-to Guide
○ https://www.kerberos.org/software/adminkerberos.pdf
● Best Practices for Integrating Kerberos into Your Application
○ https://www.kerberos.org/software/appskerberos.pdf
● Why is Kerberos a credible security solution?
○ https://www.kerberos.org/software/whykerberos.pdf
● Kerberos database can be OpenLDAP
○ https://www.openldap.org
● Kerberos: The Definitive Guide O’Reilly
○ http://shop.oreilly.com/product/9780596004033.do
Kerberos for GAFA
● Google
○ Google Search Appliance uses Kerberos
■ https://support.google.com/gsa/answer/6055202?hl=en
● Apple
○ Authentication and Identification In Depth
■ https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Authentication/Authentication.html
● Facebook
○ https://developers.facebook.com/docs/workplace/authentication/sso (no public reference to Kerberos found)
● Amazon
○ Use Kerberos Authentication
■ https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-kerberos.html
Kerberos implementation
● MIT: MIT Kerberos
○ http://web.mit.edu/kerberos
○ What is Kerberos?
■ http://web.mit.edu/kerberos/www/#what_is
○ MIT Kerberos Consortium
■ http://kerberos.org/software/
○ Source code:
■ GitHub: https://github.com/krb5/krb5
● Microsoft: Active Directory
○ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
○ What is Kerberos Authentication?
■ https://technet.microsoft.com/pt-pt/library/cc780469(v=ws.10).aspx
○ Microsoft Kerberos
■ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx
● Heimdal: Heimdal Kerberos
○ https://www.h5l.org
○ What is Heimdal/Kerberos?
■ https://github.com/heimdal/heimdal/wiki
○ Source code:
■ Github: https://github.com/heimdal/heimdal/releases
There are other KDC client/server implementations, such as Apache Kerby, which can run a KDC "in memory" in Java:
● https://github.com/apache/directory-kerby
Single Sign On with Kerberos and SPNEGO
● Microsoft: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
○ https://msdn.microsoft.com/en-us/library/ms995329.aspx
● IBM: Single sign-on for HTTP requests using SPNEGO web authentication in Websphere application
○ https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.wlp.core.doc/ae/cwlp_spnego.html
○ https://www.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/csec_SPNEGO_explain.html#csec_SPNEGO_explain__SPNEGOkerb
● SAP: Single Sign-On: Authenticate with Kerberos/SPNEGO
○ https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
Operating system Linux and Kerberos
● RedHat (and CentOS): Using Kerberos
○ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/using_kerberos
● Ubuntu: Kerberos
○ https://help.ubuntu.com/lts/serverguide/kerberos.html.en
● Arch Linux: Kerberos
○ https://wiki.archlinux.org/index.php/Kerberos
● Fedora
○ https://fedoraproject.org/wiki/Infrastructure/Kerberos
(macOS and Windows are not covered: this presentation is Linux only)
Kerberos in Java
● Oracle (and Sun): Single Sign-on Using Kerberos in Java
○ https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm
● OpenJDK:
○
● Apache:
○ Apache Kerby:
■ http://directory.apache.org/kerby/
■ source code:
● Github: https://github.com/apache/directory-kerby
○ Hadoop:
■ Hadoop in Secure Mode
● https://hadoop.apache.org/docs/r3.0.0/hadoop-project-dist/hadoop-common/SecureMode.html
■ source code:
● GitHub: https://github.com/apache/hadoop-common/tree/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security
● Java Server
○ Tomcat
■ https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
○ Jetty
■ http://www.eclipse.org/jetty/documentation/current/spnego-support.html
○ Jboss
■ https://developer.jboss.org/wiki/HowToImplementKerberosAuthenticationWithASimpleRESTWebApp
○ Spring
■ https://spring.io/projects/spring-security-kerberos#overview
Kerberos in Python
● Apple:
○ https://github.com/apple/ccs-pykerberos
● Requests:
○ https://github.com/requests/requests-kerberos
● Python GSSAPI
○ https://github.com/pythongssapi
Kerberos with Proxy/Reverse Proxy
● Apache2
○ mod_auth_gssapi
■ https://github.com/modauthgssapi/mod_auth_gssapi
○ mod_auth_kerb
■ http://modauthkerb.sourceforge.net
○ mod_authnz_ldap
■ http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
● NGINX
○ https://www.nginx.com/blog/nginx-plus-authenticate-users/
● HaProxy
○ https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/
Kerberos and LDAP
● OpenLDAP:
○ https://www.openldap.org
● Microsoft:
○ https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
● Ubuntu:
○ https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html.en
○ https://help.ubuntu.com/lts/serverguide/openldap-server.html.en
● MIT:
○ https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
Kerberos with Wireshark and Tshark
● https://wiki.wireshark.org/Kerberos
● https://www.wireshark.org/docs/man-pages/tshark.html
Kerberos is different
● Kerberos vs SSL/TLS
○ https://www.secureblackbox.com/kb/articles/6-Kerberos.rst
● Kerberos vs SPNEGO
○ https://developer.ibm.com/answers/questions/246107/what-is-the-difference-between-kerberos-and-spnego/
Kerberos GSS-API
● GNU Generic Security:
○ https://www.gnu.org/software/gss/manual/gss.html#GSS_002dAPI-Overview
● Oracle:
○ https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/index.html
Kerberos and RFCs
● RFC 1510 The Kerberos Network Authentication Service (V5) [Obsolete]
● RFC 1964 The Kerberos Version 5 GSS-API Mechanism
● RFC 3961 Encryption and Checksum Specifications for Kerberos 5
● RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
● RFC 4120 The Kerberos Network Authentication Service (V5) [Current]
● RFC 4121 The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
● RFC 4537 Kerberos Cryptosystem Negotiation Extension
● RFC 4556 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 4557 Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows [Obsolete]
● RFC 5021 Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
● RFC 5349 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 5868 Problem Statement on the Cross-Realm Operation of Kerberos
● RFC 5896 Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
● RFC 6111 Additional Kerberos Naming Constraints
● RFC 6112 Anonymity Support for Kerberos
● RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
● RFC 6251 Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
● RFC 6448 The Unencrypted Form of Kerberos 5 KRB-CRED Message
● RFC 6542 Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility
● RFC 6560 One-Time Password (OTP) Pre-Authentication
● RFC 6649 Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
● RFC 6784 Kerberos Options for DHCPv6
● RFC 6803 Camellia Encryption for Kerberos 5
● RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
● RFC 6880 An Information Model for Kerberos Version 5
See https://en.wikipedia.org/wiki/Kerberos_(protocol) and https://datatracker.ietf.org/doc/search/?name=Kerberos&sort=&rfcs=on
enizeyimana36
 
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptxML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
JamalHussainArman
 
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
ihlasbinance2003
 
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.pptUnit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
KrishnaveniKrishnara1
 
Heat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation pptHeat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation ppt
mamunhossenbd75
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
abbyasa1014
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
KrishnaveniKrishnara1
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
VICTOR MAESTRE RAMIREZ
 
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEMTIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
HODECEDSIET
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Sinan KOZAK
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
Madan Karki
 
Properties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptxProperties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptx
MDSABBIROJJAMANPAYEL
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
Aditya Rajan Patra
 
Recycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part IIRecycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part II
Aditya Rajan Patra
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
Dr Ramhari Poudyal
 

Recently uploaded (20)

Question paper of renewable energy sources
Question paper of renewable energy sourcesQuestion paper of renewable energy sources
Question paper of renewable energy sources
 
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdfIron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
Iron and Steel Technology Roadmap - Towards more sustainable steelmaking.pdf
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsKuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressions
 
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball playEric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
Eric Nizeyimana's document 2006 from gicumbi to ttc nyamata handball play
 
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptxML Based Model for NIDS MSc Updated Presentation.v2.pptx
ML Based Model for NIDS MSc Updated Presentation.v2.pptx
 
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
5214-1693458878915-Unit 6 2023 to 2024 academic year assignment (AutoRecovere...
 
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.pptUnit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
Unit-III-ELECTROCHEMICAL STORAGE DEVICES.ppt
 
Heat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation pptHeat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation ppt
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
 
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEMTIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEM
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
 
Properties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptxProperties Railway Sleepers and Test.pptx
Properties Railway Sleepers and Test.pptx
 
Recycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part IIIRecycled Concrete Aggregate in Construction Part III
Recycled Concrete Aggregate in Construction Part III
 
Recycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part IIRecycled Concrete Aggregate in Construction Part II
Recycled Concrete Aggregate in Construction Part II
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
 

MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo

  • 1. Kerberos - Protocol for Authentication & Authorization Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers MIT Kerberos
  • 2. Identity Management: MIT Kerberos
  Implementation / OS: Linux, Windows, MacOS
  MIT Kerberos | Active Directory | Heimdal
  Kerberos (V5) is a network authentication and authorization protocol with several implementations.
  "Kerberos allows to secure communications on untrusted networks but where each node is trusted"
  MIT Kerberos is a project written in C since the 1980s.
  Open Source and Free: https://github.com/krb5/krb5
  Last release: 1.16.1 (2018-05-03)
  MIT License
  Official Website | Tutorial | Documentation | Guide
  Distribution | Release Linux | Historic
  RFC | CVE | FAQ
  • 3. Kerberos Features
  Features
  ● Kerberos is in place, mature, stable and performant, and works with symmetric keys
  ● Mutual authentication, integrity and confidentiality of communication
  ● Protected against eavesdropping and replay attacks
  ● No exposed passwords: a password should never be exposed during authentication (no password in code, network call or log ...)
  ● Not only HTTP: it can secure other communication channels (SSH, login, ...)
  ● Largely implemented in each service (client and kerberized server) and in libraries to kerberize services
  Kerberos secret = Metadata + Kerberos key
  Metadata = [ kvno, issue time, encryption, principal ]
  Kerberos key = getKey(password, salt, encryption)
  Keytab = container(Kerberos key with Metadata), stored in a binary file with the right permissions (owner 0400) and not encrypted.
  Authenticator = { PrincipalClient, Timestamp }KClient
  Ticket-Granting Ticket (TGT) = authentication credential
  Service Ticket-Granting (SGT) = authorization credential
  Principal = Kerberos entity (User or Service Principal Name)
  "Kerberos is primarily used over internal LANs to authenticate users."
  Single Sign-On (SSO): one client, several services
  ● One authentication to access a group of services.
  ● Ticket system where long-term secrets generate short-term secrets.
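Added example, not from the deck and not MIT krb5 code: a writer and reader for the MIT keytab file format (version 0x0502), which stores exactly the metadata the slide lists (principal, kvno, enctype, issue time) next to the unencrypted key, plus the two checks a defender wants on a deployed keytab, the owner-only 0400 mode from the slide and deprecated enctypes. The realm, principal, keys and timestamp are constructed; the enctype numbers are the RFC 3961/3962/4757 values.

```python
import os
import stat
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2
NT_PRINCIPAL = 1             # KRB5_NT_PRINCIPAL name type
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # RFC 3961/3962/4757 numbers
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}  # DES: RFC 6649, RC4: RFC 8429


def _counted(data: bytes) -> bytes:  # keytab "counted octet string": uint16 length + bytes
    return struct.pack(">H", len(data)) + data


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int) -> bytes:
    """Serialise one entry; the principal is given as 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key                 # keyblock
    body += struct.pack(">I", kvno)                                     # optional 32-bit vno
    return struct.pack(">i", len(body)) + body


def write_keytab(path: str, entries: list) -> None:
    """Write (principal, kvno, enctype, key, timestamp) tuples with owner-only mode 0400."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries))
    os.chmod(path, 0o400)    # in case the file pre-existed with a wider mode


def parse_keytab(data: bytes) -> list:
    """Return each entry's metadata (principal, kvno, enctype, timestamp) and raw key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:         # a negative size marks a deleted entry: skip the hole
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:   # 32-bit vno present: it overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
                        "timestamp": timestamp, "key": key})
    return entries


def keytab_problems(path: str) -> list:
    """Defender's checks: the slide's 'owner 0400' rule, plus deprecated enctypes."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} is readable by group/other, expected 0400")
    with open(path, "rb") as f:
        for e in parse_keytab(f.read()):
            if e["enctype"] in WEAK_ENCTYPES:
                problems.append(f"{e['principal']} kvno {e['kvno']} uses weak {e['enctype']}")
    return problems


def demo() -> dict:  # write a constructed service keytab to a temp dir, read it back, audit it
    path = os.path.join(tempfile.mkdtemp(), "service.keytab")
    talk_date = 1529366400   # constructed issue time: 2018-06-19 00:00 UTC
    write_keytab(path, [  # constructed keys, not real key material
        ("HTTP/www.example.org@EXAMPLE.ORG", 3, 18, b"\x11" * 32, talk_date),
        ("HTTP/www.example.org@EXAMPLE.ORG", 3, 23, b"\x22" * 16, talk_date)])
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    problems_0400 = keytab_problems(path)
    os.chmod(path, 0o644)    # simulate a mis-deployed keytab
    return {"entries": entries, "problems_0400": problems_0400,
            "problems_0644": keytab_problems(path)}
```

The same entry layout is what `klist -kt` prints, minus the key bytes; a keytab readable by group or other is as good as a leaked password for that principal.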
  • 4. Kerberos Environment
  Actors: Client (C), Service (S), Authentication Server (AS), Ticket Granting Server (TGS); the Key Distribution Center (KDC) with its database is the Kerberos Server, C and S are Kerberos clients.
  1 Setup
  ● Install your KDC: create master key, create your kerberos realm, configuration (kdc.conf, krb5.conf)
  ● Install Kerberos clients: configuration (krb5.conf)
  2 Provisioning
  ● Creation of the principals (C, S) in the Kerberos database: kerberos configuration + kerberos key
  3 Secret deployment
  ● Deployment on each kerberos client: keytabs (a keytab for C, a keytab for S)
  Kerberos secrets: keytab
  • 5. Kerberos Workflow for Authentication
  Actors: Client (C) with its credentials cache, Service (S) with its keytab and replay cache, Authentication Server (AS) and Ticket Granting Server (TGS) inside the Key Distribution Center (KDC) with its database and replay cache.
  (3)bis The client tries to connect to the service, but the service reclaims Kerberos authentication and a TGS ticket.
  1 Client and Authentication Server (AS_REQUEST, AS_REPLY): TGS session
  (1). Clear plaintext request for a Ticket Granting Ticket (TGT), with pre-authentication (should be configured) and authenticator request
  (2). User ID lookup in the KDC
  (3). 2 messages:
  - A: TGT (encrypted by the AS secret key, principal krbtgt/*)
  - B: TGS session key (encrypted by the client secret key)
  2 Client and Ticket Granting Server (TGS_REQUEST, TGS_REPLY): Service session
  (4). 3 messages:
  - C: authenticator request (encrypted by the TGS session key)
  - D: clear plaintext request for access to the Service
  - E: TGT
  (5). Service lookup in the KDC
  (6). 2 messages:
  - F: Service session key (encrypted by the TGS session key)
  - G: Ticket for Service (encrypted by the Service secret key)
  3 Client and Service (AP_REQUEST, AP_REPLY): Service session
  (7). 2 messages:
  - H: authenticator request (encrypted by the Service session key)
  - I: Ticket for Service (encrypted by the Service secret key)
  (8). 1 message:
  - J: Confirmation of the Service identity (encrypted by the Service session key)
  (9). Exchange messages with the Service ticket
  Kerberos secrets: keytab, TGT, SGT
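Added example, not part of the original deck: the three exchanges of this slide (AS_REQUEST/AS_REPLY, TGS_REQUEST/TGS_REPLY, AP_REQUEST/AP_REPLY) simulated in one process, with the messages labelled A to J as on the slide. The realm, principals and keys are constructed, and seal/unseal is a constructed HMAC-based stand-in for a real Kerberos enctype, there only so that the session keys, the authenticator timestamps, the service replay cache and mutual authentication (J) can be exercised.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds of clock drift tolerated (hence the NTP slide)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Constructed stand-in for a Kerberos enctype (HMAC keystream + HMAC tag), not RFC 3961."""
    data, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def check_authenticator(auth: dict, cname: str, now: int) -> None:
    # an authenticator is bound to the ticket's principal and must be fresh
    if auth["cname"] != cname or abs(now - auth["ctime"]) > CLOCK_SKEW:
        raise ValueError("authenticator rejected: wrong principal or outside clock skew")


class KDC:  # Authentication Server (AS) and Ticket Granting Server (TGS) over one database
    def __init__(self, realm: str, db: dict):
        self.db = db  # principal -> long-term key, i.e. what each keytab holds
        self.krbtgt_key = db[f"krbtgt/{realm}@{realm}"]

    def as_exchange(self, as_req: dict, now: int) -> dict:
        # (1)-(3): pre-authentication proves the client knows its key, then A and B
        client_key = self.db[as_req["cname"]]  # (2) user lookup
        check_authenticator(unseal(client_key, as_req["padata"]), as_req["cname"], now)
        tgs_session = os.urandom(32)
        tgt = {"cname": as_req["cname"], "key": tgs_session.hex()}
        return {"A_tgt": seal(self.krbtgt_key, tgt),  # A: readable by the KDC only
                "B": seal(client_key, {"session": tgs_session.hex()})}

    def tgs_exchange(self, tgs_req: dict, now: int) -> dict:
        # (4)-(6): check the TGT (E) and authenticator (C), then issue F and G for service D
        tgt = unseal(self.krbtgt_key, tgs_req["E_tgt"])
        tgs_session = bytes.fromhex(tgt["key"])
        check_authenticator(unseal(tgs_session, tgs_req["C_auth"]), tgt["cname"], now)
        service_key = self.db[tgs_req["D_sname"]]  # (5) service lookup
        svc_session = os.urandom(32)
        ticket = {"cname": tgt["cname"], "key": svc_session.hex()}
        return {"F": seal(tgs_session, {"session": svc_session.hex()}),
                "G_ticket": seal(service_key, ticket)}


class Service:  # a kerberized service: its keytab key plus a replay cache
    def __init__(self, sname: str, keytab_key: bytes):
        self.sname, self.key, self.replay_cache = sname, keytab_key, set()

    def ap_exchange(self, ap_req: dict, now: int) -> bytes:
        # (7)-(8): open I with the keytab key, H with the session key, answer with J
        ticket = unseal(self.key, ap_req["I_ticket"])
        svc_session = bytes.fromhex(ticket["key"])
        auth = unseal(svc_session, ap_req["H_auth"])
        check_authenticator(auth, ticket["cname"], now)
        if (auth["cname"], auth["ctime"]) in self.replay_cache:
            raise ValueError("replayed authenticator rejected")
        self.replay_cache.add((auth["cname"], auth["ctime"]))
        return seal(svc_session, {"ctime": auth["ctime"]})  # J: mutual authentication


def authenticate(kdc: KDC, service: Service, cname: str, client_key: bytes, now: int) -> dict:
    """Client side of the three exchanges; returns the service session key and the AP_REQ."""
    authenticator = {"cname": cname, "ctime": now}
    as_rep = kdc.as_exchange({"cname": cname, "padata": seal(client_key, authenticator)}, now)
    tgs_session = bytes.fromhex(unseal(client_key, as_rep["B"])["session"])  # credentials cache
    tgs_rep = kdc.tgs_exchange({"C_auth": seal(tgs_session, authenticator),
                                "D_sname": service.sname, "E_tgt": as_rep["A_tgt"]}, now)
    svc_session = bytes.fromhex(unseal(tgs_session, tgs_rep["F"])["session"])
    ap_req = {"H_auth": seal(svc_session, authenticator), "I_ticket": tgs_rep["G_ticket"]}
    ap_rep = unseal(svc_session, service.ap_exchange(ap_req, now))
    if ap_rep["ctime"] != now:  # (8) only a holder of the service key could have answered
        raise ValueError("service failed mutual authentication")
    return {"session_key": svc_session, "ap_req": ap_req}


def build_realm(realm: str = "EXAMPLE.ORG"):  # constructed realm: one user, one service, krbtgt
    sname = f"HTTP/www.example.org@{realm}"
    db = {f"krbtgt/{realm}@{realm}": os.urandom(32), f"alice@{realm}": os.urandom(32),
          sname: os.urandom(32)}
    return KDC(realm, db), Service(sname, db[sname]), db
```

Note that the client's long-term key is used once, to open B; after that only short-term session keys travel, which is the "long-term secrets generate short-term secrets" point of slide 3.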
  • 6. Kerberos Realm and Trust for Authorization
  User Principal Name (UPN): user@REALM
  ● UPN: An entity performing client requests to some service. Human or machine.
  Service Principal Name (SPN): service/fqdn@REALM
  ● SPN: An entity processing requests for a specific service (HTTP, LDAP, SSH ...). Machine only.
  Trust unilateral: REALM A → REALM B
  Trust bilateral: REALM B ← → REALM C
  • 7. Kerberos Monitoring @Criteo
  Kerberos daemons and ports: krb5kdc:88, kadmind:749, kpasswd:464, kpropd:754
  ● Health checks: Kerberos Probe, Blackbox exporter
  ● Basis metrics (TGT & TGS): collectd/kerberos exporter
  ● prometheus + consul, Grafana dashboard for visualisation
  ● Logs: Rsyslog, elastic search, kibana
  ● Network Traces: wireshark
  ● Alertmanager: email, PagerDuty, slack
  • 8. Technical Stack around Kerberos @Criteo: Secret deployment
  Kerberos server side: Kerberos servers and Kerberos databases (native or LDAP) holding the UPNs (physical users, service users) and SPNs (kerberized services); chef server; consul.
  Kerberos client side: a chef client on each Kerberos client (UPN or SPN).
  Technical Stack
  ● Discovery: DNS + Consul
  ● Clock synchronisation: NTP
  ● Backup: Storage
  ● Log Analysis: Rsyslog + ES + Kibana
  ● Monitoring & Alerting: Prometheus + Grafana + Graphite
  ● Secret Management: chef-vault + vault
  ● Infrastructure Automation: Chef server
  Secret deployment: from the chef server to the chef client of each Kerberos client (UPN).
  • 9. Technical Stack around Kerberos @Criteo: Clock synchronisation
  Same stack as slide 8. Clock synchronisation: an ntp client on every Kerberos client and server (NTP).
  • 10. Technical Stack around Kerberos @Criteo: Discovery and DNS
  Same stack as slide 8. Domain Name Resolution for the Kerberos clients: Round Robin with SRV records, Reverse Resolution with PTR records. Flow to establish a Kerberos communication: TGT → TGS_REQUEST → TGS_REPLY → SGT → connection attempt.
  • 11. Implemented HTTP SSO with Kerberos
  Diagram labels: SSO client, proxy, controller filter; human to machine and machine to machine flows; IIS on Windows, and Linux.
  • 12. Kerberos for your application in Java
  Client side: Client application → Krb5LoginModule (JAAS) → GSS-API/SASL → Kerberos / SPNEGO; files: user.keytab, krb5.conf, .java.login.config
  Server side: Server application → Krb5LoginModule (JAAS) → GSS-API/SASL → Kerberos / SPNEGO; files: service.keytab, krb5.conf, .java.login.config
  The two sides establish the Kerberos communication.
  ● SASL: Simple Authentication and Security Layer
  ● SPNEGO: Simple and Protected GSS-API Negotiation Mechanism
  ● JAAS: Java Authentication and Authorization Service
  ● GSS-API: Generic Security Service Application Program Interface
  • 13. Demo Time
  ● Kerberos Servers: kerberos-docker
  ● Kerberized services with a keytab: Apache2 (http), Mongo (mongodb), OpenSSH (ssh + delegation)
  ● Client: login/password, kinit -k keytab, kinit -R, klist; credentials cache in the file system
  ● Java Client and Java Server over a socket; credentials cache in JVM memory
  ● wireshark for the network traces
  • 14. Wouff… It is the end! Kerberos - Protocol for Authentication & Authorization Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers MIT Kerberos
  • 15. References
  Learn Kerberos authentication
  ● Tutorial Kerberos
    ○ https://www.kerberos.org/software/tutorial.html
  ● The MIT Kerberos Administrator’s How-to Guide
    ○ https://www.kerberos.org/software/adminkerberos.pdf
  ● Best Practices for Integrating Kerberos into Your Application
    ○ https://www.kerberos.org/software/appskerberos.pdf
  ● Why is Kerberos a credible security solution?
    ○ https://www.kerberos.org/software/whykerberos.pdf
  ● Kerberos database can be OpenLDAP
    ○ https://www.openldap.org
  ● Kerberos: The Definitive Guide, O’Reilly
    ○ http://shop.oreilly.com/product/9780596004033.do
  Kerberos for GAFA
  ● Google
    ○ Google Search Appliance uses Kerberos
      ■ https://support.google.com/gsa/answer/6055202?hl=en
  ● Apple
    ○ Authentication and Identification In Depth
      ■ https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Authentication/Authentication.html
  ● Facebook
    ○ https://developers.facebook.com/docs/workplace/authentication/sso (no public references found)
  ● Amazon
    ○ Use Kerberos Authentication
      ■ https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-kerberos.html
  • 16. References
  Kerberos implementation
  ● MIT: MIT Kerberos
    ○ http://web.mit.edu/kerberos
    ○ What is Kerberos?
      ■ http://web.mit.edu/kerberos/www/#what_is
    ○ MIT Kerberos Consortium
      ■ http://kerberos.org/software/
    ○ Source code:
      ■ GitHub:
  ● Microsoft: Active Directory
    ○ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
    ○ What is Kerberos Authentication?
      ■ https://technet.microsoft.com/pt-pt/library/cc780469(v=ws.10).aspx
    ○ Microsoft Kerberos
      ■ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx
  ● Heimdal: Heimdal Kerberos
    ○ https://www.h5l.org
    ○ What is Heimdal/Kerberos?
      ■ https://github.com/heimdal/heimdal/wiki
    ○ Source code:
      ■ Github: https://github.com/heimdal/heimdal/releases
  There are other KDC client/server implementations, such as Apache Kerby, to run a KDC "in memory" in Java:
  ● https://github.com/apache/directory-kerby
  • 17. References
  Single Sign On with Kerberos and SPNEGO
  ● Microsoft: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
    ○ https://msdn.microsoft.com/en-us/library/ms995329.aspx
  ● IBM: Single sign-on for HTTP requests using SPNEGO web authentication in Websphere application
    ○ https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.wlp.core.doc/ae/cwlp_spnego.html
    ○ https://www.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/csec_SPNEGO_explain.html#csec_SPNEGO_explain__SPNEGOkerb
  ● SAP: Single Sign-On: Authenticate with Kerberos/SPNEGO
    ○ https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
  Operating system Linux and Kerberos
  ● RedHat (and CentOS): Using Kerberos
    ○ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/using_kerberos
  ● Ubuntu: Kerberos
    ○ https://help.ubuntu.com/lts/serverguide/kerberos.html.en
  ● Arch Linux: Kerberos
    ○ https://wiki.archlinux.org/index.php/Kerberos
  ● Fedora
    ○ https://fedoraproject.org/wiki/Infrastructure/Kerberos
  (Missing for macOS and Windows: this presentation is Linux only)
  • 18. References
  Kerberos in Java
  ● Oracle (and Sun): Single Sign-on Using Kerberos in Java
    ○ https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm
  ● OpenJDK:
    ○
  ● Apache:
    ○ Apache Kerby:
      ■ http://directory.apache.org/kerby/
      ■ source code:
        ● Github: https://github.com/apache/directory-kerby
    ○ Hadoop:
      ■ Hadoop in Secure Mode
        ● https://hadoop.apache.org/docs/r3.0.0/hadoop-project-dist/hadoop-common/SecureMode.html
      ■ source code:
        ● GitHub: https://github.com/apache/hadoop-common/tree/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security
  ● Java Server
    ○ Tomcat
      ■ https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
    ○ Jetty
      ■ http://www.eclipse.org/jetty/documentation/current/spnego-support.html
    ○ Jboss
      ■ https://developer.jboss.org/wiki/HowToImplementKerberosAuthenticationWithASimpleRESTWebApp
    ○ Spring
      ■ https://spring.io/projects/spring-security-kerberos#overview
  • 19. References
  Kerberos in Python
  ● Apple:
    ○ https://github.com/apple/ccs-pykerberos
  ● Requests:
    ○ https://github.com/requests/requests-kerberos
  ● Python GSSAPI
    ○ https://github.com/pythongssapi
  Kerberos with Proxy/Reverse Proxy
  ● Apache2
    ○ mod_auth_gssapi
      ■ https://github.com/modauthgssapi/mod_auth_gssapi
    ○ mod_auth_kerb
      ■ http://modauthkerb.sourceforge.net
    ○ mod_authnz_ldap
      ■ http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
  ● NGINX
    ○ https://www.nginx.com/blog/nginx-plus-authenticate-users/
  ● HaProxy
    ○ https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/
  • 20. References
  Kerberos and LDAP
  ● OpenLDAP:
    ○ https://www.openldap.org
  ● Microsoft:
    ○ https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
  ● Ubuntu:
    ○ https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html.en
    ○ https://help.ubuntu.com/lts/serverguide/openldap-server.html.en
  ● MIT:
    ○ https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
  Kerberos with Wireshark and Tshark
  ● https://wiki.wireshark.org/Kerberos
  ● https://www.wireshark.org/docs/man-pages/tshark.html
  Kerberos is different
  ● Kerberos vs SSL/TLS
    ○ https://www.secureblackbox.com/kb/articles/6-Kerberos.rst
  ● Kerberos vs SPNEGO
    ○ https://developer.ibm.com/answers/questions/246107/what-is-the-difference-between-kerberos-and-spnego/
  Kerberos GSS-API
  ● GNU Generic Security:
    ○ https://www.gnu.org/software/gss/manual/gss.html#GSS_002dAPI-Overview
  ● Oracle:
    ○ https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/index.html
  • 21. References
  Kerberos and RFCs
  ● RFC 1510 The Kerberos Network Authentication Service (V5) [Obsolete]
  ● RFC 1964 The Kerberos Version 5 GSS-API Mechanism
  ● RFC 3961 Encryption and Checksum Specifications for Kerberos 5
  ● RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
  ● RFC 4120 The Kerberos Network Authentication Service (V5) [Current]
  ● RFC 4121 The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
  ● RFC 4537 Kerberos Cryptosystem Negotiation Extension
  ● RFC 4556 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
  ● RFC 4557 Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
  ● RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows [Obsolete]
  ● RFC 5021 Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
  ● RFC 5349 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
  ● RFC 5868 Problem Statement on the Cross-Realm Operation of Kerberos
  ● RFC 5896 Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
  ● RFC 6111 Additional Kerberos Naming Constraints
  ● RFC 6112 Anonymity Support for Kerberos
  ● RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
  ● RFC 6251 Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
  ● RFC 6448 The Unencrypted Form of Kerberos 5 KRB-CRED Message
  ● RFC 6542 Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility
  ● RFC 6560 One-Time Password (OTP) Pre-Authentication
  ● RFC 6649 Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
  ● RFC 6784 Kerberos Options for DHCPv6
  ● RFC 6803 Camellia Encryption for Kerberos 5
  ● RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
  ● RFC 6880 An Information Model for Kerberos Version
  See https://en.wikipedia.org/wiki/Kerberos_(protocol) and https://datatracker.ietf.org/doc/search/?name=Kerberos&sort=&rfcs=on