CISSPills DOMAIN 1: Access Control # 1.02

Upload: pierluigi-falcone-cissp-cism-ccsk-sabsa-foundation

Posted on 13-Apr-2017


Page 1: CISSPills #1.02

CISSPills DOMAIN 1: Access Control #1.02

Page 2: CISSPills #1.02

Table of Contents

Identity Management
Centralised vs Decentralised Access Control
Directories
Single Sign-On
Kerberos
Kerberos Process
Kerberos Weaknesses
SESAME

Page 3: CISSPills #1.02

Identity Management

Identity Management (IdM) refers to the adoption of different technologies to identify, authenticate and authorise users through automated mechanisms. The term also encompasses user account management, access control, password management, single sign-on functionality, management of rights and permissions for user accounts, and the auditing and monitoring of all these elements.

IdM requires the management of uniquely identified entities, together with their attributes, credentials and entitlements. IdM makes it possible to manage digital identities throughout their lifecycle.

The main aims of IdM technologies are to streamline the management of identities, as well as the authentication, authorisation and auditing of subjects on multiple systems throughout the enterprise.

Page 4: CISSPills #1.02

Centralised vs Decentralised Access Control

Access control techniques generally fall into one of the two following categories:

Centralised: where all the authorisation verification is performed by a single entity;

Decentralised: where multiple entities perform authorisation verification.

The former requires less overhead, as all the changes are made in a single location and applied consistently across the different systems.

A directory service (see next slide) is an example of a centralised access control mechanism.

Page 5: CISSPills #1.02

Directories

A directory service is a centralised access control system consisting of a centralised database that contains information about the users and resources available on a network.

This information is managed by the directory service, which allows administrators to configure and manage how identification, authentication, authorisation and access control take place within the network.

Users, clients and processes consult the directory service to learn where resources reside. Subjects must authenticate to the directory service before performing queries and lookup activities. Even after authentication, the directory service will reveal only certain information to a subject, based on that subject’s assigned privileges.

Page 6: CISSPills #1.02

Directories (cont’d)

Most directories follow the X.500 standard, which is based on a hierarchical database of entries. An entry consists of a set of attributes, and each attribute contains one or more values.

Each entry (e.g. a printer or a user) is identified within a namespace and is assigned a unique Distinguished Name (DN), which is formed by the Relative Distinguished Name (RDN), constructed from some of the entry's attributes, followed by the DN of the parent entry, up to the root.

e.g. given an RDN based on the common name (cn) attribute “pierluigi.falcone” of a user object within the directory, a DN could be:

cn=pierluigi.falcone,dc=cisspills,dc=com
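The RDN-plus-parent-DN composition described on this slide, worked through in code. This is an added example, not part of the slides: it splits, composes and escapes DNs following the RFC 4514 string representation, and the DNs and values it handles are constructed samples.

```python
# Added example (not from the slides): split, compose and escape LDAP DNs
# as the slide describes, following the RFC 4514 string representation.
SPECIALS = ',+"\\<>;'   # characters that must be backslash-escaped inside a value

def escape_value(value):
    """Escape an attribute value so it can be embedded in an RDN unambiguously."""
    out = "".join("\\" + c if c in SPECIALS else c for c in value)
    if out[:1] in ("#", " "):        # a leading '#' or space is also escaped
        out = "\\" + out
    if out.endswith(" "):            # as is a trailing space
        out = out[:-1] + "\\ "
    return out

def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes
    (an escaped comma stays inside its value instead of ending the RDN)."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc or ch == "\\":
            cur, esc = cur + ch, not esc
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return rdns

def parse_rdn(rdn):
    """Return (attribute type, value); attribute types are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value

def parent_dn(dn):
    """Everything after the first RDN, i.e. the parent entry's DN ("" at the root)."""
    return ",".join(split_dn(dn)[1:])

def build_dn(attr, value, parent):
    """Compose a DN as the slide describes: the RDN followed by the parent entry's DN."""
    rdn = f"{attr}={escape_value(value)}"
    return f"{rdn},{parent}" if parent else rdn
```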

Page 7: CISSPills #1.02

Directories (cont’d)

Sometimes identity information is scattered around and is stored in different network locations. In this scenario, technologies that consolidate this dispersed information in a single location can come in handy.

Meta directory: collates the identity information from different sources and stores it in a single location;

Virtual directory: has the same aim as a meta directory, merging multiple sources into a single location; however, virtual directories don’t physically store the identity information in a central location, but rather point to where it is actually stored. When the virtual directory is queried, it will point to the source that actually holds the information.

Page 8: CISSPills #1.02

Single Sign-On

Single Sign-On (SSO) is a centralised access control mechanism that allows a subject to authenticate once and access multiple systems using a single set of credentials, as opposed to entering one set of credentials for each system.

The benefit of using SSO is that users have to recall only one password that, for this reason, can be subject to more stringent complexity requirements. Furthermore, by reducing the number of passwords to remember, users are less likely to write them down.

The disadvantage is that if a password gets compromised, then the attacker can access all the systems protected by that credential.

Page 9: CISSPills #1.02

Kerberos

Kerberos is a client-server single sign-on authentication mechanism based on symmetric encryption (AES); it provides confidentiality and integrity for authentication using end-to-end security and helps prevent eavesdropping and replay attacks. The main components of Kerberos are:

Key Distribution Center (KDC): this is the trusted third party that provides authentication services. Kerberos uses symmetric encryption to authenticate clients to servers. All clients and servers are registered with the KDC, which maintains the secret keys for all the registered entities. The KDC provides security services to principals, which can be users, applications or network services. The KDC must have an account for, and share a secret key with, each principal. For users, a password is transformed into a secret key value; the secret can then be used to send sensitive information between the principal and the KDC, and is used for authentication purposes;

Kerberos Authentication Service: the authentication server hosts the functions of the KDC: a ticket-granting service (TGS) and an Authentication Server (AS). The authentication service verifies or rejects the authenticity and timeliness of tickets. This server is often embedded into the KDC;

Page 10: CISSPills #1.02

Kerberos (cont’d)

Ticket-granting ticket (TGT): a TGT provides proof that a subject has authenticated through a KDC and is authorised to request tickets to access other resources. A TGT is encrypted and includes a symmetric key, an expiration time and the user’s IP address. Subjects present the TGT when requesting tickets to access objects;

Ticket: an encrypted message that provides proof that a subject is authorised to access an object. It is also referred to as a service ticket (ST). Subjects request tickets to access objects and, if they are authenticated and authorised (based on the TGT), they are given a ticket. Tickets have specific lifetimes and usage parameters. Once a ticket expires, a client must request a renewal or a new ticket to continue the communication.

The KDC provides services for a set of principals called a realm. A realm is a logical group of resources and users. The KDC is the trusted authentication server for all the principals within the realm. One KDC can be responsible for one or more realms.

Page 11: CISSPills #1.02

Kerberos Process

The client authenticates itself to the Authentication Server (AS), which forwards the username to a key distribution center (KDC). The KDC issues a ticket-granting ticket (TGT), which is time stamped, encrypts it using the user's password and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point, though it may be transparently renewed by the user's session manager while the user is logged in.

When the client needs to communicate with another principal, the client sends the TGT to the ticket-granting service (TGS), which usually shares the same host as the KDC. After verifying that the TGT is valid and the user is permitted to access the requested service, the TGS issues a ticket and session keys, which are returned to the client. The client then sends the ticket to the service server (SS) along with its service request.

Source: Wikipedia, consulted on 29/01/2017.
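The AS, TGS and service-server exchange described above, modelled end to end in code. This is an added example, not part of the slides or of any Kerberos implementation: the principals, keys and lifetimes are constructed, the "encryption" is a toy keyed stream plus HMAC standing in for AES, and the model seals the TGT under the KDC's own key while sealing the session key under the user's password-derived key.

```python
import hashlib, hmac, json, os, time

KDC_KEY = os.urandom(32)                                   # krbtgt key, held only by the KDC
SERVICE_KEYS = {"host/fileserver": os.urandom(32)}         # constructed service principal
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}  # password -> secret key (toy)

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(2, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for AES: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """A wrong key or a modified ticket both fail the tag check and are rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def as_exchange(user, now, lifetime=8 * 3600):
    """AS: TGT sealed under the KDC key; its session key sealed under the user's key."""
    sk = os.urandom(32).hex()
    tgt = seal(KDC_KEY, {"user": user, "sk": sk, "exp": now + lifetime})
    return tgt, seal(USER_KEYS[user], {"sk": sk, "exp": now + lifetime})

def tgs_exchange(tgt, service, now, lifetime=600):
    """TGS: accept only a genuine, unexpired TGT, then issue a service ticket (ST)."""
    t = unseal(KDC_KEY, tgt)
    if now > t["exp"]:
        raise PermissionError("TGT expired: client must renew or re-authenticate")
    ssk = os.urandom(32).hex()
    st = seal(SERVICE_KEYS[service], {"user": t["user"], "sk": ssk, "exp": now + lifetime})
    return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk, "service": service})

def service_accept(service, st, now):
    """SS: only the service's own key opens the ST; an expired ST is refused."""
    t = unseal(SERVICE_KEYS[service], st)
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    return t["user"]

def demo(now=None):
    """Logon -> TGS -> service, returning the principal the service accepted."""
    now = now or int(time.time())
    tgt, for_user = as_exchange("alice", now)
    session_key = bytes.fromhex(unseal(USER_KEYS["alice"], for_user)["sk"])  # client decrypts
    st, for_client = tgs_exchange(tgt, "host/fileserver", now)
    assert unseal(session_key, for_client)["service"] == "host/fileserver"   # client checks
    return service_accept("host/fileserver", st, now)
```

The service never sees the user's key and the KDC key never leaves the KDC; each party can only open the ticket sealed for it, and every ticket carries the expiry the slide mentions.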

Page 12: CISSPills #1.02

Kerberos Weaknesses

Although Kerberos is a versatile authentication mechanism, it presents a few weaknesses:

The KDC can be a single point of failure: if it goes offline, no authentication can occur. Furthermore, if the KDC gets compromised, the secret key for every system is also compromised;

Kerberos has strict time requirements. By default, all systems must be time-synchronised to within five minutes of each other;

Secret keys are temporarily stored on the users’ workstations, which means it is possible for an intruder to obtain the cryptographic keys;

Session keys are decrypted and reside on the users’ workstations, which means they might be obtained by an intruder;

Kerberos is vulnerable to password guessing;

If the keys are too short, they can be vulnerable to brute-force attacks.

Page 13: CISSPills #1.02

SESAME

The Secure European System for Applications in a Multivendor Environment (SESAME) is a single sign-on protocol designed to extend Kerberos functionality, as well as to overcome Kerberos weaknesses. While Kerberos only uses symmetric cryptography, SESAME is based on both symmetric and asymmetric encryption.

SESAME uses Privileged Attribute Certificates (PACs) to authenticate subjects to objects. PACs contain the subject’s identity, access capabilities for those objects, the access time period and the lifetime of the PAC. The PAC is digitally signed so the object can validate that it came from the trusted authentication server (Privileged Attribute Server - PAS), which plays a role similar to the KDC within Kerberos.

SESAME can be implemented as a full SSO solution, or it can be integrated as an add-on to Kerberos to provide public key cryptography and role-based access control.

Later Kerberos versions and various vendor implementations resolved its initial problems, making SESAME adoption unnecessary.

Page 14: CISSPills #1.02

That’s all Folks!

We are done, thank you for the interest! Hope you have enjoyed these pills as much as I have had fun writing them. For comments, typos, complaints or whatever you want, drop me an e-mail at:

cisspills <at> outlook <dot> com

More resources: Stay tuned for the next issues; Join ”CISSP Study Group Italia” if you are preparing for your exam.

Brought to you by Pierluigi Falcone. More info about me on

Contact Details