KERBEROS & COVERT CHANNELS
©neo
TOPICS COVERED
• KERBEROS
  What is Kerberos? How does it work? Applications of Kerberos
• COVERT CHANNELS
  What are covert channels? How do they work? Example; conclusion
KERBEROS
WHAT IS KERBEROS?
• Kerberos is a secure method for authenticating a request for a service in a computer network.
• Kerberos was developed in the Athena Project at the Massachusetts Institute of Technology (MIT).
• Kerberos lets a user request an encrypted "ticket" from an authentication process that can then be used to request a particular service from a server.
• The user's password does not have to pass through the network.
[Diagram: Susan at her desktop computer, the Key Distribution Center (Authentication Service and Ticket Granting Service), and the XYZ Service]
Key Distribution Center: think “Kerberos Server” and don’t let yourself get mired in terminology.
[Diagram: Susan at her desktop computer, the Key Distribution Center (Authentication Service and Ticket Granting Service), and the XYZ Service]
XYZ Service: represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc.)
[Diagram: Susan’s desktop computer sends a request to the Authentication Service in the Key Distribution Center]
Susan: “I’d like to be allowed to get tickets from the Ticket Granting Server, please.”
[Diagram: the Authentication Service sends a locked box back to Susan’s desktop computer]
Authentication Service: “Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service.”
[Diagram: Susan unlocks the box with her password (myPassword) and takes out a TGT]
TGT
Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a shiny “Ticket-Granting Ticket”.
The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication.
The TGT contains no password information.
[Diagram: Susan’s desktop computer presents a copy of the TGT to the Ticket Granting Service, asking to use XYZ]
Susan: “Let me prove I am Susan to XYZ Service. Here’s a copy of my TGT!”
[Diagram: the Ticket Granting Service returns a service ticket for XYZ to Susan’s desktop computer]
Service ticket: “Hey XYZ: Susan is Susan. CONFIRMED: TGS”
Ticket Granting Service: “You’re Susan. Here, take this.”
[Diagram: Susan’s desktop computer presents the service ticket to the XYZ Service]
Susan: “I’m Susan. I’ll prove it. Here’s a copy of my legit service ticket for XYZ.”
Service ticket: “Hey XYZ: Susan is Susan. CONFIRMED: TGS”
[Diagram: the XYZ Service examines the service ticket it has received]
XYZ Service: “That’s Susan alright. Let me determine if she is authorized to use me.”
Authorization checks are performed by the XYZ service…
Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.
One remaining note:
Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable.
Until a ticket’s expiration, it may be used repeatedly.
[Diagram: Susan’s desktop computer presents the same service ticket to the XYZ Service again]
Susan: “ME AGAIN! I’ll prove it. Here’s another copy of my legit service ticket for XYZ.”
Service ticket: “Hey XYZ: Susan is Susan. CONFIRMED: TGS”
[Diagram: the XYZ Service examines the re-presented service ticket]
XYZ Service: “That’s Susan… again. Let me determine if she is authorized to use me.”
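The three exchanges walked through on the slides above, written out as an added Python simulation (this is not code from the presentation): a toy keyed “lock box” stands in for Kerberos encryption, and the principal names, the KDC key store and XYZ’s access list are assumed for illustration.

```python
import hashlib, hmac, json, os, time
def string_to_key(password):
    # Long-term key derived from the password; held only by Susan and the KDC.
    return hashlib.sha256(password.encode()).digest()

def lock(key, obj):
    # Toy stand-in for Kerberos encryption: SHAKE keystream XOR plus an HMAC tag.
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    body = nonce + bytes(a ^ b for a, b in zip(data, ks))
    return body + hmac.new(key, body, "sha256").digest()

def unlock(key, box):
    body, tag = box[:-32], box[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("wrong key")  # the box stays shut without the right key
    ks = hashlib.shake_256(key + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(body[16:], ks)))

KDC_KEYS = {"susan": string_to_key("myPassword"), "krbtgt": os.urandom(32), "xyz": os.urandom(32)}
XYZ_ACL = {"susan"}  # authorization is XYZ's own decision, separate from authentication

def as_exchange(user, ttl=600):
    # AS reply: a session key in a box locked with the user's key, plus a TGT that only
    # the Ticket Granting Service can open. The password itself never crosses the network.
    sk = os.urandom(16).hex()
    tgt = lock(KDC_KEYS["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + ttl})
    return lock(KDC_KEYS[user], {"sk": sk}), tgt

def tgs_exchange(tgt, authenticator, service, ttl=600):
    t = unlock(KDC_KEYS["krbtgt"], tgt)  # TGT contents are opaque to Susan
    if t["exp"] < time.time(): raise ValueError("expired TGT")
    unlock(bytes.fromhex(t["sk"]), authenticator)  # proves Susan holds the session key
    sk2 = os.urandom(16).hex()
    ticket = lock(KDC_KEYS[service], {"user": t["user"], "sk": sk2, "exp": time.time() + ttl})
    return lock(bytes.fromhex(t["sk"]), {"sk": sk2}), ticket

def xyz_service(ticket, authenticator):
    t = unlock(KDC_KEYS["xyz"], ticket)  # authentication: only XYZ's key opens the ticket
    if t["exp"] < time.time(): raise ValueError("expired service ticket")
    unlock(bytes.fromhex(t["sk"]), authenticator)
    return t["user"] in XYZ_ACL  # authorization: a separate check performed by XYZ itself

def susan_uses_xyz(password, service="xyz"):
    # Susan's side of the three exchanges; raises ValueError if the password is wrong.
    box, tgt = as_exchange("susan")
    sk = bytes.fromhex(unlock(string_to_key(password), box)["sk"])
    box2, ticket = tgs_exchange(tgt, lock(sk, {"user": "susan", "t": time.time()}), service)
    sk2 = bytes.fromhex(unlock(sk, box2)["sk"])
    return xyz_service(ticket, lock(sk2, {"user": "susan", "t": time.time()}))
```

Note that a ticket for a user outside XYZ_ACL still authenticates but is refused at the authorization step, and an expired TGT or service ticket is rejected before anything else is checked.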
APPLICATIONS
• Authentication
• Authorization
• Confidentiality
• Within networks and small sets of networks
COVERT CHANNELS
WHAT ARE COVERT CHANNELS?
• “A path of communication that was not designed to be used for communication.”
• Covert channels arise in many situations, particularly in network communications.
• Covert channels are virtually impossible to eliminate, and the emphasis is instead on limiting the capacity of such channels.
FOR EXAMPLE
Suppose Alice has a TOP SECRET clearance while Bob only has a CONFIDENTIAL clearance. If the file space is shared by all users, then Alice and Bob can agree that if Alice wants to send a 1 to Bob, she will create a file named, say, FileXYzW, and if she wants to send a 0 she will not create such a file.
Bob can check to see whether the file FileXYzW exists; if it does, he knows Alice has sent him a 1, and if it does not, Alice has sent him a 0. In this way, a single bit of information has been passed through a covert channel, that is, through a means that was not intended for communication by the designers of the system.
A single bit leaking from Alice to Bob is probably not a concern, but Alice could leak any amount of information by synchronizing with Bob.
For example, Alice and Bob could agree that Bob will check for the file FileXYzW once each minute. As before, if the file does not exist, Alice has sent a 0, and if it does exist, Alice has sent a 1.
In this way Alice can (slowly) leak TOP SECRET information to Bob. A printing queue can be similarly used as a covert channel.
COVERT CHANNELS
Three things are required for a covert channel to exist:
• First, the sender and receiver must have access to a shared resource.
• Second, the sender must be able to vary some property of the shared resource that the receiver can observe.
• Finally, the sender and receiver must be able to synchronize their communication.
It’s apparent that covert channels are extremely common.
Probably the only way to completely eliminate all covert channels is to eliminate all shared resources and all communication.
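The FileXYzW example and the three requirements above (shared resource, observable property, synchronization), as an added Python simulation that is not part of the presentation: a temporary directory stands in for the shared file space, a loop iteration stands in for the once-a-minute tick, and the FlipMonitor and bits_per_hour helpers are assumed here to show the defender’s side, detecting the channel and bounding its capacity.

```python
import os, tempfile

SHARED = tempfile.mkdtemp()              # shared resource: a file space all users can see
FLAG = os.path.join(SHARED, "FileXYzW")   # the name Alice and Bob agreed on beforehand

def to_bits(msg):
    return [(b >> i) & 1 for b in msg.encode() for i in range(7, -1, -1)]

def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8)).decode()

def alice_send_bit(bit):
    # Alice varies one observable property of the shared resource: whether FLAG exists.
    if bit:
        open(FLAG, "w").close()
    elif os.path.exists(FLAG):
        os.remove(FLAG)

def bob_read_bit():
    return int(os.path.exists(FLAG))

class FlipMonitor:
    # Defender's view: count how often the shared object changes state. A file whose
    # existence toggles on nearly every tick is carrying bits, not doing normal work.
    def __init__(self):
        self.last, self.flips, self.ticks = None, 0, 0
    def observe(self):
        exists = os.path.exists(FLAG)
        self.ticks += 1
        self.flips += int(self.last is not None and exists != self.last)
        self.last = exists

def transmit(msg, monitor=None):
    # Synchronization: one bit per agreed tick (the page's "once each minute"). A loop
    # iteration stands in for the minute so the simulation runs instantly.
    received = []
    for bit in to_bits(msg):
        alice_send_bit(bit)
        if monitor:
            monitor.observe()
        received.append(bob_read_bit())
    return from_bits(received)

def bits_per_hour(poll_interval_seconds):
    # Capacity of this channel is bounded by how often Bob may look: one bit per poll.
    return 3600 / poll_interval_seconds
```

At the page’s one-minute tick the channel carries 60 bits per hour, which is why the leak is slow but unbounded in total; lengthening the interval Bob is allowed to observe is the capacity-limiting control the page refers to.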
Thank you
Presentation By:
Shweta Agrawal - 02
Puneet Bhat - 12
Raj Bhatt - 14
Shaun Bothelo - 15