
SEC390

Integrating PKI and Kerberos


Authentication services
Alberto Pace
WorkShop sul Calcolo e Reti dell'INFN, 6-9 June 2006
Authentication Methods
Two technologies for authentication: Kerberos and X.509 certificates (PKI)
Today at CERN:
  Kerberos is used in Windows domains and AFS
  PKI is used in all Grid-related projects, with multiple certification authorities
Both technologies are here to stay
Multiple scenarios exist to integrate and interoperate the two technologies
Kerberos vs PKI?
Both technologies have weak and strong points:
  Distributed versus centralized management
  Forwardable authentication
  Offline authentication
The technology is different: asymmetric encryption with public/private key pairs versus symmetric encryption and shared secrets
Some details follow.
PKI basics
PKI provides, among other services, an authentication protocol relying on asymmetric encryption.
One of the keys is kept private, the other is made public. Public keys are distributed using certificates, which are digitally signed by trusted authorities.
[Diagram: clear-text input "An intro to PKI and few deploy hints" -> Encryption -> cipher-text "Py75c%bn&*)9|fDe^bDzjF@g5=&nmdFgegMs" -> Decryption -> clear-text output. Encryption and decryption use different keys.]
PKI: Obtaining a Certificate
[Diagram: Alice and the Certification Server]
  1. The user generates a key pair (priv, pub).
  2. The public key is submitted to the CA for certification.
  3. At the certification server the user identity is verified, a digital signature (DS) is added and the certificate (Alice, pub, DS) is produced.
  4. The certificate is sent to the user.
PKI: Authentication with Certificates
[Diagram: Alice (priv; certificate: Alice, pub, DS) and Bob]
  The certificate is sent to Bob for authentication.
  Bob verifies the digital signature on the certificate. He can trust that the public key really belongs to Alice, but is it Alice standing in front of him?
  Bob challenges Alice to encrypt for him a random phrase he generated ("I Like Flowers").
  Alice encrypts it using her private key ("&erD4%@f%%") and returns the result.
  Bob decrypts it using the public key in the certificate and compares it with the phrase he sent.
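The three PKI slides above (key pair, CA-issued certificate, challenge on knowledge of the private key) carried through in code, as an added example that is not part of the original presentation. It uses textbook RSA over four Mersenne primes so that every step is visible in plain Python (3.8 or later, for the modular inverse); the CA and Alice key pairs, the subject name CN=Alice and the two impostor scenarios are constructed assumptions, and a real deployment would use a vetted library with proper signature padding and real X.509 parsing rather than a raw "encrypt with the private key".

```python
"""Toy PKI from the 'PKI basics', 'Obtaining a Certificate' and 'Authentication with
Certificates' slides: CA-signed certificate, then Bob's random-phrase challenge.
Added example, not code from the original presentation. Textbook RSA over Mersenne
primes keeps the steps visible; real systems use a vetted library (RSA-PSS/ECDSA,
padding, real X.509) and never raw 'encrypt with the private key'."""
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key

def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for the two constructed primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))   # modular inverse: Python 3.8+

def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    """The slides' 'encrypt using private key': s = H(m)^d mod n."""
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    """'Decrypt using public key in certificate and compare': s^e mod n == H(m)."""
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def cert_body(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(ca_priv, subject: str, pub) -> dict:
    """CA step: identity verified out of band, digital signature (DS) added."""
    return {"subject": subject, "pub": pub, "ds": sign(ca_priv, cert_body(subject, pub))}

def authenticate(ca_pub, cert: dict, responder) -> bool:
    """Bob's side. `responder` is the peer: it gets the phrase and returns a signature."""
    # 1. Trust the public key only if the certificate carries a valid CA signature.
    if not verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["ds"]):
        return False
    # 2. Is it really Alice in front of me? Fresh random phrase, never reused.
    phrase = secrets.token_bytes(32)
    return verify(cert["pub"], phrase, responder(phrase))

# Constructed keys from Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1 (toy sizes).
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ALICE_CERT = issue_certificate(CA_PRIV, "CN=Alice", ALICE_PUB)

def alice_responds(phrase: bytes) -> int:
    return sign(ALICE_PRIV, phrase)

def scenario_genuine() -> bool:
    return authenticate(CA_PUB, ALICE_CERT, alice_responds)

def scenario_stolen_certificate() -> bool:
    """Mallory presents Alice's (public) certificate but only holds her own private key."""
    _, mallory_priv = make_keypair(2**61 - 1, 2**89 - 1)
    return authenticate(CA_PUB, ALICE_CERT, lambda phrase: sign(mallory_priv, phrase))

def scenario_forged_certificate() -> bool:
    """Mallory mints a 'CN=Alice' certificate with a CA key that Bob does not trust."""
    _, rogue_ca_priv = make_keypair(2**89 - 1, 2**127 - 1)
    rogue_cert = issue_certificate(rogue_ca_priv, "CN=Alice", ALICE_PUB)
    return authenticate(CA_PUB, rogue_cert, alice_responds)
```

Only scenario_genuine() returns True: the certificate alone proves nothing about who is at the other end (the stolen-certificate case fails the challenge), and a correct answer to the challenge proves nothing unless the public key used to check it was vouched for by a CA Bob trusts (the forged-certificate case fails the signature check).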
Kerberos Differences
Kerberos is an authentication protocol relying on symmetrical cryptographic algorithms that use the same key for encryption as for decryption.
Different from PKI!
[Diagram: clear-text input "An intro to PKI and few deploy hints" -> Encryption -> cipher-text "AxCvGsmWe#4^,sdgfMir3:dkJe%sY8R\\s@!q3%" -> Decryption -> clear-text output. Encryption and decryption use the same key (shared secret).]
Kerberos: Basic principles
There is a trusted authority known as the Key Distribution Center (KDC), which is the keeper of secrets.
Every user shares a secret password with the KDC. Technically the KDC doesn't know the password but rather a one-way hash of it, which is used as the basis for a cryptographic "master key".
The secret master key is different for each user.
As two users don't know each other's master key, they have no direct way of verifying each other's identity.
The essence of Kerberos is key distribution. The job of the KDC is to distribute a unique session key to each pair of users (security principals) that want to establish a secure channel, using symmetric encryption.
Everybody has to trust the KDC.
[Diagram: every principal trusts the KDC; the KDC and each principal share that principal's master key (Ma for Alice, Mb for Bob).]
Walkthrough of a (simplified) Kerberos session
Alice wants to communicate with Bob (Bob could be a server or a service).
Alice can communicate securely with the KDC, using symmetric encryption and the shared secret (master key).
Alice tells the KDC that she wants to communicate with Bob (known to the KDC).
(simplified) Kerberos session 2
The KDC generates a unique random cryptographic key for Alice and Bob to use (call this Kab).
It sends two copies of Kab back to Alice.
  The first copy is for her to use, and is sent to her along with some other information in a data structure that is encrypted using Alice's master key.
  The second copy of Kab is packaged along with Alice's name in a data structure encrypted with Bob's master key. This is known as a "ticket".
[Diagram: Alice -> KDC: "I want to talk to Bob". KDC -> Alice: Kab encrypted using Ma (the unique key for Alice/Bob communication), plus {Kab, Alice} encrypted using Mb.]
What is the ticket?
The ticket is effectively a message to Bob that only BOB can decrypt:
"This is your KDC. Alice wants to talk to you, and here's a session key that I've created for you and Alice to use. Besides me, only you and Alice could possibly know the value of Kab, since I've encrypted it with your respective master keys. If your peer can prove knowledge of this key, then you can safely assume it is Alice."
[Diagram: ticket = {Kab, Alice} encrypted using Mb.]
Kerberos authentication
Alice must send the ticket to Bob with proof that she knows Kab, and she must do it in a way that allows Bob to detect replays from attackers listening on the network where Alice, Bob, and the KDC are conversing.
The ticket is sent to Bob, with an authenticator (her name and the current time, all encrypted with the session key Kab).
Bob takes the ticket, decrypts it, and pulls Kab out. Then he decrypts the authenticator using Kab, and compares the name in the authenticator with the name in the ticket.
If the time is correct, this could provide evidence that the authenticator was indeed encrypted with Kab.
[Diagram: Alice -> Bob: Ticket = {Kab, Alice} encrypted using Mb, and Authenticator = {Alice, 22:34} encrypted using Kab.]
Kerberos authentication
If the time is incorrect, Bob rejects the request with a hint of what his time is (Bob's time isn't a secret).
If the time is correct, it's probable that the authenticator came from Alice, but another person might have been watching network traffic and might now be replaying an earlier attempt. However, if Bob has recorded the times of authenticators received from Alice during the past "five minutes", he can defeat replay attempts. If this authenticator yields a time later than the time of the last authenticator from Alice, then this message must be from Alice.
This is why time synchronization is essential in Kerberos, and all KDCs also provide time synchronization services.
You can see this as a "challenge" on the knowledge of the shared secret (Kab): "prove that you know Kab by encrypting the current time for me".
Mutual authentication
Alice has proved her identity to Bob. Now Alice wants Bob to prove his identity as well; she indicates this in her request to him via a flag.
After Bob has authenticated Alice, he takes the timestamp she sent, encrypts it with Kab, and sends it back to Alice.
Alice decrypts this and verifies that it's the timestamp she originally sent to Bob. She has authenticated Bob because only Bob could have decrypted the authenticator she sent.
Bob sends just a piece of the information in order to demonstrate that he was able to decrypt the authenticator and manipulate the information inside. He chooses the time because that is the one piece of information that is unique in Alice's message to him.
[Diagram: Bob -> Alice: {22:34} encrypted using Kab.]
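The exchange of the last three slides (ticket plus authenticator, Bob's time and replay checks, and the mutual-authentication reply) run end to end, as an added example that is not part of the original presentation. The symmetric cipher is a constructed toy built from SHA-256 and HMAC so the block runs on Python's standard library alone; the principal names, passwords, the clock value 81240 (22:34 as seconds of the day) and the five-minute skew are constructed assumptions, and the TGT/Kak step from the "Real life is more complicated" slide is omitted.

```python
"""Simplified Kerberos exchange from the slides: the KDC distributes Kab, Bob opens
the ticket, checks the authenticator (name, time, replay cache) and answers for
mutual authentication. Added example, not code from the original presentation.
The cipher is a toy (SHA-256 keystream + HMAC tag) so the block needs only the
standard library; real Kerberos uses AES-based encryption types (RFC 4120)."""
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, obj) -> bytes:
    """nonce || ciphertext || HMAC tag: without `key` nobody can read or forge it."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# KDC: keeper of secrets. It stores a one-way hash of each password (the master key),
# never the password itself. Principals and passwords are constructed sample values.
MASTER_KEYS = {
    "alice": hashlib.sha256(b"alice-password").digest(),    # Ma
    "bob": hashlib.sha256(b"bob-service-secret").digest(),  # Mb
}

def kdc_issue(client: str, server: str):
    """Return (Kab for the client sealed under Ma, ticket for the server sealed under Mb)."""
    kab = os.urandom(32).hex()
    for_client = encrypt(MASTER_KEYS[client], {"kab": kab, "server": server})
    ticket = encrypt(MASTER_KEYS[server], {"kab": kab, "client": client})
    return for_client, ticket

class Service:
    """Bob: opens tickets with Mb and remembers the newest authenticator per client."""
    SKEW = 300  # the slides' "five minutes"

    def __init__(self, name: str):
        self.name = name
        self.last_time = {}

    def accept(self, ticket: bytes, authenticator: bytes, now: int):
        t = decrypt(MASTER_KEYS[self.name], ticket)
        kab = bytes.fromhex(t["kab"])
        try:
            a = decrypt(kab, authenticator)   # only succeeds if sealed with this Kab
        except ValueError:
            return "reject: authenticator not encrypted with Kab", None
        if a["client"] != t["client"]:
            return "reject: name mismatch", None
        if abs(a["time"] - now) > self.SKEW:
            return f"reject: clock skew, my time is {now}", None  # Bob's time is no secret
        if a["time"] <= self.last_time.get(a["client"], -1):
            return "reject: replay", None
        self.last_time[a["client"]] = a["time"]
        # Mutual authentication: echo the timestamp under Kab when the client asked for it.
        reply = encrypt(kab, {"time": a["time"]}) if a.get("mutual") else None
        return "ok", reply

def client_request(client: str, kdc_reply, now: int, mutual: bool = True):
    """Alice: recover Kab with her master key, then build ticket + authenticator."""
    for_client, ticket = kdc_reply
    kab = bytes.fromhex(decrypt(MASTER_KEYS[client], for_client)["kab"])
    authenticator = encrypt(kab, {"client": client, "time": now, "mutual": mutual})
    return kab, ticket, authenticator

def run_scenarios() -> dict:
    bob = Service("bob")
    now = 81240  # constructed clock: 22:34 as seconds of the day
    kab, ticket, auth = client_request("alice", kdc_issue("alice", "bob"), now)
    status, reply = bob.accept(ticket, auth, now)
    results = {"genuine": status}
    # Only a holder of Mb could have recovered Kab and echoed Alice's timestamp.
    results["mutual"] = decrypt(kab, reply)["time"] == now
    # An eavesdropper replays the captured ticket + authenticator seconds later.
    results["replay"] = bob.accept(ticket, auth, now + 5)[0]
    # ... or an hour later: rejected by the time check before the replay cache is consulted.
    results["stale"] = bob.accept(ticket, auth, now + 3600)[0]
    # An authenticator sealed with a guessed key fails Bob's integrity check.
    forged = encrypt(os.urandom(32), {"client": "alice", "time": now + 10})
    results["no_kab"] = bob.accept(ticket, forged, now + 10)[0]
    # A fresh authenticator from Alice (later timestamp, same ticket) is accepted again.
    fresh = encrypt(kab, {"client": "alice", "time": now + 20})
    results["fresh"] = bob.accept(ticket, fresh, now + 20)[0]
    return results
```

Calling run_scenarios() gives "ok" for the genuine exchange and for Alice's later fresh authenticator, True for the mutual check, and the reason string for the three rejected messages. Bob's replay cache keeps only the newest accepted time per client, which is exactly what the slide describes: a captured authenticator can never be accepted twice, and whoever does not hold Kab cannot mint a newer one because the integrity tag fails.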
Kerberos Secure Communication
Alice and Bob now share a unique secret, Kab, that they use to communicate.
[Diagram: Alice <-> Bob: secure information / message encrypted using Kab.]
Real life is more complicated
Real Kerberos includes several extra steps for additional security.
When Alice first logs in, she actually asks the KDC for what is called a "ticket granting ticket", or TGT.
  The TGT contains the session key (Kak) to be used by Alice in her communications with the KDC throughout the day.
  This explains why, when the TGT expires, you have to renew it.
So when Alice requests a ticket for Bob, she actually sends to the KDC her TGT plus an authenticator with her request.
  The KDC then sends back the Alice/Bob session key Kab encrypted with Kak, as opposed to using Alice's master key as described earlier.
See various Kerberos references for details.
CERN Certification authority, PKI and Kerberos integration
Authentication Services at CERN
For Kerberos:
  Two KDCs in production, one for Windows computers (cern.ch domain), one for AFS (cern.ch cell)
  Accounts and passwords planned to be synchronized
For the grid:
  CERN Certification authority, http://cern.ch/service-grid-ca
Plan for 2006 / 2007:
  Migrate to a new certification authority integrated with the Kerberos services, http://cern.ch/ca
New CERN Certification authority
Aim: to issue certificates
  Recognized by the entire grid community
  Valid to obtain Kerberos tickets automatically
Separate Root CA and Issuing CA
  Offline Root CA: run on Virtual PC, server image on removable disks; root trusted by default inside CERN.
  Online Issuing CA: issues all certificates, online, connected to the CERN Human Resources database
Web site: http://cern.ch/ca
CA services planned
Issuing user certificates
  'Software' client certificates
  Certifies the identity of a person
Issuing host certificates
  To authenticate computers, for example all web servers requiring https services
  Can certify any host in the cern.ch domain based on the CERN network database registration
  Service certificates foreseen
Issuing SmartCards
  Certificate and private key in a HW token
Allow users to map existing certificates issued by trusted CAs (for example existing Grid certificates) to their Kerberos account.
DEMO: User Certificate Request
Internet Explorer or Mozilla browsers can handle certificate requests automatically.
A manual procedure with OpenSSL is also provided.
DEMO: Host Certificates
Users can request host certificates for CERN hosts they manage.
DEMO: Certificate mapping to Existing Account
Users can map an existing certificate to their Kerberos account for authentication.
Typically for owners of Grid certificates not issued by the CERN CA.
PKI / Kerberos integration
[Diagram: Alice (priv; certificate: Alice, pub, DS), a Web Server TRUSTED by the KDC, the Kerberos KDC, and Bob (a resource in the Kerberos domain)]
  Alice -> Web Server: authentication request with her certificate.
  Web Server: certificate validation, then challenge on knowledge of the private key. Alice authenticated.
  Web Server -> KDC: "I need a ticket to talk to Bob on behalf of Alice."
  KDC -> Web Server: Kab encrypted using the web server's master key (M), plus the ticket {Kab, Alice} encrypted using Mb.
  Web Server -> Bob: normal Kerberos authentication with the ticket {Kab, Alice}.
See: Kerberos Constrained Delegation
Roadmap for 2006
Obtain accreditation from the European Grid Policy Management Authority (www.eugridpma.org)
  Obtain approval of the new Certificate Policy and Certification Practice (CP/CPS)
  See http://www.eugridpma.org/members/
  From offline issuing CA to online issuing CA with FIPS hardware module
  http://www.eugridpma.org/guidelines/%-AP-classic-20050930-4-0.pdf
Verify interoperability with Windows and Linux desktops
  Mapping between Active Directory path and certificate Subject Distinguished Name
  Alternate user mapping possible
  Usage of smartcard on Linux requires further investigation
Certificate usage, Interoperability
Once a certificate is installed in the client computer:
  Can authenticate to CERN websites (Win, Web, Mail, Terminal Services, etc.)
    Not all CERN web sites yet, but planned
    Best example of PKI / Kerberos interoperability
  Can participate in any grid activity, worldwide
    Certificate recognized worldwide within the grid community
  Secure e-mail possible
  Provide a common authentication interface for CERN services: sort of Single Sign On
Medium to long term:
  Have the CERN certificates trusted worldwide, not only within the grid community
  Support Windows and Linux desktop authentication using smartcard certificates
  Combine together SmartCards and CERN Access cards
Web Authentication example
[Screenshots: opening a website; if several client certificates matching the server requirements are found, the browser asks the user to choose one; certificate authentication complete; cancelled or no certificate installed.]
Technology not platform specific
Example: Email signing
In Outlook:
Managing Certificates
Software certificates expire and must be renewed, typically once a year.
  Renewing a certificate is more complicated than a password change.
Looking towards automating request, distribution and installation of client certificates:
  For PCs member of a Windows domain, the CERN certificate can be pushed to the client as a domain policy.
    Its renewal can be handled automatically (allowing short validity periods).
    Users do not need to understand, be aware, or be informed: 100% transparent.
  Similar automation levels exist for Linux and Mac OS systems, but require the computers to be centrally managed.
  Otherwise, smartcards are a possible solution:
    Much easier for the user to understand
    Longer certificate validity
CERN Access Card
Use the same SmartCard for:
  Windows desktop (and laptop): logon and browser authentication
  Linux desktop: browser authentication
  Mac OS X desktop: browser authentication
  Remote Windows: Windows Terminal Services
  Remote Linux: PuTTY (to be defined, possible with OpenSC), OpenSSH (to be defined, possible with OpenSC), Exceed (to be confirmed)
Conclusion
CERN is improving its Certificate Authority service to:
  Issue certificates usable within the grid community
  Further automate certificate issuing procedures
  Automatically map certificates to Kerberos accounts (when possible)
In addition, certificates issued by other trusted CAs can be mapped to Kerberos accounts.
This should provide good PKI/Kerberos interoperability.
