Part 08 - SSO and Kerberos


12 hours 41 minutes
Video Description

In this section we examine single sign-on, the pros and cons associated with it, and a standard that implements it called Kerberos. Kelly presents a wonderful "carnival" analogy for Kerberos that is very helpful in understanding its operation!

The challenge facing any large organization is how to manage user accounts securely. In peer-to-peer networking situations, it's a chore to create and disable multiple user accounts without any centralized means. A solution is to move to a client/server architecture or the implementation of a domain controller. Several standards for this are LDAP (which is used by Active Directory), SESAME, KryptoKnight, and Kerberos.

We next discuss the pros and cons of single sign-on. Pros consist of ease of use for end users, centralized control and ease of administration. On the flip side, cons consist of a single point of failure, the necessity for standards, and, with convenience, potentially giving away the "keys to the kingdom."

Kerberos is covered next and is a standard that has been around for a long time. It was originally developed by MIT. It uses symmetric cryptography and its core security feature is that it never puts passwords on the network. This is vital for preventing replay attacks. Kelly then presents her carnival analogy to explain the inner workings of Kerberos. Concepts such as the realm, wrist bands, and ride tickets are presented. You should find this way of viewing things very helpful in understanding Kerberos! Finally, concerns and weaknesses with Kerberos are discussed, and though Kerberos is not perfect, it's still a pretty good solution for single sign-on.

Video Transcription
Okay, so to continue our discussion on the idea of single sign-on, you know, you understand the significance. We really take single sign-on for granted today. But if you go back 15, 20 years, a lot of offices, especially small ones, were on peer-to-peer networks.
So I could, you know, there was no server. Each computer was kind of an equal partnership in the network. If you are an equal partner in the network
and files could be located, you know, on anybody's system, and to access computer A I had to have a set of login credentials, and then to access B I have different login credentials, and C, and so on. So it was, ah, it was a very complex environment. You know, I might have lots of different passwords to keep up with.
There was no real central means of pushing out the security
or distributing software. You know, the peer-to-peer networks were certainly, uh, only good for very small environments and really only an option if cost was your main driver. That's not to say peer-to-peer networks aren't around today, but they're certainly much fewer.
So having to log in to all these different systems and provide credentials for everything I wanted to access,
it was very, very cumbersome, very frustrating to users. So that led to us really being pushed to a single sign-on environment where we had the client/server and we log on to the server or the domain controller. And in exchange for our credentials, we were given, you know, an access token.
And that token had a list of our group memberships. And every time we would access a resource.
At least that's how it works with Windows. That token would be matched up against the access control list on that resource. So I'm in the sales group sales people have read permission to this folder.
I get to read, you know, is basically the way that worked. So with single sign on, we have the benefit of just providing your credentials one time,
Um, you know, earlier on, we wanted to, we have to use login scripts because we didn't really have a way of making it easy to provide those login credentials, you know, and then connecting to various drives throughout the network and all of those elements, so we scripted them. Um,
LDAP, Active Directory allows us that single sign-on.
And the reason that the single sign-on works today in many environments is through a network authentication protocol called Kerberos,
and Kerberos, ah, you know, it is gonna be one of the things that I think is gonna be highly testable. You can see the pros and the cons of single sign-on here. They should be pretty self-explanatory. The downside is this idea of keys to the kingdom. If I only have one set of credentials to get access to everything, well, you get that one set of credentials and you have
access to everything that I would have. So that's definitely a con. But the benefits, really, you know, the greater consistency, that ease of administration, that ease on users, all of those really seem to outweigh the potential for negative.
So when we do talk about Kerberos, let's go ahead and come on over. So this is a network authentication protocol coming from MIT.
And has been around in UNIX for a long, long time. It has been around in Windows for a long, long time. Windows 2000 was the first of the Microsoft operating systems to bring in Kerberos and we're still using it.
It uses symmetric cryptography, which is very important. Passwords are never transmitted across the networks, and that's a big benefit. It's one thing to encrypt passwords, but let's never put them on the network at all. Gives us, you know, some additional security, so replay attacks aren't an issue at all.
So let's talk a little bit about some of the components with Kerberos.
Now, I'm gonna leave this here. I don't want to go through and just define every one of these terms. I'd rather kind of cover Kerberos as a whole. And let's get kind of the gist of it before I just start reading a laundry list of definitions.
But I have this here. Uh, you might wanna pause it and get these definitions down.
I think it will be helpful for the illustration I give you on the next couple slides. So maybe pause, take a few notes here, make sure that you know the acronyms for authentication server, ticket-granting server, ah, what a ticket is, the various principals, and this will come in handy in the next slide. Now
let's talk about the Kerberos carnival. I think this is a good analogy. Hopefully, that'll help folks understand what Kerberos does. So let's get out of the IT world just a second. Let's talk about me
as of course we would. Um,
and I mentioned to you all that I grew up in North Carolina, specifically Greensboro, North Carolina, and Greensboro, North Carolina is a terribly dull place to grow up if you're a kid. Um, right in the middle of Guilford County. There was not a lot of action there 25 years ago,
30 years ago, whenever it was. Um,
so, you know, kind of a dull environment. Except every April, the GYC carnival would come to town, and that was always so exciting. And you drive past Carolina Circle Mall and there was a big white fence that would go up, and that's how you knew the carnival was going to go on.
And that fence the purpose of the fence was to isolate the rest of the shopping center parking lot from where the carnival was gonna be.
So inside the fence was the carnival realm. Everything outside the fence, boring. Okay, so that's the first piece. Now, the second element that we've got to think about:
The carnival always opened on Wednesday nights. And when you show up on Wednesday night, admission to the carnival was very cheap. It was a dollar. Sometimes they have food drives, and bring four cans of beets and you get into the carnival for free. God forbid you bring in four cans of
decent vegetables. It's always beets for some reason,
but anyway, you show up and you pay your admission. Now I pay my dollar, bring the food in, do whatever. And I got into the carnival realm. I was admitted to the realm, but did that actually let me ride the rides? No, that didn't let me ride the rides. That let me in the realm.
Really, what paying my admission did is give me a little wrist strap. You know, the yellow plastic wrist straps that I'm talking about, the ones that are either plastic or paper, and you spend the whole night tugging at. Um, well, paying my admission gave me the wrist strap. The significance of the wrist strap was it showed the guy at the ticket booth
that I'd come in the right way,
that I didn't jump the fence, that I paid my dollar, that I came into the realm the proper way.
As a matter of fact, if I go to the ticket booth and try to buy tickets without my wrist strap, he says, no, go back in the right way. I can't sell you tickets without your wrist strap.
So going through admission gives me a wrist strap. It doesn't let me ride the rides, but it lets me do what I need to, which is buy tickets. It's the tickets that let me ride. Right. Now, um, when I was young, before I was old enough to go on my own, I went with my family, particularly my mom,
and I just want to go on record saying, My mother is a lovely
woman, lovely woman, but she is tight with a penny, and I mean that. I went out to lunch with her a while back and I said, Mom, you know what? I make fun of you in class for being kind of a cheapskate. And I said this because she was at lunch and had her calculator out to figure out 15% tip,
but she had her calculator out because she didn't want to figure out 15%
on the tax. She was only gonna pay 15% on the meal itself. And I thought, you know, this woman is sitting on a pile of money somewhere. Probably is. Ah, but anyway, I digress a bit.
But think about this. Let's say I was gonna go ride the Ferris wheel. I'm staying with my mom, and the Ferris wheel cost four tickets.
Now, do you think my mom gave me a $20 bill and said, just go have a nice time, Kelly?
Oh, yeah. Ferris wheel was four tickets. What did I get?
Four sad little measly tickets. And I took my, well, sad, measly tickets. And I rode that Ferris wheel, and it was fun. I want to ride it again. Can I ride it again on the same tickets? No. What will I have to do? Back to the ticket booth.
All right, now, wanna ride the bumper cars? What do I have to do? Back to the ticket booth. And by the way, parents, and for those of you that have children, give your kids a little bit of money. I am 45 years old, still scarred by the tragic incidents of my childhood.
Don't be cheap.
Ah, but you get the point of this. Once to the admission. How many times to the ticket booth?
Well, you go back to the ticket booth for every ride you want to ride. And that really is the way of Kerberos. I enter the realm one time, but for everything that I want to do within the realm, I have to get tickets
and UNIX refers to the environment as a realm. Windows calls it a domain. But ultimately you get the gist of it.
So let's take this a little bit more technical. Okay, let's think about this in terms of networking. So
when I log in, I provide user name and password. What actually happens is my password gets set aside. The local security accounts manager is gonna hang on to that. That password will really be needed in a minute,
but my user name is sent to the authentication service, not my password. Okay, well, the authentication service is a domain controller, so it has all the user names, but it also has all the passwords, even though they're encrypted, it still has access to those passwords. So ultimately,
what happens is my password is used to encrypt
the ticket-granting ticket. That's the equivalent of my wrist strap. Right? So
my ticket-granting ticket is what I need to get to the ticket booth, right? I have to get that TGT to get in the realm.
Well, it's encrypted with my password. So what's the only thing that will decrypt it? My password. And if I had typed my password incorrectly, I'm able to decrypt the TGT.
I'm allowed into the realm. And more importantly or equally importantly, I'm allowed to talk to the ticket booth, because if I didn't successfully decrypt the TGT, the ticket booth knows I didn't come in the right way. I didn't provide the right password. So simply the fact that I have a TGT
proves to the ticket booth that I came in the correct path.
Okay, so
we don't call it the ticket booth in Kerberos. We call it the TGS, the ticket-granting service. But whenever I wanna access a resource in the network I go and get a ticket from the ticket-granting service, right? It'll only give me a ticket if my ticket-granting ticket, so redundant, it will only give me a ticket
if I have a ticket-granting ticket.
Um, so the fact that I have a ticket-granting ticket proves again that I authenticated. All right, now I wanna print to print server A. So what do I do? I go to the ticket booth
with my TGT and I request to print to print server A. What do I get? I get a ticket.
I send that ticket and the print job to print server A and I'm allowed to print.
Now, what's interesting is what's on the ticket.
So I get a ticket from the TGS, the ticket-granting service. And on that ticket,
two copies of the exact same session key,
the exact same session key. And I know that seems weird, but the beauty of this is the first copy of the session key is encrypted with my password. The second copy of the session key is encrypted with the service's password. So the only way my system knows the session key
is, again, we go back and pull that password from when it was entered earlier, and if the correct password had been entered,
then I'm able to decrypt the session key.
All right. Now I can send my print job encrypted with that session key to the print server, and only the correct print server has the key to decrypt the session key. Again, we talked about keys encrypted with keys. So the first copy of the session key is encrypted with my key, so to speak, the second copy
of the session key is encrypted with print server A's key.
What that does is that gives us another layer of authentication, because only my password, which is bound to a key, can unlock the session key. Only the server's real key can decrypt the session key. So again, the fact that we were both able to find the same session key,
and if we weren't, the printer was not gonna be able to decrypt my communication anyway, right? So this is all about authentication, and it's about mutual authentication, because not only do I authenticate to print server A, print server A authenticates back to me by the mere fact that it has the session key.
Right, so there's a lot of back and forth, and the reason there's so much back and forth is because we're using symmetric cryptography. We're not using asymmetric cryptography because, quite honestly, Kerberos is, um, is a network authentication protocol that has to be able to work
whether or not you have a network infrastructure, right, or not a network infrastructure, but a public key infrastructure.
So Kerberos uses symmetric cryptography to distribute a session key among parties. But in order to do that, there has to be a lot of back and forth. Kerberos can be tricky, so you may want to replay the slides and just make sure you have an idea of that back and forth.
But what Kerberos, the big benefit that it gives us is mutual authentication.
It also gives us periodic re-authentication, because the idea of that ticket as I go to other resources, only
I will have entered that password correctly and continue to be able to decrypt tickets meant for me. So the idea that somebody steps in with a man-in-the-middle attack or whatever, they're still not gonna have that original password. And I hope this makes sense, because Kerberos is pretty cool. It's not perfect,
but it's certainly what we've been using for a number of years, and we continue to enhance upon it.
Um, but ultimately, that's the way it works. Now, don't forget, I could go through the admission booth at the carnival. I could get my tickets and I could still get to the Ferris wheel. And it say, You must be this high to ride this ride and I'm not that tall.
Access control lists can still prohibit me from printing to the printer or doing whatever it is I'm trying to do, but I have at least authenticated. And that's what Kerberos is primarily about. It was originally described as the three-headed dog, you know, authentication, authorization and accounting. But, you know, certainly in the Windows environment,
its main focus really is on authentication.
Now Kerberos isn't perfect. Ah, there are always issues. You know, Kerberos can't prevent password guessing. Kerberos is very time sensitive, so that if, um,
your clocks are out of sync, when out of sync more than five minutes, Kerberos doesn't work. You get an error message, which is one of the reasons with Windows 2000 forward
devices automatically started syncing with an Internet time server rather than asking the administrator to enter date and time when they set up the operating system. Pulling from a time server
helps keep that consistent. You know, there are other reasons for that, really for forensics and, uh, investigations, but it certainly helps with Kerberos. Tickets were stored on the workstation, so if the workstation's compromised, that could lead towards identity compromise. The KDC,
which, I don't know that I mentioned the KDC.
We talk about the authentication server or authenticating server and the ticket-granting server, and we talked about those like those were two distinctly separate systems. But honestly, those are two distinctly separate services running on the same system, and that system is called the KDC, the key distribution center.
So, man, what a great target if I'm an attacker. You take down the KDC, Kerberos doesn't work. No one has access
to the network, so certainly a single point of failure and very desirable from an attacker.
Password guessing attacks: Kerberos doesn't have any element to detect that. But you know, you can get that elsewhere through group policy. So again, Kerberos is what we're using. Not perfect, but still pretty good.
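
The ticket exchange walked through in the transcript, as an added example that is not part of the video or the course material: the KDC hands out two copies of one session key, the client can open its copy only with the right password, and the service enforces the five-minute clock tolerance before answering. Assumptions: `seal`/`unseal` are a toy cipher standing in for real Kerberos encryption types, the authentication and ticket-granting steps are collapsed into one `kdc_issue` call, and all function and principal names are hypothetical.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds: the five-minute clock tolerance from the transcript

def derive_key(password: str, salt: str) -> bytes:
    # Long-term key derived from the password; the password itself is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy encrypt-then-MAC for illustration only; not a real Kerberos enctype.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(kdc_db: dict, user: str, service: str):
    # The KDC receives only names; it already holds both long-term keys.
    session_key = os.urandom(32).hex()
    for_client = seal(kdc_db[user], {"service": service, "session_key": session_key})
    ticket = seal(kdc_db[service], {"user": user, "session_key": session_key})
    return for_client, ticket  # two copies of the same session key

def client_request(password: str, user: str, for_client: bytes, now: int):
    # Only the right password yields the key that opens the client's copy.
    reply = unseal(derive_key(password, user), for_client)
    sk = bytes.fromhex(reply["session_key"])
    return sk, seal(sk, {"user": user, "ts": now})  # authenticator

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    t = unseal(service_key, ticket)
    sk = bytes.fromhex(t["session_key"])
    a = unseal(sk, authenticator)
    if a["user"] != t["user"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise PermissionError("clock skew too great")
    return seal(sk, {"ts": a["ts"] + 1})  # proves the service holds the session key
```

The client checks the service's reply with `unseal(sk, reply)`; a service that could not decrypt the ticket cannot produce it, which is the mutual authentication step.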
Our free online CISSP (8 domains) training covers topics ranging from operations security, telecommunications, network and internet security, access control systems and methodology and business continuity planning.