
POSTS AND TELECOMMUNICATIONS INSTITUTE OF TECHNOLOGY, HO CHI MINH CITY - FACULTY OF INFORMATION TECHNOLOGY II


TOPIC: INFORMATION SECURITY - THE KERBEROS AUTHENTICATION PROTOCOL


Supervisor: Mr. Lê Phúc

Group members: Nguyễn Duy Cường (406170004), Thân Đoàn Đăng Hải (406170018)

PTIT_D06THA1

Kerberos

Contents:
I. Overview
II. History
III. Some concepts
IV. The Kerberos model
V. How it works
VI. Installing Kerberos
VII. Kerberos 5
VIII. Security
IX. Advantages and disadvantages of Kerberos
X. Trust relationships

2 | The Kerberos authentication protocol


I. Overview:
Kerberos is a cryptographic protocol for authentication in computer networks that operate over insecure links; it has been public since 1989. The protocol resists eavesdropping and the replay of old packets, and it protects the integrity of data. It was designed for the client-server model and provides authentication in both directions (mutual authentication). The protocol is named after Cerberus, the three-headed dog that guards the gates of the underworld in Greek mythology. Windows 2000, Windows XP, Windows Server 2003 and later releases use a version of Kerberos as their default authentication method. Mac OS X also uses Kerberos in both its Client and Server editions.

II. History:

The Massachusetts Institute of Technology (MIT) developed Kerberos to protect the network services provided by Project Athena. The protocol went through several versions; versions 1 to 3 were used only inside MIT. The main authors of version 4, Steve Miller and Clifford Neuman, published the protocol in the late 1980s, although their main goal was only to serve Project Athena. Version 5, designed by John Kohl and Clifford Neuman, appeared as RFC 1510 - The Kerberos Network Authentication Service (V5) in 1993 (superseded in 2005 by RFC 4120 - The Kerberos Network Authentication Service (V5)), with the aim of fixing the shortcomings of version 4.

III. Some concepts:

Realm, Principal, Instance:
* Realm: a field or area of control; it is similar to a domain but is not a domain.
* Instance: an additional qualifying component.
* Principal: every entity in a Kerberos installation, including individual users, computers and the services running on servers, has a principal associated with it. Each principal is associated with a long-term key, which may be a password or a passphrase. Principals are globally unique names. To achieve this, a principal is organised hierarchically: each principal begins with a user name or a service name, which can be further qualified by different instances. Instances are used in two situations: for service principals, and to create special principals for administrative use. For example, an administrator may have two identities: one for everyday use and one (a "main" admin principal) used only when high administrative privileges are needed. The user name and the optional instance, combined, form a unique entity within a given realm. Every Kerberos installation defines an administrative realm of control that distinguishes it from all other Kerberos installations; Kerberos calls this the realm name. By convention a Kerberos realm is the DNS domain name converted to upper case, so ptit.org becomes PTIT.ORG.

Example: Duy Cường is a student in the IT class of PTIT, whose domain name is ptit.org; the principal Kerberos assigns to Cường is cuong@IT.PTIT.ORG, where IT.PTIT.ORG is the realm and there is no instance.

For Kerberos 4 there are 2 forms:
+ Username[/instance]@REALM
+ Service/fully-qualified-domain-name@REALM

Đăng Hải is a student in the IT class who also sits on the administrative board of PTIT (domain name ptit.org); the principal Kerberos assigns to Đăng Hải is hai.admin@IT.PTIT.ORG. This example is the same as the previous one except that the instance field, admin, is added.

For Kerberos 5: in practice there are cases where 2 machines have the same host name but belong to 2 different domains. For example, Đăng Hải in group 1 and Hồng Hải in group 2 of the same class and school: suppose Đăng Hải belongs to the domain it.ptit.org while Hồng Hải belongs to the domain it.ptit.edu, and both belong to the same realm IT.PTIT.ORG. In Kerberos 4 both would have the same principal, hai@IT.PTIT.ORG. To deal with this situation Kerberos 5 was created, with 2 forms:
- Username[/instance]@REALM
- Service/fully-qualified-domain-name@REALM
For the example above we now have:
+ Đăng Hải: hai/it.ptit.org@IT.PTIT.ORG
+ Hồng Hải: hai/it.ptit.edu@IT.PTIT.ORG

KDC - Key Distribution Center: the Kerberos KDC is one part of the Kerberos system. In theory the KDC consists of three components:
- a database of all principals and the encryption keys they were enrolled with
- the Authentication Server
- the Ticket Granting Server
These are usually bundled into a single program and run together in a single process. A Kerberos realm must have at least one KDC. When requirements call for running a KDC on an ordinary machine, a dedicated KDC machine is recommended instead: if the network has several interconnected KDCs, all critical data, including the keys of every principal in your realm, exists on every KDC in the network, which means more exposure to attack. Also, for users to authenticate successfully to Kerberos-enabled services, at least one KDC must be running at all times. Each KDC holds a database of all the principals in the realm together with their associated secrets. The KDC software keeps most of the additional information about principals in this database, such as the password lifetime, when the password was last changed, and more. Windows 2000 and 2003 keep this database in Active Directory (an LDAP store). A realm may contain several KDCs; the database on each of them must be synchronised to keep authentication consistent. If one server holds stale data, legitimate attempts to authenticate against it can easily fail, because it has not updated its copy of the Kerberos database. The Kerberos protocol defines no standard synchronisation method, so each vendor has created its own replication protocol.

SS - Service Server: the server providing a service (mail server, file server, application server). Any server that provides a service can be a Service Server.

AS - Authentication Server: when a user wants to join a Kerberos realm, rather than authenticating to the KDC as a whole, the user authenticates to the AS. On receiving a client's request to join the Kerberos system, the AS checks whether the requester's identity is in its database. If it is, the AS sends the user the following 2 messages:
Message A: the "Client/TGS session key", encrypted with the user's secret key.
Message B: the "Ticket Granting Ticket" (containing the user's ID, the user's network address, the ticket validity period and the "Client/TGS session key"), encrypted with the TGS's secret key.

TGS - Ticket Granting Server: the TGS receives the TGT from the user and checks whether it is valid by checking that it was encrypted with the TGS's own key. If so, it sends the user a ticket for the service the user wants to use.

Ticket: issued by the TGS and the application server, a ticket provides authentication to the application server or resource. A Kerberos ticket is an encrypted data structure created by the KDC that carries a session key unique to one session. Tickets serve 2 purposes: confirming the identity of the participants and establishing a short-lived key with which the two parties can communicate securely (the session key). The main fields every Kerberos ticket contains are:
- the name of the requesting principal
- the service principal the ticket is for
- when the ticket becomes valid and when it expires (Timestamp, Lifetime)
- the list of IP addresses the ticket may be used from
- the shared secret key (session key) for the user/application conversation
A ticket created by the KDC is encrypted so that anyone without the key can neither read it nor alter it, for example by extending its lifetime or changing the client principal's identity. Because Kerberos authenticates only once, at login, anyone sitting at the machine after login can take part in the Kerberos system. For this reason Kerberos tickets have a short lifetime, roughly 10 to 24 hours: convenient for a single login during the user's working day, while limiting attacks that steal sensitive data.

Session key: used for one session between client and server.

Ticket cache: all Kerberos tickets are stored in a file in a cache called the credential cache; Microsoft and Apple chose this approach. On login to the Kerberos system the tickets are stored in the cache, and on logout everything is deleted. The cache holds the user principal and the tickets the user obtained during the login session. Example:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_502_auJKaJ
    Default principal: jgarman@WEDGIE.ORG

    Valid starting     Expires            Service principal
    09/10/02 01:48:12  09/10/02 11:48:12  krbtgt/WEDGIE.ORG@WEDGIE.ORG
    09/10/02 01:48:14  09/10/02 11:48:12  host/cfs.wedgie.org@WEDGIE.ORG
    09/10/02 04:20:42  09/10/02 11:48:12  host/web.wedgie.org@WEDGIE.ORG

In this example the cache for the user principal jgarman@WEDGIE.ORG is stored in the file /tmp/krb5cc_502_auJKaJ. A credential cache can be associated with only one user principal at a time; to access services as the principal jgarman/admin@WEDGIE.ORG, we destroy the current tickets and log in to Kerberos again as jgarman/admin@WEDGIE.ORG.
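As an added example (not code from the report), the naming rules above and the klist listing quoted in the report, handled in Python: a parser for primary[/instance]@REALM names, the collision the two "hai" principals suffer when the instance is dropped, and a reader for the credential-cache listing that tells which cached tickets are still usable at a given time. The klist text is the report's own sample; the function and class names are ours.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    primary: str                # user name or service name
    instance: Optional[str]     # None when the name has no instance component
    realm: str

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def realm_for_domain(domain: str) -> str:
    """Convention from the report: the realm name is the DNS domain in upper case."""
    return domain.upper()


def parse_principal(text: str) -> Principal:
    """Parse a Kerberos 5 name of the form primary[/instance]@REALM."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal name: {text!r}")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)


def collides_without_instance(a: Principal, b: Principal) -> bool:
    """The collision the report describes: comparing only primary@REALM (no instance),
    two different users can look like the same principal."""
    return (a.primary, a.realm) == (b.primary, b.realm)


# klist listing quoted in the report (not constructed here)
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_502_auJKaJ
Default principal: jgarman@WEDGIE.ORG

Valid starting     Expires            Service principal
09/10/02 01:48:12  09/10/02 11:48:12  krbtgt/WEDGIE.ORG@WEDGIE.ORG
09/10/02 01:48:14  09/10/02 11:48:12  host/cfs.wedgie.org@WEDGIE.ORG
09/10/02 04:20:42  09/10/02 11:48:12  host/web.wedgie.org@WEDGIE.ORG
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
_STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")


@dataclass
class CachedTicket:
    starts: datetime
    expires: datetime
    service: Principal


def parse_klist(listing: str) -> dict:
    """Return the cache file, the default principal and the cached tickets from klist output."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in listing.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = parse_principal(line.split(":", 1)[1].strip())
        else:
            m = TICKET_RE.match(line.strip())
            if m:
                info["tickets"].append(CachedTicket(datetime.strptime(m.group(1), TIME_FMT),
                                                    datetime.strptime(m.group(2), TIME_FMT),
                                                    parse_principal(m.group(3))))
    return info


def usable_services(listing: str, now: str) -> List[str]:
    """Service principals whose cached ticket is valid at `now` (same format as klist),
    i.e. services reachable without going back to the KDC."""
    t_now = datetime.strptime(now, TIME_FMT)
    return [str(t.service) for t in parse_klist(listing)["tickets"]
            if t.starts <= t_now < t.expires]
```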

IV. A typical Kerberos model:

Below is the typical Kerberos system model commonly seen today. It consists of:
- the client, or user
- communications equipment: routers, switches, hubs, ...
- the Kerberos system: AS, TGS, database
- servers providing services: mail server, printer, ...


V. How it works:

General operation:
Below is a (simplified) description of a Kerberos session, where AS = authentication server, TGS = ticket granting server and SS = service server. In brief: the user authenticates to the AS, then proves to the TGS that it has been authenticated in order to receive a ticket, and finally proves to the SS that it is authorised to use the service.
1. The user enters a user name and password on the client machine.
2. The client software performs a one-way hash on the entered password; the result is used as the user's secret key.
3. The client software sends an unencrypted message to the AS requesting service. The content of the message is roughly "user XYZ wants to use the service". Note that neither the secret key nor the password is sent to the AS.
4. The AS checks whether the requester's identity is in its database. If so, the AS sends the user the following 2 messages:
   Message A: the "Client/TGS session key", encrypted with the user's secret key.
   Message B: the "Ticket Granting Ticket" (containing the user's ID, the user's network address, the ticket validity period and the "Client/TGS session key"), encrypted with the TGS's secret key.
5. On receiving these 2 messages, the client software decrypts message A to obtain the session key with the TGS. (The user cannot decrypt message B, because it is encrypted with the TGS's secret key.) At this point the user can authenticate to the TGS.
6. When requesting a service, the user sends the following 2 messages to the TGS:
   Message C: the "Ticket Granting Ticket" from message B and the ID of the requested service.
   Message D: an authenticator (containing the user's ID and the time of the request), encrypted with the "Client/TGS session key".
7. On receiving messages C and D, the TGS decrypts D and sends the user the following 2 messages:
   Message E: the "ticket" (containing the user's ID, the user's network address, the validity period and the "Client/Server session key"), encrypted with the secret key of the server providing the service.
   Message F: the "Client/Server session key", encrypted with the "Client/TGS session key".
8. On receiving messages E and F, the user has what it needs to authenticate to the service server SS. The client sends SS 2 messages: message E from the previous step (containing the "Client/Server session key" encrypted with the SS's secret key), and message G, a new authenticator containing the user's ID and the time of the request, encrypted with the "Client/Server session key".
9. The SS decrypts the "ticket" with its own secret key and sends the user the following message to confirm its own identity and its willingness to provide the service:
   Message H: the timestamp from the service request plus 1, encrypted with the "Client/Server session key".
10. The client decrypts the confirmation and checks that the timestamp was updated correctly. If so, the user can trust the server SS and start sending service requests.
11. The server provides the service to the user.

Operation traced at the packet level:

Notation: Al = Alice (the client); AS, TGS as above; ES = the end service (the SS above); K_X = the long-term key of X; K_Al,TGS and K_Al,ES = session keys; AD = network address; TS = timestamp; E(m, K) and D(m, K) = encryption and decryption of m under K; || = concatenation.

1. Al -> AS: Alice's ID || TGS ID || TS1
2. AS: checks TS1, generates the session key K_Al,TGS and the TGT:
   TGT = E((TGS ID || Alice's ID || Alice's AD || K_Al,TGS || TS2 || Lifetime2), K_TGS)
3. AS -> Al: E((TGT || TGS ID || K_Al,TGS || TS2 || Lifetime2), K_Al)
4. Alice: D(packet, K_Al); checks TS2 and Lifetime2; creates an authenticator for the TGS:
   A_TGS = E((Alice's ID || Alice's AD || TS3), K_Al,TGS)
5. Al -> TGS: TGT || A_TGS || ES ID
6. TGS: D(TGT, K_TGS) -> TGS ID || Alice's ID || Alice's AD || K_Al,TGS || TS2 || Lifetime2
   D(A_TGS, K_Al,TGS) -> Alice's ID || Alice's AD || TS3
   The TGS checks TS3, generates K_Al,ES and creates the ES ticket:
   ES ticket = E((ES ID || K_Al,ES || Alice's ID || Alice's AD || TS4 || Lifetime4), K_ES)
7. TGS -> Al: A_Al = E((ES ticket || ES ID || K_Al,ES || TS4), K_Al,TGS)
8. Alice: D(A_Al, K_Al,TGS) -> ES ticket || ES ID || K_Al,ES || TS4; creates
   A_ES = E((Alice's ID || Alice's AD || TS5), K_Al,ES)
9. Al -> ES: ES ticket || A_ES
10. ES: D(ES ticket, K_ES) -> ES ID || K_Al,ES || Alice's ID || Alice's AD || TS4 || Lifetime4
    D(A_ES, K_Al,ES) -> Alice's ID || Alice's AD || TS5
11. ES -> Al: (A_Al) containing (TS5 + 1), encrypted with K_Al,ES
12. ES and Alice continue exchanging information encrypted with K_Al,ES.
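The exchange described in the two walkthroughs above, carried out end to end in Python as an added example (it is not code from the report). The cipher is a deliberately simple stand-in for DES/AES built from SHA-256 and HMAC, and the principal name, password, addresses and 10-hour lifetime are constructed; the checks each party makes, and the TS + 1 reply that proves the server holds the session key, follow the steps above.

```python
import hashlib, hmac, json, os

LIFETIME = 10 * 3600   # ticket lifetime in seconds (the report quotes 10 to 24 h)
SKEW = 300             # 5-minute clock tolerance for timestamps (section VIII)

# Toy authenticated cipher standing in for DES/AES; not a real Kerberos enctype.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key: bytes, msg: dict) -> bytes:
    """E(msg, key): XOR with a key/nonce-derived keystream, then append an HMAC tag."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    """D(blob, key): raises ValueError when the key is wrong or the blob was altered."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct[16:], _keystream(key, ct[:16], len(ct) - 16))))

def check_ticket(ticket: dict, auth: dict, now: int) -> None:
    """Checks every ticket-accepting party makes on a ticket/authenticator pair."""
    if not ticket["start"] <= now < ticket["start"] + ticket["life"]:
        raise ValueError("ticket not yet valid or expired")
    if auth["cname"] != ticket["cname"] or auth["addr"] != ticket["addr"] or abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is outside the 5-minute window")

class KDC:   # AS and TGS bundled in one process, as the report says is usual
    def __init__(self):
        self.keys = {}                 # principal database: name -> long-term key
        self.k_tgs = os.urandom(32)    # long-term key of the ticket-granting service

    def as_exchange(self, cname, addr, ts1, now):
        if cname not in self.keys or abs(now - ts1) > SKEW:   # step 4: known principal, fresh TS1
            raise ValueError("unknown principal or stale AS_REQ")
        k_c_tgs = os.urandom(32)       # K_Al,TGS
        tgt = encrypt(self.k_tgs, {"cname": cname, "addr": addr, "skey": k_c_tgs.hex(),
                                   "start": now, "life": LIFETIME})         # packet B
        return encrypt(self.keys[cname], {"skey": k_c_tgs.hex(), "tgt": tgt.hex(),
                                          "ts": now, "life": LIFETIME})     # packet A

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = decrypt(self.k_tgs, tgt)   # step 7: only the TGS can open the TGT
        k_c_tgs = bytes.fromhex(t["skey"])
        check_ticket(t, decrypt(k_c_tgs, authenticator), now)
        k_c_s = os.urandom(32)         # K_Al,ES
        st = encrypt(self.keys[service], {"cname": t["cname"], "addr": t["addr"],
                                          "skey": k_c_s.hex(), "start": now, "life": LIFETIME})  # packet E
        return encrypt(k_c_tgs, {"skey": k_c_s.hex(), "ticket": st.hex(), "ts": now})          # packet F

class ServiceServer:
    def __init__(self, name, kdc):
        self.name, self.key = name, kdc.keys.setdefault(name, os.urandom(32))   # key shared via the KDC database

    def ap_exchange(self, ticket, authenticator, now):
        t = decrypt(self.key, ticket)  # step 9: open the ticket with K_ES
        k = bytes.fromhex(t["skey"])
        a = decrypt(k, authenticator)
        check_ticket(t, a, now)
        return encrypt(k, {"ts": a["ts"] + 1})   # packet H: TS5 + 1 proves we hold K_Al,ES

class Client:
    def __init__(self, name, password, addr):
        self.name, self.addr = name, addr
        self.key = hashlib.sha256(password.encode()).digest()   # step 2: one-way hash of the password

    def _authenticator(self, key, now):
        return encrypt(key, {"cname": self.name, "addr": self.addr, "ts": now})

    def login(self, kdc, now):         # steps 1-5: AS exchange; keep K_Al,TGS and the TGT
        rep = decrypt(self.key, kdc.as_exchange(self.name, self.addr, now, now))
        self.k_tgs, self.tgt = bytes.fromhex(rep["skey"]), bytes.fromhex(rep["tgt"])

    def use_service(self, kdc, server, now):   # steps 6-10; True once the server proved itself
        rep = decrypt(self.k_tgs, kdc.tgs_exchange(
            self.tgt, self._authenticator(self.k_tgs, now), server.name, now))
        ticket, k = bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["skey"])
        return decrypt(k, server.ap_exchange(ticket, self._authenticator(k, now), now))["ts"] == now + 1

def _rejected(action) -> bool:        # True when a Kerberos check stops the action
    try:
        action()
        return False
    except ValueError:
        return True

def demo():
    """Returns (service reached with mutual auth, wrong password rejected, expired TGT rejected)."""
    kdc, t0 = KDC(), 1_000_000
    alice = Client("cuong", "s3cret-passphrase", "192.168.1.1")   # constructed principal and password
    kdc.keys[alice.name] = alice.key                                 # enrol the principal in the KDC
    mail = ServiceServer("imap/mail.ptit.org", kdc)
    alice.login(kdc, t0)
    return (alice.use_service(kdc, mail, t0 + 60),
            _rejected(lambda: Client("cuong", "wrong-passphrase", "192.168.1.1").login(kdc, t0)),
            _rejected(lambda: alice.use_service(kdc, mail, t0 + LIFETIME + 1)))
```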

VI. Installing Kerberos

Installing Kerberos involves the following main steps:

1. Planning the installation
Choosing the platform and operating system: the choice is made for you if you use a Windows domain controller as the KDC. If you use a UNIX KDC, however, you must consider which platform the KDCs will run on. The real concern when choosing a platform for your Kerberos KDCs is reliability. We strongly recommend that a separate disk (or better, a RAID set) be used to hold the Kerberos database, and that a separate partition be used to hold all the log files. Keep the log files on a separate partition.
Choosing a KDC package: several KDCs are available from different vendors, both commercial and open source. Each KDC implementation is different, with its own advantages and disadvantages.
MIT: we start with MIT. Many large organisations, mainly universities, use MIT KDCs to handle authentication. MIT Kerberos has a large support base because it is used in so many environments, which helps when resolving problems on the system. MIT Kerberos supports the standard Kerberos encryption types, notably 3DES. In addition, the latest version of MIT Kerberos supports the RC4 encryption type used by Microsoft's Active Directory Kerberos service, as well as AES. MIT is an excellent choice because of its wide support and application compatibility.
Heimdal: like MIT, it fully supports Kerberos 5 and Kerberos 4, and it has some improvements over MIT Kerberos. First, Heimdal supports incremental database propagation, which lets Heimdal KDCs send only the changed part of the Kerberos server database to the other servers when it is updated, instead of transmitting the whole database every time an update is made. Heimdal also has built-in support for AFS-Kerberos 5 interoperability. Heimdal is integrated into several free operating systems, including the BSDs: OpenBSD, NetBSD and FreeBSD. Heimdal is a good choice if you plan to use a Unix KDC.
Windows domain controllers: the Kerberos implementation included in Windows 2000 and later.

2. KDC installation
The steps to set up an MIT or Heimdal KDC: set up the distribution; create a realm; start the servers; test; add slave KDCs.
Windows domain controller: to create a realm on Windows Server 2008, go to Start -> Run -> cmd and type the command dcpromo.
In the Welcome to the Active Directory Domain Services Installation Wizard dialog: select Use advanced mode installation > Next

In the Choose a Deployment Configuration dialog: select Create a new domain in a new forest > Next


In the Name the Forest Root Domain dialog: enter the name cuong.net > Next

The system checks the domain name just entered.

In the Domain NetBIOS Name dialog: Next


In the Set Forest Functional Level dialog: select Windows Server 2008 > Next

In the Additional Domain Controller Options dialog: select DNS server > Next


In the Active Directory Domain Services Installation Wizard dialog: Yes

In the Location for Database, Log Files, and SYSVOL dialog: Next

In the Directory Services Restore Mode Administrator Password dialog: enter a password > Next


In the Summary dialog:

The system completes the installation, then click Finish.

3. DNS and Kerberos
The participation of DNS in a Kerberos system is essential; it supports many functions in your Kerberos realm. Kerberos can use DNS for service location, through the DNS SRV records defined in RFC 2052. In addition, Kerberos can use a TXT record to locate the appropriate realm for a given host or domain name. With these DNS records, a Kerberos client can find the appropriate KDCs without needing a configuration file. Windows sets up the required SRV records automatically when an Active Directory domain is created. Those who use Unix for their KDCs can create the DNS entries in their zone by hand as a convenience for clients.

VII. Kerberos 5:
Chapter V covered how Kerberos works; this part introduces the additional functions Kerberos 5 provides and the options available when we use Kerberos 5.
1. A small change: unlike the previous version, Kerberos 4, Kerberos 5 uses ASN.1 (Abstract Syntax Notation One). ASN.1 defines a method for describing protocol definitions in an abstract notation and then provides methods for converting those abstract definitions into a stream of bytes for transmission over a communications network. Several protocols use ASN.1 to define themselves, such as Kerberos 5, SNMP and LDAP. An example from Kerberos 5:

    Realm ::= GeneralString
    PrincipalName ::= SEQUENCE {
        name-type[0]    INTEGER,
        name-string[1]  SEQUENCE OF GeneralString
    }

The functions of the AS and TGS are unchanged in Kerberos 5, but the name of the TGS changed slightly. Apart from that change, Kerberos 5 also removes the double encryption that appeared in the replies of the KDC's AS and TGS (compared with Kerberos 4). This change does not reduce security; on the contrary, it improves efficiency and performance.

3. Multiple choices for encryption: Kerberos 5 offers several choices of encryption, such as DES, triple DES, AES, ... We can choose the encryption method that suits each exchange. One question arises, however: how do the components of the Kerberos system understand each other? Each of the following message types has its own way of being encrypted:
* Ticket: each ticket is issued for and encrypted for exactly one service server, and is decrypted with that server's key. A ticket can therefore be encrypted with the strongest method the server supports.
* Reply: a message the KDC sends to the client, which the client must decrypt with its own key. It must therefore be encrypted with a method the client supports.
* Session key: the session key is shared between the client and the application server, so it must be encrypted with a method that both the client and the server support.
The parts of the Kerberos system (user, application server and KDC) must support at least one common encryption method in order to communicate. When a principal is created on the KDC, the KDC stores a copy of that principal's key for every encryption method it supports, so that the KDC can respond quickly.

4. Ticket options: Kerberos 5 includes advanced features that give users more control over their Kerberos tickets:
* Forwardable tickets: (usually the TGT; widely used) when the TKT_FLG_FORWARDABLE flag is set on a ticket, with the administrator's permission, the user can use this ticket to request a new ticket for a different IP address. In other words, the user can use their credentials to create credentials valid for another machine. Right after authenticating to the AS, the user can request a new TGT before using Kerberos software. This is used heavily in remote login programs such as telnet, rlogin and rsh.
* Renewable tickets: in Kerberos the lifetime of a ticket is usually short, to limit the damage of ticket theft, but this is inconvenient for users with long-running work. For this reason Kerberos 5 supports renewable tickets. A renewable ticket has an expiry time like an ordinary ticket, but the user can extend it beyond an ordinary ticket's lifetime. While the user holds a ticket that has not yet expired, they can send the KDC a request for a renewed ticket with a new expiry time. If all the conditions are satisfied, the KDC validates the ticket and returns a new one. This continues until the renewable lifetime runs out. Benefits: a ticket is harder to abuse, because an attacker holding an expired ticket can do nothing with it. When the user has finished using the renewed ticket, they can tell the KDC that it is no longer needed, and the KDC refuses all further renewal requests for it.
* Postdated tickets: when we have a future task that will need Kerberos authentication, we can use a new Kerberos 5 option, postdated tickets. A postdated ticket only becomes valid from a point in the future; if the user presents it earlier, the KDC rejects it. It is not widely used.

5. Kerberos 5-to-4 translation: to provide compatibility with Kerberos 4 services, Kerberos 5 ships a Kerberos 5-to-4 translation service (krb524).
This service gives Kerberos 5 clients a way to talk to Kerberos 4 services. It does not give Kerberos 4 clients a way to talk to Kerberos 5 services or KDCs.
When a Kerberos 5 client wants to use a service that only understands Kerberos 4 tickets, the Kerberos library contacts the machine running the krb524 daemon to obtain credentials suitable for Kerberos 4. When the krb524 daemon receives the client's request, it decrypts the service ticket with the service key, extracts the session key inside and creates a new Kerberos 4 service ticket with that session key. Note: the session key in Kerberos 5 must be a single-DES key, because the krb524 daemon only copies the key and repackages it, and Kerberos 4 understands only single DES. The machine running the krb524 daemon does not have to be the KDC. For example, Windows domain controllers do not support the krb524 daemon, so to use it we must set up a separate machine running the krb524 daemon.

6. Pre-authentication: to make offline dictionary and brute-force attacks harder, Kerberos 5 implements pre-authentication. Pre-authentication requires requesters to prove their identity before the KDC issues a ticket for a particular principal. There are several ways to perform pre-authentication, but an encrypted timestamp is the most common. Whether the system uses pre-authentication depends on KDC policy. When the KDC requires pre-authentication and a client requests a ticket without it, the KDC sends a KRB_ERROR message instead of an AS_REP. The client then generates the data needed for its pre-authentication and resends the AS_REQ with that data attached. If the KDC accepts it, the KDC returns an AS_REP with the ticket; if not, the KDC returns KRB_ERROR and the client receives no ticket.

7. String-to-key transformation: this function converts the plaintext password string into a key. Unlike Kerberos 4, Kerberos 5 supports any algorithm with any key size. In addition, before encrypting, Kerberos 5 adds a component called a salt to the user's password, which increases its resistance to brute force. The salt is chosen by the KDC but is usually the principal name.

8. Password changing: previously, in version 4, the administrative protocol was used to change passwords, but this caused trouble between machines using different administrative protocols.
A standard Kerberos 5 password-change protocol was proposed as an Internet Draft in 1998, called the Horowitz password-change protocol. Recent versions of MIT (1.2 and later) and Heimdal Kerberos, as well as Windows 2000 and 2003 (based on Active Directory), all support the Horowitz password-change protocol. Later a new draft replaced the Horowitz protocol: Kerberos Set/Change Password Version 2. This protocol lets administrators reset other users' passwords as well as letting users change their own, and it can return more detailed information to the client when a password is rejected.
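The salted string-to-key of item 7, as an added example that is not code from the report: it follows the RFC 3962 AES scheme (PBKDF2-HMAC-SHA1 with the default salt of realm plus name components) up to, but not including, the final DK step, and shows that two principals sharing a password still get different long-term keys, whereas with an empty salt their keys would be identical and one precomputed dictionary would serve against both. The principals are the report's; the password is constructed.

```python
import hashlib

ITERATIONS = 4096   # default PBKDF2 iteration count of the AES string-to-key (RFC 3962)


def default_salt(principal: str) -> str:
    """Kerberos 5 default salt: the realm followed by the name components, no separators.
    Because it is built from the principal name, every principal gets its own salt."""
    name, _, realm = principal.rpartition("@")
    return realm + name.replace("/", "")


def string_to_key(password: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 over password and salt, the first stage of the RFC 3962 AES
    string-to-key. The real enctype applies one more derivation step (DK), omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"),
                               iterations, 32)


def long_term_keys(password: str, principals, salted: bool = True) -> dict:
    """Derive each principal's key from the same password, with or without the per-principal salt."""
    return {p: string_to_key(password, default_salt(p) if salted else "") for p in principals}


def demo():
    """Returns (salted keys all distinct, derivation repeatable, unsalted keys collide)."""
    users = ["cuong@IT.PTIT.ORG", "hai/admin@IT.PTIT.ORG"]   # principals from the report
    password = "Winter2002"                                 # constructed shared weak password
    salted = long_term_keys(password, users)
    unsalted = long_term_keys(password, users, salted=False)
    return (len(set(salted.values())) == len(users),
            string_to_key(password, default_salt(users[0])) == salted[users[0]],
            len(set(unsalted.values())) == 1)
```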


VIII. Security
It is important to realise that deploying Kerberos on your network does not guarantee perfect security. While Kerberos is very secure in a theoretical setting, there are many practical security issues to consider. It is also important to remember that Kerberos provides only an authentication service; it does not prevent compromises caused by server software bugs, by administrators granting access to unauthorised users, or by poorly chosen passwords. Many consider Kerberos as secure as possible, yet there remain security issues that need attention.

1. Kerberos attacks
It is not easy for an attacker to attack a Kerberos KDC system directly. There are, however, several typical attacks that can compromise the security of your Kerberos system. Listed below are the potential compromise scenarios and their effect on the security of the Kerberos system.
Root compromise of a Kerberos KDC machine: a root compromise of a KDC server gives the attacker full control over the entire Kerberos authentication system. Although the Kerberos database is encrypted on disk with the Kerberos master key, the master key is kept on the KDC's disk so that no manual intervention (entering the master password) is required when the KDC server starts.
Compromise of a Kerberos administrator's credentials: if an attacker obtains an administrator's password, the attacker can mount a complete attack on the whole Kerberos database.
Root compromise of a server machine: for the Kerberos protocol to work, a service must have access to a service key. The service keys reside on the server's file system, either in a keytab in Unix implementations or in the LSA secrets in Microsoft implementations. If an attacker gains root access to a server, every Kerberized service running on that machine is compromised.
Root compromise of a client machine: a root compromise of a client machine gives the attacker all the tickets stored on that machine. Since tickets are time-limited, this is not as serious a compromise as an attacker obtaining the user's password. However, with root access to the client machine, an attacker can secretly install a sniffer to capture users' passwords when they log in to the computer.
Compromise of user credentials: there are 2 possibilities in this scenario: either the user's ticket cache is exposed, or the user's password is compromised.
If an attacker obtains the cache of unencrypted tickets, the tickets in that cache are valid only for the period specified in each ticket. On the other hand, if the attacker obtains and reuses the user's password, the attacker can impersonate the user until the user changes that password. The underlying point of the list above is that every one of these scenarios shows how important it is to keep every machine on your network secure. Installing Kerberos on your network does not reduce the importance of keeping all servers and user machines safe from outside attack; the compromise of any single machine on the network will have some adverse effect on the security of your Kerberos authentication system.

2. Other attacks:
- Denial of service
- The "insider"
- Social engineering and password exposure
- Security holes in the Kerberos software itself

3. Protocol security issues
Dictionary and brute-force attacks: in the original Kerberos 4 protocol, the KDC creates an encrypted TGT for any client that requests one. The TGT is encrypted with the user's secret key. The security of the whole system rests on this message being undecryptable, because if an attacker can obtain the key used to encrypt it, he now has the user's password and can impersonate the user at will. So if an attacker wants a user's password, he can ask the KDC for a valid TGT with the victim's user name. While there is no way to break the encryption methods Kerberos uses directly, the attacker can then proceed to brute-force the decryption of the TGT by launching an offline dictionary attack. In a dictionary attack, the attacker feeds a list of commonly used passwords, or a dictionary, to a cracking program. For each entry in the dictionary, the program tries to decrypt the message using that password; if a decryption succeeds, the program reports the user's password back to the attacker. Since the conversion from a user's password to the cryptographic key is known, it is trivial for an attacker to build a program that translates ordinary passwords into Kerberos cryptographic keys. The attacker then collects a large number of valid TGTs from the KDC and proceeds to crack the TGTs offline; for each decryption attempt he has no contact with the KDC. In other words, once the TGTs have been requested from the KDC, no further communication is needed to attack the passwords. The encryption used in Kerberos v4, as well as the most common encryption type in Kerberos v5, is DES. Single DES, designed in the late 1970s, has a 56-bit key length. When Kerberos was designed (in the late 1980s), brute-forcing a 56-bit key was infeasible given the speed of the processors available. By today's standards, the 56-bit key space of DES is considered relatively insecure.
In 1998 the Electronic Frontier Foundation demonstrated that, with an investment of $200,000, an attacker could build a "DES cracker" able to brute-force the cryptographic key of a DES message within 1 day. With current processors (in 2002), the time to decrypt a DES-encrypted message is in the range of a few hours. Fortunately, Kerberos v5 introduced several new protocol features to reduce this risk. The first is extensible encryption types, which allow stronger encryption techniques to be added. In addition, a pre-authentication phase was added: clients must prove their identity before the KDC issues them a ticket. Pre-authentication limits the problem of offline brute-force and dictionary attacks: instead, a remote attacker must contact the KDC for every new password guess. However, the new encryption methods in Kerberos v5 and the pre-authentication feature do not completely defeat dictionary or brute-force attacks. The new encryption methods certainly make brute-force attacks less feasible by increasing the difficulty of brute-forcing the encrypted messages, but all the servers, clients and KDCs on the network must support the new encryption type. If, for example, you have several different client and Kerberos server implementations installed on your network (say, a set of MIT Kerberos servers together with some Windows clients), you can only use an encryption type supported by every machine on your network. MIT supports triple DES but Windows does not, so communication between Windows and MIT Kerberos is limited to DES. The upcoming 1.3 release of MIT Kerberos 5 will support the RC4 encryption algorithm used by Windows, and thereby strengthen the encryption used between the two implementations. With pre-authentication, an attacker can no longer simply request encrypted tickets from the KDC at will. However, an attacker can use a network "sniffer" to capture the KDC's responses as they are sent to clients; those responses contain tickets encrypted with users' keys. While the attack has become harder thanks to the added protection, it remains a potential problem. In addition, most Kerberos implementations do not require pre-authentication by default, which negates its security benefit.

Replay attacks: because every protocol exchange consists of messages sent over a computer network, an attacker can listen to the messages of a successful authentication exchange on the network, make a copy of them, and replay them later. The attacker does not need to guess the user's password or decrypt any message in this attack. Since a replay attack requires the ability to listen to all messages on the network as well as the ability to send forged messages, it is an active attack. Suppose Alice successfully obtains a ticket to authenticate to her mail server. Bob, the attacker, secretly listens to all the network traffic between Alice, the mail server and the Kerberos KDC.
Bob cannot directly use the TGT Alice requested in the previous step, because the TGT reply must be decrypted with Alice's password, which Bob does not know. However, when Alice sends her encrypted ticket and authenticator, Bob can intercept them and replay them to impersonate Alice to the mail server. The ticket is encrypted with the mail server's key, and the authenticator is encrypted with the session key shared between Alice and the mail server. When the mail server receives the ticket and authenticator, it decrypts the ticket with its own key, takes the session key out of the ticket, and uses that session key to decrypt the authenticator. If all the decryptions succeed, the authentication succeeds. Kerberos has built-in protections against replay attacks. As an administrator you do not have to worry about enabling these protections; they are built into the Kerberos implementation you are using. The protections are:

- Address field in tickets: when a client requests a ticket from the KDC, it lists the network addresses for which the ticket is valid. For example, if the workstation's IP address is 192.168.1.1, the workstation puts this address in the address field of the ticket request, and the KDC copies it into the ticket it returns to the workstation. This protection addresses the case of an attacker trying to replay a valid ticket from a workstation that is not listed in the ticket's address field. However, it does not prevent replay attacks: the address field may be left empty, in which case the ticket is valid for all addresses; or, if the attacker has access to a machine listed in the address field, he can log in there and replay the tickets from it.
- Time-based authenticators: because address-based protection alone is not sufficient, Kerberos uses another layer to prevent replay attacks. Whenever a client wants to use a Kerberized service, it creates an authenticator, which is sent along with the ticket to the service for authentication. The authenticator contains a timestamp and is encrypted with the session key the KDC generated for that ticket exchange. When the service receives the authenticator, it compares the timestamp with its own system clock. If the difference exceeds 5 minutes, the service discards the ticket and refuses to authenticate the user. The 5-minute window is designed to allow for some variation between the clocks on the network. However, 5 minutes can be long enough for an attacker to replay valid tickets, especially if the attacker uses an automated program to capture and replay them.
- Replay caches: the last line of defence Kerberos has against replay attacks is the replay cache. Both Kerberos v4 and v5 include time-based authenticators in the protocol. Kerberos v5 uses a replay cache to stop an attacker reusing a ticket within the short window in which the authenticator is still considered valid. Each Kerberized service maintains a cache of the authenticators it has recently received. When the service receives an authenticator, it checks the replay cache; if it finds a copy of that authenticator in the cache, it rejects the request. Otherwise, it accepts the request and adds the authenticator to the replay cache to check later requests against.

Man-in-the-middle attacks: finally, man-in-the-middle attacks affect authentication protocols. Man-in-the-middle is an active attack, meaning the attacker must be able to read all the messages on the network as well as send arbitrary messages of his own.
The purpose of this attack is to impersonate the server, so that the user thinks he is connected to the legitimate server while actually talking to the attacker. Once the attacker controls the session, he can simply pass messages between the user and the legitimate server without modification, or modify them, or delete messages between the user and the server. The attacker is part of the conversation between the user and the legitimate server and can alter any message that passes through him.

The good news is that the Kerberos protocol has built-in protection against man-in-the-middle attacks. Once Kerberos performs mutual authentication, in which not only the user but also the server is verified, the man in the middle is thwarted. To defeat this attack, some mechanism for verifying the server's cryptographic key must exist. Other protocols use manual verification or signed certificates; Kerberos uses the copies of all keys, for both services and users, stored on the KDC to guarantee protection against MITM attacks. The session key the KDC generates and then sends to the service is encrypted with the service's key, so the attacker cannot recover the session key without the service's secret key. A client can then detect whether the server it is talking to is legitimate by requesting mutual authentication, where the server must prove its identity by recovering the session key, encrypting a response and sending it back to the client. If the server is not legitimate, it has no copy of the service's key, cannot send back a correctly encrypted message, and the client disconnects.

While Kerberos provides the ability to perform mutual authentication, the application must be coded to enable that protection. In addition, many applications, such as the PAM modules available for authenticating with a Kerberos password, do not use ticket-based authentication. Instead they send a password over the network (hopefully encrypted) and verify it on the server side by asking the KDC for a TGT and then decrypting that TGT. This is where a MITM attack can be mounted against Kerberos. In this case the attacker wants to place himself between the server and the KDC so that he can fool the application server. KDC requests and responses are simple UDP messages, so it is easy for an attacker to produce forged messages that appear to come from the KDC's real IP address. The attack proceeds as follows:
- The attacker chooses a password to use for the account he wants to gain access to.
- The attacker then sets up a program that listens for requests on the network and watches for a client asking for a TGT for user A. When it sees such a request, the program sends a TGT response back to the requester, encrypted with the chosen password.
- The attacker then logs in to the server as username A with the chosen password. At that moment the program sends the server a TGT encrypted with the password the attacker chose instead of the real one.
- If the server receives the forged response first, it successfully decrypts the TGT with the matching password.
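The password-verification attack just described, beside the keytab check that defeats it, as an added simulation that is not code from this report or from any Kerberos implementation. The HMAC-based "encryption", the principal host/app.example and the password strings are constructed stand-ins; the point is only which party can produce a message that decrypts under which key.

```python
import hashlib, hmac, json, os

# Toy authenticated "encryption" (HMAC tag + payload): models who can produce a
# message that decrypts under a given key. It is not Kerberos cryptography.
def seal(key, obj):
    payload = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def unseal(key, blob):
    tag, payload = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return None  # wrong key: "decryption" fails
    return json.loads(payload)

def string_to_key(password):  # stand-in for the Kerberos string-to-key function
    return hashlib.sha256(password.encode()).digest()

# Constructed key material: the KDC database and the application server's keytab.
KRBTGT_KEY = os.urandom(32)
USER_A_KEY = string_to_key("real-password-of-A")
SERVICE = "host/app.example"           # hypothetical server principal
KEYTAB = {SERVICE: os.urandom(32)}     # host key held only by the KDC and the server

def real_kdc_as_rep(user):
    """Genuine AS-REP: a TGT under the krbtgt key, wrapped under the user's key."""
    tgt = seal(KRBTGT_KEY, {"user": user, "session": "s1"})
    return seal(USER_A_KEY, {"tgt": tgt.hex()})

def real_kdc_tgs_rep(tgt_hex, service):
    """Genuine TGS exchange: refuses a TGT it cannot decrypt, else issues a service ticket."""
    if unseal(KRBTGT_KEY, bytes.fromhex(tgt_hex)) is None:
        return None
    return seal(KEYTAB[service], {"service": service})

def forged_as_rep(chosen_password):
    """The injected reply from the text: an AS-REP sealed under a password the attacker chose."""
    fake_tgt = seal(os.urandom(32), {"user": "A", "session": "x"})
    return seal(string_to_key(chosen_password), {"tgt": fake_tgt.hex()})

def verify_naive(as_rep, password):
    """Flawed check: success means only that the AS-REP decrypts with the password."""
    return unseal(string_to_key(password), as_rep) is not None

def verify_with_keytab(as_rep, password, tgs_exchange, service=SERVICE):
    """Hardened check: use the TGT to obtain a ticket for our own service and decrypt it with the keytab key."""
    enc_part = unseal(string_to_key(password), as_rep)
    if enc_part is None:
        return False
    service_ticket = tgs_exchange(enc_part["tgt"], service)
    return service_ticket is not None and unseal(KEYTAB[service], service_ticket) is not None
```

The forged reply passes verify_naive but fails verify_with_keytab whether the genuine KDC answers the TGS request (it cannot decrypt the fake TGT) or the attacker answers it (he lacks the host key).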
To prevent this attack, the server must take its own host service key from its keytab and then request a service ticket from the KDC using the TGT it has just obtained on behalf of the user. Only the server and the KDC know the host's service key, so an outside attacker cannot create a forged message and the account is denied access.

4. Firewall, NAT and Kerberos
Because Kerberos relies heavily on DNS working correctly and on protocols that embed IP addresses, firewalls and NAT affect it. The most common setup has the client machines outside a corporate firewall, with the KDCs and application servers inside it. For the outside clients to obtain tickets for the Kerberos realm, some ports must be opened through the firewall to your KDCs.

Kerberos Network Ports
Machine | Local port (server) | Remote port (client) | Description
All KDCs | 88/udp | above 1024 | Kerberos 5 ticket service
All KDCs | 88/tcp | above 1024 | Kerberos 5 ticket service
Master/Administrative KDC | 749/tcp | above 1024 | Kerberos 5 administration service (MIT and Heimdal)
Master/Administrative KDC | 464/udp | above 1024 | Kerberos 5 password changing service (older password-changing protocol)

In fact only one port needs to be open for the Kerberos system to work: port 88. The other ports can be opened to provide the remaining services to clients outside the firewall.

Kerberos and NAT
[Figure: KDC and application server behind a firewall, with clients using NAT]


Network Address Translation, or NAT, lets many computers share a single IP address. In a NAT setup, the client machines behind the NAT device have private, non-routable IP addresses. NAT poses a problem for Kerberos because ticket requests contain the requester's IP address. When a client behind NAT requests a ticket, the IP address it supplies to the KDC is not routable. Because the client's private address does not match the NAT device's public address, Kerberized services will not accept any ticket issued to that client.

Example (the figure above):
- The NAT device has the public IP address 132.68.153.28.
- The internal network uses the RFC 1918 range 192.168.1.0 to 192.168.1.255.
- A client behind the NAT, with IP address 192.168.1.2, requests a TGT from the KDC inside the firewall.
- The TGT is valid for the client address 192.168.1.2, which does not match the NAT address 132.168.153.28, so the client's request is refused.

Using tickets with no address field (to support NAT devices) reduces security: an attacker who obtains a copy of the ticket cache can mount a replay attack more easily.

Auditing
Even if you are confident that your computers are safe from outside attack, you still need to monitor KDC activity regularly. Depending on the KDC vendor, the amount of logging enabled by default ranges from none (the default configuration of Windows 2000) to a great deal (MIT and Heimdal). Logging in the KDC implementation is not only there for monitoring; it also plays a troubleshooting role throughout the operation of a Kerberos system.

Windows domain controllers
[Screenshots: a user logging on to a Windows Domain Controller running Windows Server 2008; domain CUONG.NET, client name admin, inspected with the Kerbtray and Klist tools]
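The three service-side checks from the replay section (ticket address field, the 5-minute authenticator window, the replay cache) together with the NAT failure from the example above, as an added simulation that is not code from this report or from any Kerberos implementation. The service clock, the client name admin@CUONG.NET and the ticket and authenticator contents are constructed.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # tolerance the text describes

class KerberizedService:
    """Toy model of the checks a Kerberized service makes on a ticket + authenticator."""

    def __init__(self, now):
        self.now = now             # service clock, injected so runs are deterministic
        self.replay_cache = set()  # authenticators recently accepted (Kerberos v5)

    def verify(self, ticket, authenticator, client_addr):
        """Return (accepted, reason); ticket and authenticator are constructed dicts."""
        addrs = ticket["addresses"]
        if addrs and client_addr not in addrs:   # 1. address field (empty = any address)
            return False, "address %s not listed in ticket" % client_addr
        ts = authenticator["timestamp"]
        if abs(self.now - ts) > MAX_SKEW:        # 2. time-based authenticator
            return False, "clock skew exceeds 5 minutes"
        seen = (authenticator["client"], ts, authenticator["usec"])
        if seen in self.replay_cache:            # 3. replay cache
            return False, "authenticator already seen (replay)"
        self.replay_cache.add(seen)
        return True, "ok"

def run_scenarios():
    now = datetime(2024, 1, 1, 12, 0, 0)  # constructed service clock
    svc = KerberizedService(now)
    auth = {"client": "admin@CUONG.NET", "timestamp": now, "usec": 1}
    nat_ticket = {"addresses": ["192.168.1.2"]}  # ticket bound to the private address
    any_ticket = {"addresses": []}               # addressless ticket (the NAT workaround)
    results = {}
    # Client behind NAT: the service sees the NAT's public address, not 192.168.1.2.
    results["nat"] = svc.verify(nat_ticket, auth, "132.68.153.28")
    # Addressless ticket: accepted, but now any holder of the ticket could present it.
    results["addressless"] = svc.verify(any_ticket, auth, "132.68.153.28")
    # The very same authenticator presented again inside the window: replay cache.
    results["replay"] = svc.verify(any_ticket, auth, "132.68.153.28")
    # Fresh authenticator whose timestamp is 6 minutes old: skew check.
    old = {"client": "admin@CUONG.NET", "timestamp": now - timedelta(minutes=6), "usec": 2}
    results["stale"] = svc.verify(any_ticket, old, "132.68.153.28")
    return results

if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print("%-11s %s: %s" % (name, "ACCEPT" if ok else "REJECT", why))
```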


IX. Advantages and disadvantages of the protocol

Advantages
- Kerberos is a cryptographic authentication protocol for computer networks operating over insecure links; it is the default protocol in Windows, Mac OS and Unix and is regarded as a secure protocol.
- The password is never sent directly over the network, which greatly limits attacks.
- The protocol uses strong encryption standards such as Triple DES, RC4 and AES, so it is very secure.
- With single sign-on the user logs in once, limiting attacks that cause data loss.
- A stolen ticket is very hard to reuse.
- Instead of sending the original password information over the network, Kerberos uses encrypted tickets to prove the identity of both the user and the server: the system authenticates the user, and the user in turn authenticates the server.

Disadvantages
- The whole system depends on the security of the KDC: if the KDC is compromised, every component of the system is paralysed. The KDC is the main target of attack.
- All computers in the system must be time-synchronized (no more than 5 minutes apart).
- With single sign-on on one machine, if that machine falls into the attackers' hands, all of the user's data is stolen and the whole system is endangered.

X. Trust Relationship
A trust relationship is a logical link established between domain systems that lets the authentication mechanism of one domain be inherited by the other. Trust relationships solve the single sign-on problem: the user logs on and is authenticated once for all activity across the domains, and a service deployed in one domain can be accessed by users of another domain. A trust relationship involves two domains: the domain that is trusted is called the trusted domain, and the domain that trusts the other is called the trusting domain. The trust relationship ensures that objects (users, applications or programs) created in the trusted domain can be authenticated to log on or to access resources and services in the trusting domain. Windows supports up to 6 kinds of trust relationship, with different properties and uses; this section explains the properties and uses of each kind so that they can be deployed sensibly.


Kinds of trust relationship
A trust relationship on Windows Server 2003 has 3 properties:
- Explicit or implicit
- Transitive or non-transitive
- Trust direction
There are 6 kinds of trust relationship:
- Tree/root trust
- Parent/child trust
- Shortcut trust
- Realm trust
- External trust
- Forest trust
For users of one domain to access resources on servers in another domain (the domains having a trust relationship with each other), the domain systems must all use the Kerberos authentication protocol to authenticate those users.

