DOCSLIB.ORG

Data Source Kerberos / Oauth on the Wire Explaining Kerberos Constrained Delegation with Protocol Transition and Oauth for Data Source Single Sign On

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Data Source Kerberos / Oauth on the Wire Explaining Kerberos Constrained Delegation with Protocol Transition and Oauth for Data Source Single Sign On Welcome 1 8 B I - 11 3 Data Source Kerberos / oAuth On the Wire Explaining Kerberos Constrained Delegation with Protocol Transition and Oauth for Data Source Single Sign On John Kew Speaker Name (if needed) Manager / Connectivity Job Title Tableau Company / Org Name Explaining Kerberos Constrained Delegation with Protocol Transition And oAuth for Data Source Single Sign On Everyone dreams of SSO via anything but Kerberos Agenda Server settings SQL Server impersonation User filters and data source filters Run as user oAuth connections Enable Kerberos delegation User Filters and Data Source Filters Run as User Oauth (and SAML) Why Kerberos? Two-Factor Auth Trust Constrained Delegation Introducing Bagel DB Bageld—Bagel Database of the Future /* Bageld - A system for the organization, storage, and retrieval of Bagel information John V. Kew Assignment 2 CPEx317 w/ Dr. Nico Winter, 2002 This program sets up a decision tree for the organization of bagel information. The program will use a database file in the local directory called "bagels.db" - If this file does not exist, it will create it so that bagel information can be added. Files: bageld.c bageld.h string.c string.h Compilation: Use cmake Usage: ./bageld [bagel database] [optional: kerberos keytab] Without a database, the program will first ask you for a bagel type. Then begin filling the database with Caleb bagels, Monkey bagels, and Toast bagels. All answers are of "yes", "no", [Bagel Name], or a question about a bagel. */ Bageld—Bagel Database of the Future Bagels + Kerberos = Enterprise Single Hop Kerberos with Bagel DB Casting Call Narrator: John Kew Alice the Bagel Database: Jason Burns Microsoft Bob the Active Directory Server: <INSERT YOU> Eve the Bagel Database Client: <INSERT YOU> Single Hop Kerberos: The Setup Narrator: A bagel shop. Alice the Bagel Database is happily responding to requests from customers about all the different types of bagels. But Alice doesn’t just trust anyone… Microsoft Bob ( to Alice): You have your service key right? Without it I can’t vouch for anyone wanting to access your bagel database. Alice: Yeah; totally, my Domain Administrator set me up for Kerberos Authentication. I’ll trust the people you trust. (Eve walks into the bagel shop) Review: Who Knows What? Client (Eve) knows her password (Often in keytab) Database Service (Alice) knows her password (Often in keytab) Active Directory / KDC knows everything (Often in LDAP) Authentication Service: Getting a Ticket Granting Ticket (TGT) Eve: Hey Bob; you know me right? Here’s my username Authentication Service: Getting a Ticket Granting Ticket (TGT) Microsoft Bob: Yeah; the username is legit; here’s a secret message containing a special decoder ring that only you can use. We will use that as our shared decoder ring for future messages. Keep that around, at least for 24 hours. That little key is as good as my word; but if you are who you say you are only you should be able to read this. Authentication Service: Getting a Ticket Granting Ticket (TGT) Authentication Service Login (Client Side) jaas.conf direct.SingleHopBageldClient { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true }; Login.scala ////////////////////////////////////////////////////////////////////////////////// // Authenticate against the KDC using JAAS. def login(username: String, password: String) = { val loginCtx: LoginContext = new LoginContext(configName, new LoginCallbackHandler(username, password)) loginCtx.login() this.subject = loginCtx.getSubject() } Authentication Service Login (Client Side) Requesting a Service Ticket: Getting a Service Ticket Eve: Thanks Bob; you know I was thinking of starting a transaction with Alice the Bagel Database; you think you could give me a service ticket which I can use to start a transaction? Here is that request encrypted with our cool little decoder ring. Requesting a Service Ticket: Getting a Service Ticket Microsoft Bob: Sure thing; but this ticket is encrypted with Alice’s secret decoder ring. She’s the only one who can read it. Now leave me alone, it’s patch Tuesday and I need some TLC. Requesting a Service Ticket: Getting a Service Ticket Requesting a Service Ticket (Client Side) KerberosClient.scala //////////////////////////////////////////////////////////////////////////////////////////////// // Configure our request for the service TGT println("initializing security context " + subject + " for service " + servicePrincipalName) val gssServerName: GSSName = manager.createName(servicePrincipalName, KRB5_PRINCIPAL_NAME_OID) val context:GSSContext = manager.createContext(gssServerName, KRB5_NAME_OID, null, GSSContext.DEFAULT_LIFETIME) val token: Array[Byte] = new Array[Byte](0) // This is a one pass context initialisation. context.requestMutualAuth(false) context.requestCredDeleg(true) context.requestAnonymity(false) //////////////////////////////////////////////////////////////////////////////////////////////// // Initialize the security context; this is the part that actually // gets the service session setup from the TGS val ticket = context.initSecContext(token, 0, token.length) Wireshark: Authenticating to the Database Eve (to Alice): Hello Bagel Database. Alice: I don’t talk to anyone about bagels unless they have a kerberos ticket. Wireshark: Authenticating to the Database Eve (to Alice): Here’s my kerberos ticket that I got from our friend, Bob. I encoded it in Base64; because I know that’s how you like it. Wireshark: Authenticating to the Database Alice (inspecting and decoding the service ticket): Good news; you are not an intruder! Wireshark: Authenticating to the Database Accepting a Service Ticket (Database Side) bageld.c // Convert from base64 to bytes size_t ticketLength; unsigned char *ticket = base64_decode(input, inputLength, &ticketLength); printf("KERBEROS: B64Decoded %u [%s]\n", (unsigned int) ticketLength, ticket); gss_buffer_desc gbuf; gbuf.length = ticketLength; gbuf.value = ticket; gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; maj_stat = gss_accept_sec_context(&min_stat, &ctx, GSS_C_NO_CREDENTIAL, &gbuf,GSS_C_NO_CHANNEL_BINDINGS,&name, NULL, &outbuf, &gflags, NULL, NULL); free(ticket); switch (maj_stat) { case GSS_S_COMPLETE: authorized = 1; gss_buffer_desc dsp_name; dsp_name.length = 0; dsp_name.value = NULL; gss_display_name( &min_stat, name, &dsp_name, GSS_C_NO_OID ); printf("KERBEROS: accepting GSS security context for: %s\n", (char *)(dsp_name.value)); break; Review: Tickets and Keys Exchanged Session key: Used to securely exchange messages between a client and active directory Ticket granting ticket (TGT): Contains the session key to the client from active directory Service ticket (TGS): Contains the session key for communication between the client and a service (database). This can only be decrypted by the service Constrained Delegation with Protocol Transition Constrained Delegation with Protocol Transition Eve: So here’s the problem Bob. I can talk to Alice no problem, but my friend Fred is allergic to garlic and cannot set foot inside that bagel shop. Is there a way for me to ask Alice some questions but make her think she is talking to Fred? Bob: Sure. This is called Kerberos Constrained Delegation. You probably also want protocol transition because Fred cannot just forward his credentials into the Bagel shop. You need to file a service ticket with my domain administrator to set this up. Constrained Delegation with Protocol Transition Constrained Delegation: “Trust this user for delegation to specified services only” Protocol Transition: “Use any authentication protocol" Service for User to Self: S4U2Self Eve: Bob? Can I get a service ticket for myself for Fred? I need to be able to make requests for other services, as if I were Fred. Service for User to Self: S4U2Self Bob: Ahh this is called an Service for User to Self (S4U2Self) call. Yup. Here you go. Service for User to Proxy: S4U2Proxy Eve: Thanks. Ok. Now that I can make requests using this service ticket, can I have a service ticket for Alice on behalf of Fred? Service for User to Proxy: S4U2Proxy Bob: Sure. This is an Service for User to Proxy (S4U2Proxy) call. Yup yup yup. Here you go… Connecting to the Database Normally Eve: Cool. Now I can talk to Alice normally, and Alice will think I’m Fred. Impersonation (Client Side) KerberosClient.scala // Impersonation val gssImpersonateName: GSSName = manager.createName(impersonateName, GSSName.NT_USER_NAME, KRB5_NAME_OID) val self:ExtendedGSSCredential = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, KRB5_NAME_OID, GSSCredential.INITIATE_ONLY).asInstanceOf[ExtendedGSSCredential] println("######### IMPERSONATING: " + gssImpersonateName) self.impersonate(gssImpersonateName).asInstanceOf[ExtendedGSSCredential] Review: Constrained Delegation w/ Protocol Transition Constrained Delegation: Ability to delegate communication to a service to an intermediate entity (Eve, or Tableau Server) Protocol Transition: Ability to initiate impersonation of a user using a Service For User To Self (S4U2Self) call and an Service For User to Proxy (S4U2Proxy) call without the original user’s password being used to retrieve a Ticket Granting Ticket Service Ticket (TGS): Contains the session key for communication between the Client and a Service (Database). This can only be decrypted by the Service Data Source oAuth Tableau Data Source oAuth Implementations Legacy oAuth WDC oAuth GALOP oAuth Next* oAuth oAuth Limitations Designed for Web Applications Requires an Accessible Callback Intermediary Tableau Data Source oAuth Implementations 18BI-113 Thank you! Contact or CTA info goes here RELATED SESSIONS Connecting to Datasources for Tableau Server on Linux Thursday, October 12 | 12:00pm–1:00pm | South—L3—Palm A Safeguard Your Data: Row Level Security Thursday, October 12 | 10:30am–11:30am | South—L2—Mandalay Bay G Help us plan the future https://www.surveymonkey.com/r/tableaudatasurvey Please complete the session survey from the Session Details screen in your TC18 app .
Load more

Recommended publications
  • Raw Slides (Pdf)
    2550 Intro to cybersecurity L5: Distributed Authentication abhi shelat/Ran Cohen Agenda • The problem of distributed authentication • The Needham-Schroeder protocol • Kerberos protocol • Oauth So far: authenticating to a server Mallory Alice Bob Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Authenticating to an organization Mallory Alice Gen pw pw Distributed authentication • Organizations have many entities (users/services) • Secure communication over insecure channels • Password-based authentication • Passwords are never transmitted (except for the setup phase) • Enable mutual authentication Basic tool: symmetric encryption Alice Bob 푚 푚 Eve Basic tool: symmetric encryption • Gen: generates secret key 푘 • Enc: given 푘 and 푚 output a ciphertext 푐 Denote 퐸푛푐푘 푚 , 퐸푘 푚 , 푚 푘 • Dec: given 푘 and 푐 output a message 푚 • Security (informal): Whatever Eve can learn on 푚 given 푐 can be learned without 푐 • Examples: – DES (Data Encryption Standard) – AES (Advanced Encryption Standard) 푚 Authentication from Encryption • Alice and Bob share a key • They communicate over an insecure channel • Alice wants to prove her identity to Bob • Eve’s goal: impersonate Alice Alice Bob 푘퐴퐵 푘퐴퐵 Eve Attempt #1 Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 I am Alice Eve Attempt #2: use the key Alice Bob I am Alice 푘퐴퐵 푘퐴퐵 푘퐴퐵 I am Alice 푘퐴퐵 Replay attack Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 − 1 푘퐴퐵 푘퐴퐵 푘퐴퐵 푘퐴퐵 Nonce: a random number for a one-time use Eve Attempt #3: use nonce Alice I am Alice Bob 푁푎 푘퐴퐵 Pay Eve 500$ 푁푎 −
    [Show full text]
  • The Essential Oauth Primer: Understanding Oauth for Securing Cloud Apis
    THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS WHITE PAPER TABLE OF CONTENTS 03 EXECUTIVE OVERVIEW 03 MOTIVATING USE CASE: TRIPIT 05 TERMINOLOGY 06 INTRODUCTION 07 THE OAUTH 2.0 MODEL 07 OAUTH 2.0 OVERVIEW USING A TOKEN TOKEN TYPE 09 RELATIONSHIP TO OTHER STANDARDS 11 USE CASES TRIPIT REVISITED TOKEN EXCHANGE MOBILE WORKFORCE 13 RECENT DEVELOPMENT 14 SUMMARY 2 WHITE PAPER ESSENTIAL OAUTH PRIMER EXECUTIVE OVERVIEW A key technical underpinning of the cloud and the Internet of Things are Application Programming Interfaces (APIs). APIs provide consistent methods for outside entities such as web services, clients and desktop applications to interface with services in the cloud. More and more, cloud data will move through APIs, but the security and scalability of APIs are currently threatened by a problem call the password anti-pattern. This is the need for API clients to collect and replay the password for a user at an API in order to access information on behalf of that user via that API. OAuth 2.0 defeats the password anti-pattern, creating a consistent, flexible identity and policy architecture for web applications, web services, devices and desktop clients attempting to communicate with cloud APIs. MOTIVATING USE CASE: TRIPIT Like many applications today, TripIt (http://tripit.com) is a cloud-based service. It’s a travel planning application that allows its users to track things like flights, car rentals, and hotel stays. Users email their travel itineraries to TripIt, which then builds a coordinated view of the users’ upcoming trips (as well as those of their TripIt friends—the inevitable social aspect).
    [Show full text]
  • Pluggable Authentication Modules
    Who this book is written for This book is for experienced system administrators and developers working with multiple Linux/UNIX servers or with both UNIX and Pluggable Authentication Windows servers. It assumes a good level of admin knowledge, and that developers are competent in C development on UNIX-based systems. Pluggable Authentication Modules PAM (Pluggable Authentication Modules) is a modular and flexible authentication management layer that sits between Linux applications and the native underlying authentication system. The PAM framework is widely used by most Linux distributions for authentication purposes. Modules Originating from Solaris 2.6 ten years ago, PAM is used today by most proprietary and free UNIX operating systems including GNU/Linux, FreeBSD, and Solaris, following both the design concept and the practical details. PAM is thus a unifying technology for authentication mechanisms in UNIX. This book provides a practical approach to UNIX/Linux authentication. The design principles are thoroughly explained, then illustrated through the examination of popular modules. It is intended as a one-stop introduction and reference to PAM. What you will learn from this book From Technologies to Solutions • Install, compile, and configure Linux-PAM on your system • Download and compile third-party modules • Understand the PAM framework and how it works • Learn to work with PAM’s management groups and control fl ags • Test and debug your PAM confi guration Pluggable Authentication Modules • Install and configure the pamtester utility
    [Show full text]
  • Kerberos: an Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts’O
    Kerberos: An Authentication Service for Computer Networks by Clifford Neuman and Theodore Ts’o Presented by: Smitha Sundareswaran Chi Tsong Su Introduction z Kerberos: An authentication protocol based on cryptography z Designed at MIT under project Athena z Variation of Needham Schroeder protocol - Difference: Kerberos assumes all systems on the network to be synchronized z Similar function as its mythological namesake: “guards” the access to network protocols Contribution z Defines ideas of authentication, Integrity, confidentiality and Authorization z Working of Kerberos z Limitations z Utilities z How to obtain and use Kerberos z Other methods to improve security Why Kerberos? z Foils threats due to eavesdropping z More convenient than password based authentication { Allows user to avoid “authentication by assertion” z Authentication based on cryptography: attacker can’t impersonate a valid user How Kerberos Works z Distributed authentication service using a series of encrypted messages {Password doesn’t pass through the network z Timestamps to reduce the number of messages needed for authentication z “Ticket granting Service” for subsequent authentication Kerberos Authentication and Encryption zAuthentication proves that a client is running on behalf of a particular user zUses encryption key for authentication {Encryption key = Password zEncryption implemented using DES {Checksum included in message checksum and encryption provide integrity & confidentiality The Kerberos Ticket z Initially, client and Server don’t share an encryption
    [Show full text]
  • Feature Description
    NTLM Feature Description UPDATED: 19 March 2021 NTLM Copyright Notices Copyright © 2002-2021 Kemp Technologies, Inc. All rights reserved. Kemp Technologies and the Kemp Technologies logo are registered trademarks of Kemp Technologies, Inc. Kemp Technologies, Inc. reserves all ownership rights for the LoadMaster and Kemp 360 product line including software and documentation. Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912, 7,346,695, 7,287,084 and 6,970,933 kemp.ax 2 Copyright 2002-2021, Kemp Technologies, All Rights Reserved NTLM Table of Contents 1 Introduction 4 1.1 Document Purpose 6 1.2 Intended Audience 6 1.3 Related Firmware Version 6 2 Configure NTLM Authentication 7 2.1 Configure Internet Options on the Client Machine 7 2.2 Configure the LoadMaster 11 2.2.1 Enable NTLM Proxy Mode 13 2.2.2 Configure the Server Side SSO Domain 13 2.2.3 Configure the Client Side SSO Domain 15 2.2.4 Configure the Virtual Service 15 2.3 Configure Firefox to Allow NTLM (if needed) 17 2.4 Troubleshooting 18 References 19 Last Updated Date 20 kemp.ax 3 Copyright 2002-2021, Kemp Technologies, All Rights Reserved NTLM 1 Introduction 1 Introduction NT LAN Manager (NTLM) is a Windows Challenge/Response authentication protocol that is often used on networks that include systems running the Windows operating system and Active Directory. Kerberos authentication adds greater security than NTLM systems on a network and provides Windows-based systems with an integrated single sign-on (SSO) mechanism.
    [Show full text]
  • OK: Oauth 2.0 Interface for the Kerberos V5 Authentication Protocol
    OK: OAuth 2.0 interface for the Kerberos V5 Authentication Protocol James Max Kanter Bennett Cyphers Bruno Faviero John Peebles [email protected] [email protected] [email protected] [email protected] 1. Problem Kerberos is a powerful, convenient framework for user authentication and authorization. Within MIT, Kerberos is used with many online institute services to verify users as part of Project Athena. However, it can be difficult for developers unfamiliar with Kerberos development to take advantage of its resources for use in third-party apps. OAuth 2.0 is an open source protocol used across the web for secure delegated access to resources on a server. Designed to be developer-friendly, OAuth is the de facto standard for authenticating users across sites, and is used by services including Google, Facebook, and Twitter. Our goal with OK Server is to provide an easy way for developers to access third-party services using Kerberos via OAuth. The benefits of this are twofold: developers can rely on an external service for user identification and verification, and users only have to trust a single centralized server with their credentials. Additionally, developers can request access to a subset of Kerberos services on behalf of a user. 2. Implementation overview Our system is composed of two main components: a server (the Kerberos client) to retrieve and process tickets from the MIT KDC, and an OAuth interface (the OAuth server) to interact with a client app (the app) wishing to make use of Kerberos authentication. When using our system, a client application uses the OAuth protocol to get Kerberos service tickets for a particular user.
    [Show full text]
  • Chapter 15-70-411FINAL[1]
    Lesson 15: Configuring Service Authentication MOAC 70-411: Administering Windows Server 2012 Overview • Exam Objective 5.1: Configure Service Authentication • Configuring Service Authentication • Managing Service Accounts © 2013 John Wiley & Sons, Inc. 2 Configuring Service Authentication Lesson 15: Configuring Service Authentication © 2013 John Wiley & Sons, Inc. 3 Authentication • Authentication is the act of confirming the identity of a user or system and is an essential part used in authorization when the user or system tries to access a server or network resource. • Two types of authentication that Windows supports are NT LAN Manager (NTLM) and Kerberos. • Kerberos is the default authentication protocol for domain computers. • NTLM is the default authentication protocol for Windows NT, standalone computers that are not part of a domain, and situations in which you authenticate to a server using an IP address. © 2013 John Wiley & Sons, Inc. 4 Understanding NTLM Authentication • NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. • NTLM is an integrated single sign-on mechanism. • NTLM uses a challenge-response mechanism for authentication in which clients are able to prove their identities without sending a password to the server. © 2013 John Wiley & Sons, Inc. 5 Managing Kerberos Kerberos: • Is a computer network authentication protocol, which allows hosts to prove their identity over a non-secure network in a secure manner. • Can provide mutual authentication
    [Show full text]
  • Security and Performance of Single Sign-On Based on One-Time Pad Algorithm
    cryptography Article Security and Performance of Single Sign-On Based on One-Time Pad Algorithm Maki Kihara *,†,‡ and Satoshi Iriyama ‡ Department of Information Science, Tokyo University of Science, Yamazaki 2641, Noda, Chiba 278-8510, Japan; [email protected] * Correspondence: [email protected] † Research Fellow of Japan Society for the Promotion of Science. ‡ These authors contributed equally to this work. Received: 13 April 2020; Accepted: 9 June 2020; Published: 12 June 2020 Abstract: Single sign-on (SSO) techniques allow access control for multiple systems with a single login. The aim of our study is to construct an authentication algorithm that provides the authentication information of a user to a requester without requiring any specific token, thereby achieving domain-free access control. In this study, we propose an authentication algorithm for SSO based on a verifiable encryption (VE)-based authentication algorithm and implementation. VE is a kind of cryptosystem that allows calculation on cyphertexts, generating an encrypted result, which matches the distance between two plaintexts when decrypting. In our approach, we first construct the mathematical SSO algorithm based on the VE-based algorithm, and then implement the algorithm by applying the one-time pad to the algorithm and using sample data. We also consider robustness against theoretical attacks such as man-in-the-middle attack. In addition to that, our algorithm is robust against the well-known classical and theoretical attacks, the man-in-the-middle attack against the proposed algorithm is also impracticable. Furthermore, with security analysis using Proverif, the algorithm has been shown to be secure. The execution speed is less than 1 ms even with a text length of 8192 bits.
    [Show full text]
  • Vmware Workspace ONE Access 20.01 Managing User Authentication Methods in Vmware Workspace ONE Access
    Managing User Authentication Methods in VMware Workspace ONE Access JAN 2020 VMware Workspace ONE Access 20.01 Managing User Authentication Methods in VMware Workspace ONE Access You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com © Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 2 Contents 1 Configuring Authentication in VMware Workspace ONE Access 5 2 User Auth Service Authentication Methods in Workspace ONE Access 8 Configuring Password (Cloud) Authentication in Workspace ONE Access 9 Configure Password (Cloud) Authentication with Your Enterprise Directory 10 Configuring RSA SecurID (Cloud) For Workspace ONE Access 13 Prepare the RSA SecurID Server 13 Configure RSA SecurID Authentication in Workspace ONE Access 14 Configuring RADIUS for Workspace ONE Access 16 Prepare the RADIUS Server 16 Configure RADIUS Authentication in Workspace ONE Access 16 Enable User Auth Service Debug Logs In Workspace ONE Access Connector 19 3 Configuring Kerberos Authentication In Workspace ONE Access 21 Configure and Enable Kerberos Authentication in Workspace ONE Access 21 Configuring your Browser for Kerberos 23 Configure Internet Explorer to Access the Web Interface 23 Configure Firefox to Access the Web Interface 24 Configure the Chrome Browser to Access the Web Interface 25 Kerberos Initialization Error in Workspace ONE Access 26 4 Associate Workspace ONE Access Authentication Methods
    [Show full text]
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Cloudvision As-A-Service (Cvaas) Quick Start Guide
    CloudVision as-a-Service (CVaaS) Quick Start Guide Arista Networks www.arista.com September 2021 Headquarters Support Sales 5453 Great America Parkway +1 408 547-5502 +1 408 547-5501 Santa Clara, CA 95054 +1 866 476-0000 +1 866 497-0000 USA [email protected] [email protected] +1 408 547-5500 www.arista.com © Copyright 2021 Arista Networks, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of Arista Networks in the United States and other countries. Use of the Marks are subject to Arista Network’s Term of Use Policy, available at www.arista.com/en/terms-of-use. Use of marks belonging to other parties is for informational purposes only. ii Contents Contents 1 CloudVision as-a-Service....................................................................1 1.1 Onboarding at a Glance.........................................................................................................1 1.2 User Onboarding Prerequisites.............................................................................................. 3 1.2.1 Invitation URL........................................................................................................... 3 1.2.2 Authentication Details............................................................................................... 3 1.3 User Onboarding Workflow.................................................................................................... 4 1.3.1
    [Show full text]
  • Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
    iSEC Partners, Inc. – Brad Hill, Principal Consultant Weaknesses and Best Practices of Public Key iSEC Partners, Inc. is Kerberos with Smart Cards a information security firm that specializes in Kerberos V with smart card logon is the “gold standard” of network application, network, authentication for Windows Active Directory networks and interop- host, and product erating systems. Smart cards and Public Key Kerberos are already security. For more widely deployed by governments and large enterprises to protect information about their networks and critical infrastructure, and decreasing prices and iSEC, please refer to an increase in threats against password-based authentication are the Appendix A or making these technologies attractive to even small and medium www.isecpartners.com sized businesses. Unfortunately, network architects, administrators and even experi- enced security professionals tend to place a sort of blind faith in smart cards and Kerberos. The low level details of the protocols and configuration options are little known. Myths and misunder- standings about the limits of these technologies are the norm. This whitepaper will: Give a brief introduction to Kerberos and smart cards Dispel some common myths about smart cards Explore the certificate validation practices of common PKINIT implementations Discuss a practical elevation of privilege exploit possible in common configurations of Windows KDCs Provide step-by-step advice to network architects and administra- tors for securing their smart card deployments While smart cards have definite advantages over passwords, they should be deployed with a realistic understanding of the actual pro- tections they provide. Installations should take advantage of the latest configuration and hardening options available, administrators should continue to audit and work to eliminate outdated protocols like NTLM from their networks, and privileged users should always exercise caution when authenticating to low-integrity workstations, even with a smart card.
    [Show full text]