web access of kerberized servicescs701/old/2004-05/projects/g8.pdf · certificate verify (cv)...
TRANSCRIPT
![Page 1: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/1.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Web Access Of Kerberized Services
Aniket P Kate, Sapna Jain, Kriti Puniyani
Oct 31, 2004Under the Guidance Of
Prof. G. Sivakumar
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 2: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/2.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Kerberos
Kerberos is a network authentication protocol that lets clients andservers reliably verify each others identities before establishing anetwork connection.
Centralized Authentication System It authenticates users toservers and servers to users.
Provides Single Sign-on User has to log on to the Kerberos serveronly once and can then access all Kerberized serviceswithout repeated authentication.
Authentication Server (AS) AS authenticates the user and createsa Ticket Granting Ticket (TGT).
Ticket Granting Server (TGS) Once the user acquires a TGT, theTGS creates tickets for the requested service.Using that ticket, the user can access the Kerberizedservice.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 3: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/3.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Kerberos
Kerberos is a network authentication protocol that lets clients andservers reliably verify each others identities before establishing anetwork connection.
Centralized Authentication System It authenticates users toservers and servers to users.
Provides Single Sign-on User has to log on to the Kerberos serveronly once and can then access all Kerberized serviceswithout repeated authentication.
Authentication Server (AS) AS authenticates the user and createsa Ticket Granting Ticket (TGT).
Ticket Granting Server (TGS) Once the user acquires a TGT, theTGS creates tickets for the requested service.Using that ticket, the user can access the Kerberizedservice.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 4: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/4.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Kerberos
Kerberos is a network authentication protocol that lets clients andservers reliably verify each others identities before establishing anetwork connection.
Centralized Authentication System It authenticates users toservers and servers to users.
Provides Single Sign-on User has to log on to the Kerberos serveronly once and can then access all Kerberized serviceswithout repeated authentication.
Authentication Server (AS) AS authenticates the user and createsa Ticket Granting Ticket (TGT).
Ticket Granting Server (TGS) Once the user acquires a TGT, theTGS creates tickets for the requested service.Using that ticket, the user can access the Kerberizedservice.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 5: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/5.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Kerberos
Kerberos is a network authentication protocol that lets clients andservers reliably verify each others identities before establishing anetwork connection.
Centralized Authentication System It authenticates users toservers and servers to users.
Provides Single Sign-on User has to log on to the Kerberos serveronly once and can then access all Kerberized serviceswithout repeated authentication.
Authentication Server (AS) AS authenticates the user and createsa Ticket Granting Ticket (TGT).
Ticket Granting Server (TGS) Once the user acquires a TGT, theTGS creates tickets for the requested service.Using that ticket, the user can access the Kerberizedservice.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 6: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/6.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Kerberos
Kerberos is a network authentication protocol that lets clients andservers reliably verify each others identities before establishing anetwork connection.
Centralized Authentication System It authenticates users toservers and servers to users.
Provides Single Sign-on User has to log on to the Kerberos serveronly once and can then access all Kerberized serviceswithout repeated authentication.
Authentication Server (AS) AS authenticates the user and createsa Ticket Granting Ticket (TGT).
Ticket Granting Server (TGS) Once the user acquires a TGT, theTGS creates tickets for the requested service.Using that ticket, the user can access the Kerberizedservice.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 7: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/7.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of Kerberos Protocol
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 8: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/8.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Secure Socket Layer (SSL)
Securing Web Communication Secure Sockets Layer is a protocoldeveloped by Netscape for transmitting data securelyvia the Internet.
Provides Authentication The SSL security protocol provides dataencryption, server authentication, message integrity,and optional client authentication for a TCP/IPconnection.
Uses Certificates SSL uses public key cryptography, in particularcertificates for authentication, and secret keycryptography to provide confidentiality and integrityof message.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 9: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/9.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Secure Socket Layer (SSL)
Securing Web Communication Secure Sockets Layer is a protocoldeveloped by Netscape for transmitting data securelyvia the Internet.
Provides Authentication The SSL security protocol provides dataencryption, server authentication, message integrity,and optional client authentication for a TCP/IPconnection.
Uses Certificates SSL uses public key cryptography, in particularcertificates for authentication, and secret keycryptography to provide confidentiality and integrityof message.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 10: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/10.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Secure Socket Layer (SSL)
Securing Web Communication Secure Sockets Layer is a protocoldeveloped by Netscape for transmitting data securelyvia the Internet.
Provides Authentication The SSL security protocol provides dataencryption, server authentication, message integrity,and optional client authentication for a TCP/IPconnection.
Uses Certificates SSL uses public key cryptography, in particularcertificates for authentication, and secret keycryptography to provide confidentiality and integrityof message.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 11: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/11.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Secure Socket Layer (SSL)
Securing Web Communication Secure Sockets Layer is a protocoldeveloped by Netscape for transmitting data securelyvia the Internet.
Provides Authentication The SSL security protocol provides dataencryption, server authentication, message integrity,and optional client authentication for a TCP/IPconnection.
Uses Certificates SSL uses public key cryptography, in particularcertificates for authentication, and secret keycryptography to provide confidentiality and integrityof message.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 12: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/12.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of SSL Protocol
Client Hello (CH)
Server Hello (SH)
Server Certificate (SC)
Server Certificate Request (SCR)
Client Certificate (CC)
Client Key Exchange (CKE)
Certificate Verify (CV)
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 13: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/13.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of SSL Protocol
Client Hello (CH)
Server Hello (SH)
Server Certificate (SC)
Server Certificate Request (SCR)
Client Certificate (CC)
Client Key Exchange (CKE)
Certificate Verify (CV)
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 14: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/14.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of SSL Protocol
Client Hello (CH)
Server Hello (SH)
Server Certificate (SC)
Server Certificate Request (SCR)
Client Certificate (CC)
Client Key Exchange (CKE)
Certificate Verify (CV)
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 15: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/15.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of SSL Protocol
Client Hello (CH)
Server Hello (SH)
Server Certificate (SC)
Server Certificate Request (SCR)
Client Certificate (CC)
Client Key Exchange (CKE)
Certificate Verify (CV)
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 16: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/16.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of SSL Protocol
Client Hello (CH)
Server Hello (SH)
Server Certificate (SC)
Server Certificate Request (SCR)
Client Certificate (CC)
Client Key Exchange (CKE)
Certificate Verify (CV)
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 17: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/17.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of SSL Protocol
Client Hello (CH)
Server Hello (SH)
Server Certificate (SC)
Server Certificate Request (SCR)
Client Certificate (CC)
Client Key Exchange (CKE)
Certificate Verify (CV)
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 18: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/18.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
KerberosSSL Protocol
Overview of SSL Protocol
Client Hello (CH)
Server Hello (SH)
Server Certificate (SC)
Server Certificate Request (SCR)
Client Certificate (CC)
Client Key Exchange (CKE)
Certificate Verify (CV)
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 19: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/19.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Need for Web based Access to Kerberized servicesProblem Definition
Need for Web based Access to Kerberized services
If you have a distributed system with multiple services beingoffered, using the single sign-on capability and security provided byKerberos, then such services cannot be accessed securely over theinternet.
IIT system is Kerberized - print service, mail service, NFS
Professor Siva wants to access tutorials on his NFS directory,set a question paper, and print it (and also check his mailsimultaneously) from outside the campus.
Allowing access to the Kerberized services directly over theinternet will compromise the security in Kerberos.
SSL is almost universally used for secure web transactions.
Hence we aim to use SSL to provide secure web based accessto Kerberized services.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 20: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/20.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Need for Web based Access to Kerberized servicesProblem Definition
Problem Definition
We aim to provide support for secured Web-based access toKerberized services, where SSL will be used for secure connectionbetween the client and the web server.
However, SSL provides authentication using public key credentials,while Kerberos utilises tickets for the same.
Hence, we need a bridge between the secure Web communicationusing SSL and the secure Intranet authentication using Kerberos.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 21: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/21.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Need for Web based Access to Kerberized servicesProblem Definition
Problem Definition
We aim to provide support for secured Web-based access toKerberized services, where SSL will be used for secure connectionbetween the client and the web server.
However, SSL provides authentication using public key credentials,while Kerberos utilises tickets for the same.
Hence, we need a bridge between the secure Web communicationusing SSL and the secure Intranet authentication using Kerberos.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 22: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/22.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Need for Web based Access to Kerberized servicesProblem Definition
Problem Definition
We aim to provide support for secured Web-based access toKerberized services, where SSL will be used for secure connectionbetween the client and the web server.
However, SSL provides authentication using public key credentials,while Kerberos utilises tickets for the same.
Hence, we need a bridge between the secure Web communicationusing SSL and the secure Intranet authentication using Kerberos.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 23: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/23.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Need for Web based Access to Kerberized servicesProblem Definition
Problem Definition
We aim to provide support for secured Web-based access toKerberized services, where SSL will be used for secure connectionbetween the client and the web server.
However, SSL provides authentication using public key credentials,while Kerberos utilises tickets for the same.
Hence, we need a bridge between the secure Web communicationusing SSL and the secure Intranet authentication using Kerberos.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 24: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/24.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Related Work
Web Server impersonating Client
1 Client will provide kerberos identity and password to webserver through SSL.
2 Web server will do the authentication for client at theKerberos server.
3 Then client will request for the required Kerberized servicealong with parameters.
4 The Web server impersonating the user will acquire theservice ticket, and provide the service to the user.
Risk Involved
This gives unlimited power to Web Server to impersonate users,which is a significant security risk.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 25: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/25.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Related Work
Web Server impersonating Client
1 Client will provide kerberos identity and password to webserver through SSL.
2 Web server will do the authentication for client at theKerberos server.
3 Then client will request for the required Kerberized servicealong with parameters.
4 The Web server impersonating the user will acquire theservice ticket, and provide the service to the user.
Risk Involved
This gives unlimited power to Web Server to impersonate users,which is a significant security risk.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 26: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/26.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Related Work Contd...
Plugin on client side
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 27: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/27.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Design Criteria
The following points are hence taken into consideration during thedesign:
1 Use existing security infrastructure and mechanisms forauthentication and authorization.
2 Restrict and Control Web Server actions throughauthorization mechanisms.
3 Use off-the-shelf software as much as possible, and modify theWeb Server, rather than the browser.
4 Added features should not require additional user interaction,providing transparent access to resources.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 28: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/28.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Our Proposed Solution - Kerberos Credential Translator
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 29: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/29.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Kerberos Credential Translator
Backend services use Kerberos for authentication, while the WebServer uses SSL with Public key cryptography for the same.We use a Kerberos Credential Translator (KCT), that translatesPK credentials of the user into a Kerberos service ticket.
Process
The user is authenticated by the Web Server using SSL andhis public key credentials.
The Web server gives the proof of authentication to the KCT.
The KCT authenticates both the Web server and the user.
The KCT then provides the corresponding Kerberos serviceticket for the user to the Web server.
Using the ticket provided, the Web server can access theKerberized service, and provide it to the user.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 30: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/30.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Collaboration Diagram
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 31: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/31.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Activity Diagram 1
Authentication Server Web Server TGS
Request Ticket Granting Ticket
Check Identity
Issue TGT and Session Key
Request Service Ticket for KCT
Check TGT
Check Identity
Issue ST for KCT
Access KCT
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 32: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/32.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Design CriteriaCollaboration DiagramActivity Diagram
Activity Diagram 2
Browser (Client) Web Server KCT
Request Kerberized Service
Receive Request
Check Type
Validate User
Validate Request
Send Ticket for Service
Call Kerberized Service
Receive Service
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 33: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/33.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Kerberized Credential Translator(KCT) Design
The KCT accepts the transcript of the SSL handshake from theWeb server along with the Web Server’s KCT-ticket and theservice for which a ticket is required by the client, and performsthe foll. steps:
1 Validate user and server certificates.
2 Verify client signature by recomputing the hash of thehandshake.
3 Verify that the server certificate identity matches the Kerberosidentity.
4 Check the timestamp to ensure the time validity.
5 Generate a service ticket for the user.
6 Encrypt the service ticket using server’s session key.
7 Return the encrypted ticket to the webserver.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 34: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/34.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Writing a module for Apache
1 A function called hook type-checker is written to check ifincoming request should be handled by the module.
2 Define various hook functions that are called for theprocessing of various events of the module.
3 Define a module data structure that defines the interactionbetween the http core, and the module.
4 Register all hooks within the module with the http core sothat they are visible and accessible to other modules.
5 Define configuration parameters for the module.
6 Compile the module, and integrate it with Apache using apxsto register the module in httpd.conf, and move the object intothe Apache lib directory.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 35: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/35.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Web Server Design : Modification of Apache Code
Addition of module : kct mod
Status : Experimental
Modules with which it will interact: http config.h, http core.h, http log.h
Module Data Structure: kct mod ( glue between the httpd core and themodule )
module AP MODULE DECLARE DATA kct mod = {STD20 MODULE STUFF, /*defines config parameters*/NULL, /*create per-dir config struct*/NULL, /*merge per-dir config struct*/NULL, /*create per-server config struct*/NULL, /*merge per-server config struct*/kct mod config cmds, /*config directives table*/kct mod register hooks /*register hooks*/};
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 36: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/36.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Hook Functions Defined
kct service ticket() :
1 if (!TGT) kct server authenticate()2 if (!KCT-ticket) kct access()3 get transcript of user authentication from file4 send transcript, service request, and KCT-ticket to
KCT5 receive service ticket from KCT and store in a file
kct server authenticate() :
1 authenticate self to AS2 get TGT from AS and store in file
kct access() :
1 send TGT to TGS, and request for KCT access ticket2 get KCT-ticket from TGS and store in file
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 37: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/37.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Configuration And Registration
Register Hooks Define a kct mod register hooks() function
Hook type-checker Checks if incoming request is for a kerberizedservice. Defined as a kct mod method handler
Configuration Parameters Defined in kct mod config cmds
1 kerberized=TRUE2 address-of-KDC3 address-of-TGS4 address-of-KCT
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 38: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/38.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
OpenSSL Library
1 The SSL protocol has to maintain a transcript of theHandshake.
2 Hence the OpenSSL library has to be modified to keep trackof incoming and outgoing handshake messages, and copythem into a transcript file.
3 This is a minor modification to the library.4 The transcript contains:
client hello and server hello messagesserver certificate and server hello done messagesclient certficate and client key exchangecertificate verify message
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 39: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/39.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Implementation Plan
Implement the Kerberised Credential Translator(KCT)modules as defined in the design.
Implement the kct mod module designed for adding KCTsupport to the Apache Web Server, as explained.
Modify the OpenSSL Library to be able to record thetranscript of the SSL handshake in a file.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 40: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/40.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Conclusions
Thus, we designed a system for providing secure Web basedaccess to Kerberized services.
The Kerberos and SSL protocols were studied, and theprotocol was designed for our system.
A detailed interface has been designed for both the ApacheWeb server, and the Kerberized Credential Translator.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 41: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/41.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
References
Apache Software Foundation.Apache web server http://www.apache.org.
P. Dousti.Project minotaur: Kerberizing the web.Software at Carnegie Mellon University.
Olga Kornievskaia.Symmetric and Asymmetric Authentication.PhD thesis, Computer Science and Engineering at Universityof Michigan, June 2002.
Olga Kornievskaia, Peter Honeyman, Bill Doster, and KevinCoffman.Kerberized credential translation: A solution to web accesscontrol.
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 42: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/42.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Analysis of SSL Performance
Workload Cost Of Operation
CPU Freq. Trace Apache (ops) Apache+SSL(ops) RSA (%)
500 MHz e-com 1370 147 58
500 MHz data 610 149 23
933 MHz e-com 2200 261 57
933 MHz data 885 259 20
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services
![Page 43: Web Access Of Kerberized Servicescs701/old/2004-05/Projects/G8.pdf · Certificate Verify (CV) Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services. Introduction](https://reader035.vdocuments.mx/reader035/viewer/2022070822/5f246931a0a12a531371406d/html5/thumbnails/43.jpg)
IntroductionProblem Definition
Protocol DesignInterface Design
Kerberized Credential Translator(KCT) DesignApache Web Server DesignOpenSSL ModificationsConclusion & References
Throughput of the Apache Web Server
Aniket P Kate, Sapna Jain, Kriti Puniyani Web Access Of Kerberized Services