Data Source Kerberos / OAuth On the Wire: Explaining Kerberos Constrained Delegation with Protocol Transition and OAuth for Data Source Single Sign On
2 Welcome
3 18BI Data Source Kerberos / OAuth On the Wire: Explaining Kerberos Constrained Delegation with Protocol Transition and OAuth for Data Source Single Sign On
John Kew, Manager / Connectivity, Tableau
4 Everyone dreams of SSO via anything but Kerberos
6 Agenda
Server settings
SQL Server impersonation
User filters and data source filters
Run as user
OAuth connections
Enable Kerberos delegation
7 User Filters and Data Source Filters
8 Run as User
9 OAuth (and SAML)
10 Why Kerberos?
11 Two-Factor Auth
12 Trust
13 Constrained Delegation
14 Introducing Bagel DB
15 Bageld: Bagel Database of the Future
/* Bageld - A system for the organization, storage, and retrieval of Bagel information */
John V. Kew, Assignment 2, CPEx317 w/ Dr. Nico Winter, 2002
This program sets up a decision tree for the organization of bagel information. The program will use a database file in the local directory called "bagels.db". If this file does not exist, it will create it so that bagel information can be added.
Files: bageld.c bageld.h string.c string.h
Compilation: Use cmake
Usage: ./bageld [bagel database] [optional: kerberos keytab]
Without a database, the program will first ask you for a bagel type. Then begin filling the database with Caleb bagels, Monkey bagels, and Toast bagels. All answers are of "yes", "no", [Bagel Name], or a question about a bagel.
16 Bageld Bagel Database of the Future Bagels + Kerberos = Enterprise
17 Single Hop Kerberos with Bagel DB
18 Casting Call
Narrator: John Kew
Alice the Bagel Database: Jason Burns
Microsoft Bob the Active Directory Server: <INSERT YOU>
Eve the Bagel Database Client: <INSERT YOU>
19 Single Hop Kerberos: The Setup
Narrator: A bagel shop. Alice the Bagel Database is happily responding to requests from customers about all the different types of bagels. But Alice doesn't just trust anyone.
Microsoft Bob (to Alice): You have your service key, right? Without it I can't vouch for anyone wanting to access your bagel database.
Alice: Yeah; totally, my Domain Administrator set me up for Kerberos Authentication. I'll trust the people you trust.
(Eve walks into the bagel shop)
20 Review: Who Knows What?
Client (Eve) knows her password (often in a keytab)
Database Service (Alice) knows her password (often in a keytab)
Active Directory / KDC knows everything (often in LDAP)
21 Authentication Service: Getting a Ticket Granting Ticket (TGT)
Eve: Hey Bob; you know me, right? Here's my username.
22 Authentication Service: Getting a Ticket Granting Ticket (TGT)
Microsoft Bob: Yeah; the username is legit; here's a secret message containing a special decoder ring that only you can use. We will use that as our shared decoder ring for future messages. Keep that around, at least for 24 hours. That little key is as good as my word; but if you are who you say you are, only you should be able to read this.
23 Authentication Service: Getting a Ticket Granting Ticket (TGT)
24 Authentication Service Login (Client Side)

jaas.conf
direct.singlehopbageldclient {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

Login.scala
import javax.security.auth.login.LoginContext

//////////////////////////////////////////////////////////////////////////////////
// Authenticate against the KDC using JAAS. configName selects the
// "direct.singlehopbageldclient" entry from jaas.conf; LoginCallbackHandler
// hands the username and password to the Krb5LoginModule.
def login(username: String, password: String) = {
  val loginCtx: LoginContext = new LoginContext(configName, new LoginCallbackHandler(username, password))
  loginCtx.login()
  // The Subject now carries the TGT (and the session key) obtained from the AS exchange.
  this.subject = loginCtx.getSubject()
}
25 Authentication Service Login (Client Side)
26 Requesting a Service Ticket: Getting a Service Ticket
Eve: Thanks Bob; you know I was thinking of starting a transaction with Alice the Bagel Database; you think you could give me a service ticket which I can use to start a transaction? Here is that request encrypted with our cool little decoder ring.
27 Requesting a Service Ticket: Getting a Service Ticket
Microsoft Bob: Sure thing; but this ticket is encrypted with Alice's secret decoder ring. She's the only one who can read it. Now leave me alone, it's Patch Tuesday and I need some TLC.
28 Requesting a Service Ticket: Getting a Service Ticket
29 Requesting a Service Ticket (Client Side)

KerberosClient.scala
import org.ietf.jgss.{GSSContext, GSSManager, GSSName, Oid}

// Standard OIDs: the Kerberos V5 mechanism and the Kerberos principal name type.
val KRB5_NAME_OID = new Oid("1.2.840.113554.1.2.2")
val KRB5_PRINCIPAL_NAME_OID = new Oid("1.2.840.113554.1.2.2.1")
val manager: GSSManager = GSSManager.getInstance()

////////////////////////////////////////////////////////////////////////////////////////////////
// Configure our request for the service ticket. This must run inside
// Subject.doAs(subject, ...) so the TGT obtained at login is available; the
// null credential argument means "use the default credential of that Subject".
println("initializing security context " + subject + " for service " + servicePrincipalName)
val gssServerName: GSSName = manager.createName(servicePrincipalName, KRB5_PRINCIPAL_NAME_OID)
val context: GSSContext = manager.createContext(gssServerName, KRB5_NAME_OID, null, GSSContext.DEFAULT_LIFETIME)
val token: Array[Byte] = new Array[Byte](0)

// This is a one pass context initialisation.
context.requestMutualAuth(false)
// Asks the KDC to forward our TGT to the service; only honoured if the service is trusted for delegation.
context.requestCredDeleg(true)
context.requestAnonymity(false)

////////////////////////////////////////////////////////////////////////////////////////////////
// Initialize the security context; this is the part that actually
// gets the service ticket (and session key) from the TGS.
val ticket = context.initSecContext(token, 0, token.length)
30 Wireshark: Authenticating to the Database
Eve (to Alice): Hello Bagel Database.
Alice: I don't talk to anyone about bagels unless they have a Kerberos ticket.
31 Wireshark: Authenticating to the Database
Eve (to Alice): Here's my Kerberos ticket that I got from our friend, Bob. I encoded it in Base64, because I know that's how you like it.
32 Wireshark: Authenticating to the Database
Alice (inspecting and decoding the service ticket): Good news; you are not an intruder!
33 Wireshark: Authenticating to the Database
34 Accepting a Service Ticket (Database Side)

bageld.c
#include <stdio.h>
#include <stdlib.h>
#include <gssapi/gssapi.h>

/* Inside the request handler: input/inputlength hold the Base64 text sent by the client. */
OM_uint32 maj_stat, min_stat, gflags;
gss_name_t name = GSS_C_NO_NAME;
gss_buffer_desc outbuf = GSS_C_EMPTY_BUFFER;
int authorized = 0;

// Convert from base64 to bytes. The result is binary and not NUL-terminated,
// so only the length is printed (printing it with %s would read past the buffer).
size_t ticketlength;
unsigned char *ticket = base64_decode(input, inputlength, &ticketlength);
printf("kerberos: B64Decoded %u bytes\n", (unsigned int) ticketlength);

gss_buffer_desc gbuf;
gbuf.length = ticketlength;
gbuf.value = ticket;

// GSS_C_NO_CREDENTIAL: use the default acceptor credential, i.e. the service key from the keytab.
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
maj_stat = gss_accept_sec_context(&min_stat, &ctx, GSS_C_NO_CREDENTIAL, &gbuf,
                                  GSS_C_NO_CHANNEL_BINDINGS, &name, NULL,
                                  &outbuf, &gflags, NULL, NULL);
free(ticket);

switch (maj_stat) {
case GSS_S_COMPLETE: {
    authorized = 1;
    gss_buffer_desc dsp_name;
    dsp_name.length = 0;
    dsp_name.value = NULL;
    // The client principal comes out of the decrypted ticket; this is the name Alice trusts.
    gss_display_name(&min_stat, name, &dsp_name, GSS_C_NO_OID);
    printf("kerberos: accepting GSS security context for: %.*s\n",
           (int) dsp_name.length, (char *) dsp_name.value);
    gss_release_buffer(&min_stat, &dsp_name);
    break;
}
default:
    // Any other major status means the ticket did not verify under our key.
    authorized = 0;
    break;
}
35 Review: Tickets and Keys Exchanged
Session key: Used to securely exchange messages between a client and Active Directory
Ticket granting ticket (TGT): Contains the session key to the client from Active Directory
Service ticket (TGS): Contains the session key for communication between the client and a service (database). This can only be decrypted by the service
36 Constrained Delegation with Protocol Transition
37 Constrained Delegation with Protocol Transition
Eve: So here's the problem, Bob. I can talk to Alice no problem, but my friend Fred is allergic to garlic and cannot set foot inside that bagel shop. Is there a way for me to ask Alice some questions but make her think she is talking to Fred?
Bob: Sure. This is called Kerberos Constrained Delegation. You probably also want protocol transition, because Fred cannot just forward his credentials into the bagel shop. You need to file a service ticket with my domain administrator to set this up.
38 Constrained Delegation with Protocol Transition
Constrained Delegation: "Trust this user for delegation to specified services only"
Protocol Transition: "Use any authentication protocol"
39 Service for User to Self: S4U2Self
Eve: Bob? Can I get a service ticket for myself, for Fred? I need to be able to make requests for other services as if I were Fred.
40 Service for User to Self: S4U2Self
Bob: Ahh, this is called a Service for User to Self (S4U2Self) call. Yup. Here you go.
41 Service for User to Proxy: S4U2Proxy
Eve: Thanks. Ok. Now that I can make requests using this service ticket, can I have a service ticket for Alice on behalf of Fred?
42 Service for User to Proxy: S4U2Proxy
Bob: Sure. This is a Service for User to Proxy (S4U2Proxy) call. Yup yup yup. Here you go.
43 Connecting to the Database Normally
Eve: Cool. Now I can talk to Alice normally, and Alice will think I'm Fred.
44 Impersonation (Client Side)

KerberosClient.scala
import com.sun.security.jgss.ExtendedGSSCredential
import org.ietf.jgss.{GSSCredential, GSSManager, GSSName}

// Impersonation: the JDK's ExtendedGSSCredential.impersonate performs the
// S4U2Self exchange. Initialising a context to the database with the returned
// credential then triggers S4U2Proxy; the KDC only issues that ticket if this
// account is configured for constrained delegation to the database's SPN.
val gssImpersonateName: GSSName = manager.createName(impersonateName, GSSName.NT_USER_NAME, KRB5_NAME_OID)
val self: ExtendedGSSCredential = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
  KRB5_NAME_OID, GSSCredential.INITIATE_ONLY).asInstanceOf[ExtendedGSSCredential]
println("######### IMPERSONATING: " + gssImpersonateName)
// Named here so it can be passed to createContext for the connection to the database.
val impersonated: ExtendedGSSCredential = self.impersonate(gssImpersonateName).asInstanceOf[ExtendedGSSCredential]
45 Review: Constrained Delegation w/ Protocol Transition
Constrained Delegation: Ability to delegate communication to a service to an intermediate entity (Eve, or Tableau Server)
Protocol Transition: Ability to initiate impersonation of a user using a Service For User To Self (S4U2Self) call and a Service For User to Proxy (S4U2Proxy) call without the original user's password being used to retrieve a Ticket Granting Ticket
Service Ticket (TGS): Contains the session key for communication between the Client and a Service (Database). This can only be decrypted by the Service
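To make the dialogue concrete, here is a constructed Python simulation (added for this write-up, not the talk's code) of the AS, TGS, S4U2Self and S4U2Proxy exchanges, covering both the single-hop section and the constrained-delegation section above. The principal names, the toy HMAC-based "sealing" (a stand-in for Kerberos encryption types), and the KDC's delegation settings (modelled on "allowed to delegate to" and "trusted to authenticate for delegation") are assumptions of the example.

```python
"""Constructed simulation of the talk's Kerberos flows: AS (TGT), TGS (service
ticket), then S4U2Self + S4U2Proxy. Sealing is HMAC-SHA256 keystream + tag,
a toy stand-in for real Kerberos encryption types (RFC 3961)."""
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object; only a holder of `key` can open it."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key: cannot read this ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def can_unseal(key, blob):
    try:
        unseal(key, blob)
        return True
    except PermissionError:
        return False


class KDC:
    """Microsoft Bob: holds every principal's long-term key and the delegation settings."""

    def __init__(self, keys, allowed_to_delegate_to, trusted_to_auth_for_delegation):
        self.keys = keys                        # principal -> long-term key (password / keytab)
        self.krbtgt = os.urandom(32)            # seals TGTs; known only to the KDC
        self.a2d2 = allowed_to_delegate_to      # principal -> SPNs it may delegate to (constrained)
        self.t2a4d = trusted_to_auth_for_delegation  # principals allowed protocol transition

    def as_req(self, client):
        """AS exchange: TGT sealed under krbtgt, reply sealed under the client's own key."""
        sk = os.urandom(32).hex()
        return (seal(self.krbtgt, {"client": client, "session_key": sk}),
                seal(self.keys[client], {"session_key": sk}))

    def tgs_req(self, tgt, authenticator, service, for_user=None, evidence=None):
        """Plain TGS: ticket names the requester. S4U2Self: ticket to the requester
        naming for_user. S4U2Proxy: evidence ticket becomes a ticket to `service`."""
        t = unseal(self.krbtgt, tgt)
        if unseal(bytes.fromhex(t["session_key"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        requester, client_in_ticket, forwardable = t["client"], t["client"], False
        if for_user is not None:                                    # S4U2Self
            if service != requester:
                raise PermissionError("S4U2Self must target the requester itself")
            client_in_ticket = for_user
            forwardable = requester in self.t2a4d                   # protocol transition flag
        elif evidence is not None:                                  # S4U2Proxy
            ev = unseal(self.keys[requester], evidence)
            if not ev["forwardable"]:
                raise PermissionError("evidence ticket not forwardable")
            if service not in self.a2d2.get(requester, set()):
                raise PermissionError("requester may not delegate to " + service)
            client_in_ticket = ev["client"]
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client_in_ticket, "service": service,
                                           "session_key": sk, "forwardable": forwardable})
        return ticket, seal(bytes.fromhex(t["session_key"]), {"session_key": sk})


class Service:
    """Alice: like gss_accept_sec_context, opens the ticket with her own key and
    trusts whatever client name the KDC put inside."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket):
        t = unseal(self.key, ticket)
        if t["service"] != self.name:
            raise PermissionError("ticket was issued for another service")
        return t["client"]


def run_demo(protocol_transition=True):
    """Returns (who Alice sees on the single hop, who she sees after delegation)."""
    keys = {"eve": os.urandom(32), "fred": os.urandom(32), "bageld/alice": os.urandom(32)}
    kdc = KDC(keys, {"eve": {"bageld/alice"}}, {"eve"} if protocol_transition else set())
    alice = Service("bageld/alice", keys["bageld/alice"])
    tgt, enc_part = kdc.as_req("eve")                       # only Eve can read enc_part
    eve_sk = bytes.fromhex(unseal(keys["eve"], enc_part)["session_key"])
    authn = lambda: seal(eve_sk, {"client": "eve"})         # authenticator under the session key
    st, _ = kdc.tgs_req(tgt, authn(), "bageld/alice")
    single_hop = alice.accept(st)                           # Eve herself cannot read st
    self_ticket, _ = kdc.tgs_req(tgt, authn(), "eve", for_user="fred")  # Fred never logs in
    try:
        proxy_ticket, _ = kdc.tgs_req(tgt, authn(), "bageld/alice", evidence=self_ticket)
        delegated = alice.accept(proxy_ticket)
    except PermissionError as e:
        delegated = "refused: " + str(e)
    return single_hop, delegated


if __name__ == "__main__":
    print(run_demo(), run_demo(protocol_transition=False))
```

Without the protocol transition flag the S4U2Self ticket is issued but not forwardable, so the S4U2Proxy request is refused; this is the check a defender wants to see enforced on the KDC side.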
46 Data Source OAuth
47 Tableau Data Source OAuth Implementations
Legacy OAuth, WDC OAuth, GALOP OAuth, Next* OAuth
48 OAuth Limitations
Designed for Web Applications
Requires an Accessible Callback Intermediary
49 Tableau Data Source OAuth Implementations
50 18BI-113 Thank you!
51 Related Sessions
Connecting to Datasources for Tableau Server on Linux: Thursday, October 12, 12:00pm to 1:00pm, South L3 Palm A
Safeguard Your Data: Row Level Security: Thursday, October 12, 10:30am to 11:30am, South L2 Mandalay Bay G
52 Help us plan the future
53 Please complete the session survey from the Session Details screen in your TC18 app
Single Sign-On Showdown ADFS vs Pass-Through Authentication Max Fritz Solutions Architect SADA Systems #ITDEVCONNECTIONS Azure AD Identity Sync & Auth Timeline 2009 2012 DirSync becomes Azure AD Sync 2013
More information6. Security Handshake Pitfalls Contents
Contents 1 / 45 6.1 Introduction 6.2 Log-in Only 6.3 Mutual Authentication 6.4 Integrity/Encryption of Data 6.5 Mediated Authentication (with KDC) 6.6 Bellovin-Merrit 6.7 Network Log-in and Password Guessing
More informationCS 425 / ECE 428 Distributed Systems Fall 2017
CS 425 / ECE 428 Distributed Systems Fall 2017 Indranil Gupta (Indy) Dec 5, 2017 Lecture 27: Security All slides IG Security Threats Leakage Unauthorized access to service or data E.g., Someone knows your
More informationCryptography Worksheet
Cryptography Worksheet People have always been interested in writing secret messages. In ancient times, people had to write secret messages to keep messengers and interceptors from reading their private
More informationKerberos & HPC Batch systems. Matthieu Hautreux (CEA/DAM/DIF)
Kerberos & HPC Batch systems Matthieu Hautreux (CEA/DAM/DIF) matthieu.hautreux@cea.fr Outline Kerberos authentication HPC site environment Kerberos & HPC systems AUKS From HPC site to HPC Grid environment
More informationUser Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017
User Management Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017 Agenda Introduction User Management Federation Objectives 1 Introduction NextGEOSS High-Level Architecture DataHub harvest
More informationAuthentication for Web Services. Ray Miller Systems Development and Support Computing Services, University of Oxford
Authentication for Web Services Ray Miller Systems Development and Support Computing Services, University of Oxford Overview Password-based authentication Cookie-based authentication
More information5. Authentication Contents
Contents 1 / 47 Introduction Password-based Authentication Address-based Authentication Cryptographic Authentication Protocols Eavesdropping and Server Database Reading Trusted Intermediaries Session Key
More informationL7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationHow to Integrate an External Authentication Server
How to Integrate an External Authentication Server Required Product Model and Version This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above, and to all Barracuda
More informationCourse Administration
Lecture 6: Hash Functions, Message Authentication and Key Distribution CS 392/6813: Computer Security Fall 2010 Nitesh Saxena *Adopted from Previous Lectures by Nasir Memon Course Administration HW3 was
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationActive Directory Attacks and Detection Part -III
Active Directory Attacks and Detection Part -III #Whoami Working as an Information Security Executive Blog : www.akijosberryblog.wordpress.com You can follow me on Twitter: @AkiJos Key Takeaways Abusing
More informationKerberos and NFS4 on Linux. isginf Workshop
Kerberos and NFS4 on Linux isginf Workshop Stefan Walter 13.03.18 1 Welcome First workshop we organize! Background info and three practical labs Goal is to show you how to get NFS4 with Kerberos working
More information