logo_kerberos.gif

Difference between revisions of "Projects/Revocation"

From K5Wiki
Jump to: navigation, search
m
m
 
Line 7: Line 7:
 
== Possible scenarios and approaches ==
 
== Possible scenarios and approaches ==
   
# Support “Black list” on KDC: KDC stores information about jeopardized clients together with the timestamp when the accident was recorded (e. g. Client lost mobile phone with some active security-sensitive applications and informed KDC about it). If desired, the Application Server may get an access to this information (perhaps, through a special channel/protocol) and acts accordingly;
+
# “Black list” on KDC: KDC stores information about jeopardized clients together with the timestamp when the accident was recorded (e. g. Client lost mobile phone with some active security-sensitive applications and informed KDC about it). The Application Server accesses this information (perhaps, through a special channel/protocol) and acts accordingly;
# Application server observes some malicious activity (e.g. through audit log analysis) and reports it to KDC. KDC acts accordingly. Ideally, the Client (person or service) is also informed (via email or some other communication channel) that his/her credentials are jeopardized;
+
# Application server observes some malicious activity (e.g.from audit log analysis) and reports it to KDC. KDC acts accordingly. Ideally, the Client (person or service) is also informed that his/her credentials are jeopardized;
# KDC learns that client is jeopardized or his/her credentials are changed or revoked, and dispatches warnings to all services that expressed interest in this functionality and may be potentially affected by the accident. The warning is sent only if the ticket for the particular service exists and is still valid.
+
# KDC learns that client is jeopardized and dispatches warnings to all services that may be potentially affected by the accident. The warning is sent only if the ticket for the particular service was issued and it is still valid.
# Forensics: Application server observes the malicious action. It informs KDC about the accident, but continues to serve the intruder to allow some time to track down the originator of the attack.
+
# Forensics: Application server observes the malicious action. It informs KDC about the accident, but continues to serve the hacker to allow time to track down the originator of the attack.
   
 
===Lightweight approach under CAMMAC umbrella ===
 
===Lightweight approach under CAMMAC umbrella ===
   
KDC learns that client is jeopardized or his/her credentials are changed or revoked, and incorporates the revocation information into AD-CAMMAC container for every newly issued ticket.
+
KDC learns that client is jeopardized or his/her credentials are changed or revoked, and incorporates the revocation information into AD-CAMMAC container for every NEWLY issued ticket. Once ticket receiver processes AD-CAMMAC, it can “locally” revoke/filter all existing tickets for that particular user.
  +
   
 
== References ==
 
== References ==

Latest revision as of 22:00, 1 August 2014

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Purpose

Introduce a Revocation functionality into Kerberos eco-system.

Possible scenarios and approaches

  1. “Black list” on KDC: KDC stores information about jeopardized clients together with the timestamp when the accident was recorded (e. g. Client lost mobile phone with some active security-sensitive applications and informed KDC about it). The Application Server accesses this information (perhaps, through a special channel/protocol) and acts accordingly;
  2. Application server observes some malicious activity (e.g.from audit log analysis) and reports it to KDC. KDC acts accordingly. Ideally, the Client (person or service) is also informed that his/her credentials are jeopardized;
  3. KDC learns that client is jeopardized and dispatches warnings to all services that may be potentially affected by the accident. The warning is sent only if the ticket for the particular service was issued and it is still valid.
  4. Forensics: Application server observes the malicious action. It informs KDC about the accident, but continues to serve the hacker to allow time to track down the originator of the attack.

Lightweight approach under CAMMAC umbrella

KDC learns that client is jeopardized or his/her credentials are changed or revoked, and incorporates the revocation information into AD-CAMMAC container for every NEWLY issued ticket. Once ticket receiver processes AD-CAMMAC, it can “locally” revoke/filter all existing tickets for that particular user.


References

  1. http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7817.pdf
  2. http://tools.ietf.org/html/draft-ietf-krb-wg-cammac-07
  3. http://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf (Class FAU_ARP)