Kerberos PKINIT: what, why, and how (to break it)

Formal Metadata

License
CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
The Kerberos PKINIT extension replaces password authentication with X.509 PKI. This brings some advantages but also new risks. This presentation explains and demonstrates how PKINIT works, and presents a novel attack against FreeIPA's PKINIT implementation.

Kerberos is an authentication and single sign-on protocol based on symmetric cryptography. To avoid the drawbacks and risks of passwords, the PKINIT protocol extension enables clients to authenticate using public key cryptography and X.509 certificates. To further improve security, private keys can reside on, and signing/decryption operations can be performed by, hardware cryptographic tokens (smart card, PIV, TPM, etc.). I will start the talk with a brief overview of the core Kerberos protocol. Next I will explain how the PKINIT extension works, and demonstrate how to set up and use PKINIT in a FreeIPA environment. (FreeIPA is a free software identity management system that includes MIT Kerberos and Dogtag PKI.) Finally I will discuss some of the risks that arise when using PKINIT, and security considerations for implementers and deployers. I will present and demonstrate a recently discovered PKINIT security flaw in some older (but still supported) versions of FreeIPA.
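The abstract says PKINIT swaps the password-derived pre-authentication of plain Kerberos for a signed, certificate-backed one. The block below is an added example written for this page; it is not code from the talk, from FreeIPA or from MIT Kerberos. It walks one AS exchange in PKINIT's public-key (RSA) mode with both sides present: the client signs an AuthPack (its time plus a nonce), the KDC checks the certificate against its trust anchors, checks the signature, checks freshness, checks that the certificate is bound to the principal being requested, and returns a reply key encrypted to the client's public key. Everything cryptographic is a stand-in: textbook RSA over Mersenne primes without padding, a dict in place of an X.509 certificate with a `principal` field playing the part of the id-pkinit-san otherName, and constructed names (`CN=Example CA`, `alice@EXAMPLE.COM`). Real implementations sign a DER-encoded AuthPack inside CMS SignedData and validate a full X.509 chain; the checks and their order are the point, not the arithmetic.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds; MIT krb5's default clockskew

# Textbook RSA over Mersenne primes, no padding: a constructed stand-in so the
# block runs on the standard library alone. Real PKINIT signs a DER-encoded
# AuthPack inside CMS SignedData and validates a full X.509 chain.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest_int(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest_int(data, pub["n"])

CA_KEY = make_key(2**107 - 1, 2**127 - 1)
CLIENT_KEY = make_key(2**61 - 1, 2**89 - 1)
TRUSTED_CAS = {"CN=Example CA": public(CA_KEY)}  # plays the role of pkinit_anchors

def issue_cert(ca_key, issuer, subject, principal, pub):
    """Constructed certificate; 'principal' stands in for the id-pkinit-san
    otherName that binds an X.509 certificate to a Kerberos principal."""
    tbs = {"issuer": issuer, "subject": subject, "principal": principal, "pub": pub}
    return {"tbs": tbs, "sig": sign(ca_key, canon(tbs))}

def client_as_req(cname, cert, key, now):
    """AS-REQ carrying PA-PK-AS-REQ: a signed AuthPack (client time + nonce)
    replaces the password-derived encrypted timestamp of ordinary preauth."""
    auth_pack = {"ctime": int(now), "nonce": secrets.randbits(32)}
    return {"cname": cname, "cert": cert, "auth_pack": auth_pack,
            "sig": sign(key, canon(auth_pack))}

class KdcError(Exception):
    pass

def kdc_handle(req, now):
    """KDC side: trust-anchor check, signature check, freshness, name binding,
    then the reply key encrypted to the client's public key (RSA mode)."""
    cert = req["cert"]
    ca_pub = TRUSTED_CAS.get(cert["tbs"]["issuer"])
    if ca_pub is None or not verify(ca_pub, canon(cert["tbs"]), cert["sig"]):
        raise KdcError("KDC_ERR_INVALID_CERTIFICATE")
    client_pub = cert["tbs"]["pub"]
    if not verify(client_pub, canon(req["auth_pack"]), req["sig"]):
        raise KdcError("KDC_ERR_INVALID_SIG")
    if abs(int(now) - req["auth_pack"]["ctime"]) > MAX_SKEW:
        raise KdcError("KRB_AP_ERR_SKEW")
    # The binding a certificate-mapping rule must reproduce: the certificate
    # has to identify exactly the principal being requested, not just some user.
    if cert["tbs"]["principal"] != req["cname"]:
        raise KdcError("KDC_ERR_CLIENT_NAME_MISMATCH")
    reply_key = secrets.randbits(128)
    nonce = req["auth_pack"]["nonce"]
    return {"nonce": nonce,
            "enc_reply_key": pow(reply_key, client_pub["e"], client_pub["n"]),
            # stands in for the AS-REP enc-part, which is encrypted under the reply key
            "confirm": hmac.new(reply_key.to_bytes(16, "big"), canon(nonce), "sha256").hexdigest()}

def client_open_rep(rep, req, key):
    """Client side: recover the reply key with the private key (the step a
    smart card or TPM would perform) and confirm the KDC saw the same nonce."""
    if rep["nonce"] != req["auth_pack"]["nonce"]:
        raise KdcError("nonce mismatch")
    reply_key = pow(rep["enc_reply_key"], key["d"], key["n"])
    confirm = hmac.new(reply_key.to_bytes(16, "big"), canon(rep["nonce"]), "sha256").hexdigest()
    if not hmac.compare_digest(confirm, rep["confirm"]):
        raise KdcError("reply key confirmation failed")
    return reply_key

def run_pkinit(cname, cert, key, client_now=None, kdc_now=None):
    """Drive one exchange; returns "OK" or the Kerberos error name."""
    client_now = time.time() if client_now is None else client_now
    kdc_now = time.time() if kdc_now is None else kdc_now
    try:
        req = client_as_req(cname, cert, key, client_now)
        client_open_rep(kdc_handle(req, kdc_now), req, key)
        return "OK"
    except KdcError as err:
        return str(err)

ALICE_CERT = issue_cert(CA_KEY, "CN=Example CA", "CN=alice",
                        "alice@EXAMPLE.COM", public(CLIENT_KEY))

if __name__ == "__main__":
    print(run_pkinit("alice@EXAMPLE.COM", ALICE_CERT, CLIENT_KEY))
    print(run_pkinit("admin@EXAMPLE.COM", ALICE_CERT, CLIENT_KEY))
```

The name-binding step is the one that differs most between deployments: where a KDC consults a directory to map a certificate to a principal instead of requiring an exact principal name in the certificate, that lookup takes over the job done here by the `principal` equality check, and it has to be just as exclusive, since a mapping that can resolve a certificate to a principal other than its intended owner lets the holder obtain that other principal's TGT.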