[36316] in Kerberos


revocation feature in Kerberos

daemon@ATHENA.MIT.EDU (Zhanna Tsitkov)
Thu Jul 31 16:14:02 2014

From: Zhanna Tsitkov <tsitkova@mit.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 31 Jul 2014 20:13:39 +0000
Message-ID: <3BEA9318-D680-4C4C-A5D7-A81077B94D44@mit.edu>

Hello,
I was wondering if there is any interest in a full-scale Violation-alarm/Revocation feature for Kerberos-enabled environments?
There are several possible scenarios/approaches:
1. “Black list” on KDC: KDC stores information about jeopardized clients together with the timestamp when the accident was recorded (e.g., Client lost mobile phone with some active security-sensitive applications and informed KDC about it). The Application Server accesses this information (perhaps through a special channel/protocol) and acts accordingly;
2. Application server observes some malicious activity (e.g., from audit log analysis) and reports it to KDC. KDC acts accordingly. Ideally, the Client (person or service) is also informed that his/her credentials are jeopardized;
3. KDC learns that client is jeopardized and dispatches warnings to all services that may be potentially affected by the accident. The warning is sent only if the ticket for the particular service was issued and it is still valid;
4. Forensics: Application server observes the malicious action. It informs KDC about the accident, but continues to serve the hacker to allow time to track down the originator of the attack.

All of these scenarios would require extensive design/developmental work. There is, however, a lightweight approach under the CAMMAC umbrella (http://tools.ietf.org/html/draft-ietf-krb-wg-cammac-07) when revocation information is incorporated into the AD-CAMMAC container and is sent with every NEWLY issued ticket. Once the ticket receiver processes AD-CAMMAC, it can “locally” revoke/filter all existing tickets for that particular user.

The relevant NIST document can be found here: http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7817.pdf

Your input and comments are appreciated.

Thanks,
Zhanna
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
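
The receiver-side "local" revocation filter from the lightweight approach in the message above, as an added sketch that is not part of the original post and not MIT Kerberos code. The message does not define how revocation information is encoded, so the `(principal, revoked_at)` pairs, the `Ticket` fields and the class name are assumptions. It also assumes the container's KDC verifier was already validated and that `max_ticket_life` covers the longest lifetime, renewals included, that the KDC will issue.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    client: str              # client principal name
    authtime: int            # initial authentication time (epoch seconds)
    endtime: int             # ticket expiry (epoch seconds)
    # Hypothetical revocation entries carried in the AD-CAMMAC container of a
    # newly issued ticket: (principal, revoked_at) pairs, not limited to this client.
    revocations: tuple = ()

class LocalRevocationFilter:
    """Application-server cache of revocations learned from incoming tickets."""

    def __init__(self, max_ticket_life):
        self.max_life = max_ticket_life
        self._revoked = {}   # principal -> latest revoked_at seen

    def _learn(self, ticket):
        # Keep only the most recent revocation time per principal.
        for principal, revoked_at in ticket.revocations:
            if revoked_at > self._revoked.get(principal, 0):
                self._revoked[principal] = revoked_at

    def _prune(self, now):
        # Tickets authenticated before revoked_at have expired on their own once
        # revoked_at + max_life has passed, so the entry is no longer needed.
        self._revoked = {p: t for p, t in self._revoked.items()
                         if t + self.max_life > now}

    def pending(self):
        return dict(self._revoked)

    def accept(self, ticket, now):
        if ticket.endtime <= now:
            return False                     # ordinary expiry check
        self._learn(ticket)
        self._prune(now)
        revoked_at = self._revoked.get(ticket.client)
        # Tickets obtained after the recorded time (re-issued credentials) still pass.
        return revoked_at is None or ticket.authtime > revoked_at

if __name__ == "__main__":
    # Constructed sample data.
    f = LocalRevocationFilter(max_ticket_life=36000)
    old = Ticket("alice@EXAMPLE.COM", authtime=1000, endtime=37000)
    carrier = Ticket("bob@EXAMPLE.COM", 6000, 42000,
                     revocations=(("alice@EXAMPLE.COM", 5000),))
    print(f.accept(old, 2000), f.accept(carrier, 6000), f.accept(old, 6100))
```

The server only learns of a revocation when the next new ticket carrying it arrives, so the window between the KDC recording the event and the local filter taking effect depends on ticket traffic to that server.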

