General Security Concepts: Access Control, Authentication, and Auditing • Chapter 1 21
Kerberos uses a time stamp, and we need to understand where and when the
time stamp is used. Previously mentioned was the concept of non-repudiation (see
Chapter 9), which is one reason for the use of time stamps. In the case of
Kerberos, the time stamp is also used to limit the possibility of replay or spoofing of
credentials (see Chapter 2). Replay is the capture of information (here, an
authentication exchange) and its later retransmission, with or without
modification, to the entity waiting to receive the communication. If unchecked,
this allows impersonation of the original sender when seeking access. Spoofing is
the substitution of addressing or authentication information to try to attain access
to a resource based on information acceptable to the receiving host, but not truly
owned by the sender.
The initial time stamp refers to any communication between the entity
requesting authentication and the KDC. The KDC compares the client's time stamp
with its own clock and rejects the request if the two differ by more than the
permitted clock skew. In MIT Kerberos this tolerance is the clockskew setting in
krb5.conf, and its default is five minutes (300 seconds); Microsoft's Kerberos
implementation also uses a five-minute default. If clocks are not synchronized
between the systems, credentials (tickets) will not be granted when the time
differential exceeds the established limit, which is why a Kerberos deployment
depends on NTP or an equivalent time source. The same five-minute window applies
when a client presents a ticket to a resource server: the authenticator that
accompanies the ticket carries a fresh time stamp, and the server discards the
request if that stamp falls outside the window or if it has already seen the same
authenticator (a replay). The session established between the resource server and
the requesting entity is also time-stamped, but it generally lasts as long as the
entity's logon credential is valid. This can be affected by system policies like
logon hour restrictions, which are defined in the original access token. The TGT is
not limited by the five-minute window either. Rather, it is cached locally on the
machine and reused for the duration of the logged-on session, subject to its own
ticket lifetime (ten hours by default in Active Directory, after which it must be
renewed or obtained again).
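The checks a resource server applies when a ticket and authenticator arrive, as an added example in Python (this is illustration written for this page, not code from the book or from any Kerberos implementation). The ticket and authenticator are plain dicts whose field names are borrowed from RFC 4120, the error names are the RFC 4120 error codes, and the sample times and principal are constructed for the demonstration. It shows the three outcomes the text describes: a stamp outside the five-minute skew window, the same authenticator presented twice (replay), and a ticket presented after its own lifetime has ended.

```python
"""Server-side acceptance checks for a Kerberos AP-REQ.

The authenticator time stamp must lie within the permitted clock skew, the
ticket must be inside its own lifetime, and an authenticator must never be
accepted twice.  All times are POSIX seconds.  Field names follow RFC 4120;
the dicts stand in for the decrypted ASN.1 structures (an assumption made for
this example).
"""

CLOCK_SKEW = 300          # five minutes: MIT krb5 `clockskew` default and the AD default


class ReplayCache:
    """Remembers authenticators seen inside the skew window.

    Entries older than the window are purged: an authenticator that old would
    fail the skew check anyway, so there is nothing left to protect.
    """

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.seen = {}      # (cname, ctime, cusec) -> server time when first seen

    def check_and_record(self, key, now):
        for stale in [k for k, t in self.seen.items() if now - t > self.skew]:
            del self.seen[stale]
        if key in self.seen:
            return False    # already accepted once: this is a replay
        self.seen[key] = now
        return True


def verify_ap_req(ticket, authenticator, now, cache, skew=CLOCK_SKEW):
    """Return an RFC 4120 error name, or 'OK' if the request is accepted."""
    if authenticator["cname"] != ticket["cname"]:
        return "KRB_AP_ERR_BADMATCH"        # authenticator and ticket name different clients
    if now < ticket["starttime"] - skew:
        return "KRB_AP_ERR_TKT_NYV"          # ticket not yet valid
    if now > ticket["endtime"] + skew:
        return "KRB_AP_ERR_TKT_EXPIRED"      # ticket lifetime exceeded
    if abs(now - authenticator["ctime"]) > skew:
        return "KRB_AP_ERR_SKEW"             # time stamp outside the five-minute window
    key = (authenticator["cname"], authenticator["ctime"], authenticator["cusec"])
    if not cache.check_and_record(key, now):
        return "KRB_AP_ERR_REPEAT"           # same authenticator presented again
    return "OK"


def run_scenarios():
    """Constructed sample exchange (not captured traffic): one service ticket
    issued at t0 with a ten-hour lifetime, and four AP-REQs against it."""
    t0 = 1_700_000_000                       # arbitrary epoch for the demonstration
    ticket = {"cname": "alice@EXAMPLE.COM", "starttime": t0, "endtime": t0 + 10 * 3600}
    fresh = {"cname": "alice@EXAMPLE.COM", "ctime": t0 + 60, "cusec": 123456}
    cache = ReplayCache()
    results = []
    # 1) genuine request, client clock two seconds off the server clock
    results.append(verify_ap_req(ticket, fresh, now=t0 + 62, cache=cache))
    # 2) the same authenticator captured and resent thirty seconds later
    results.append(verify_ap_req(ticket, fresh, now=t0 + 90, cache=cache))
    # 3) a client whose clock is ten minutes behind the server
    skewed = dict(fresh, ctime=t0 + 60 - 600)
    results.append(verify_ap_req(ticket, skewed, now=t0 + 62, cache=cache))
    # 4) a correctly stamped request made an hour after the ticket expired
    late = dict(fresh, ctime=t0 + 11 * 3600)
    results.append(verify_ap_req(ticket, late, now=t0 + 11 * 3600, cache=cache))
    return results


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

The replay cache is what turns the time stamp into a replay defence: the skew window alone only bounds how long a captured authenticator stays usable, and the cache closes that remaining window. Note also that the ticket lifetime check tolerates the same skew in both directions, which is how RFC 4120 specifies it.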
CHAP
One of the methods that can be used to protect information when using remote
access to a resource is the Challenge Handshake Authentication Protocol (CHAP).
CHAP is a remote access authentication protocol used in conjunction with Point-
to-Point Protocol (PPP) to provide security and authentication to users of remote
resources. You will recall that PPP replaced the older Serial Line Internet Protocol
(SLIP). PPP not only allows for more security than SLIP, but also does not require
static addressing to be defined for communication. PPP allows users to use dynamic
addressing and multiple protocols during communication with a remote host.
CHAP is described in RFC 1994, available at www.ietf.org/rfc/rfc1994.txt?number=1994.
The RFC describes a process of authentication that works in the following manner:
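Both sides of the exchange that RFC 1994 specifies, as an added example in Python (written for this page; it is not the book's material and not the code of any PPP implementation). The peer names, the secret, the dict-based secret store and the 16-byte challenge length are constructed for the demonstration; the response computation itself, MD5 over the one-octet Identifier, the secret and the Challenge Value, is the RFC's. The example also shows why a fresh challenge matters: a response captured from one exchange fails against the next.

```python
"""A CHAP exchange per RFC 1994 with the MD5 algorithm.

The peer never transmits its secret.  It returns
MD5(Identifier || secret || Challenge), and the authenticator, which holds the
same secret, recomputes the value.  A new random challenge per exchange is what
defeats replay of a captured response.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 2: one-way hash over the one-octet Identifier, the
    secret and the Challenge Value, concatenated in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and holds the secrets (e.g. a NAS).
    The dict-based secret store is an assumption made for this example."""

    def __init__(self, secrets):
        self.secrets = secrets           # peer name -> secret (bytes)
        self.identifier = 0
        self.outstanding = {}            # Identifier -> Challenge Value

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF    # Identifier is one octet
        value = os.urandom(16)                            # unique, unpredictable challenge
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, name, response):
        # A challenge may be answered once; an unknown Identifier or name fails closed.
        value = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)    # constant-time comparison


class Peer:
    """The dial-in side: answers whatever challenge it is sent."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange():
    """Three constructed exchanges: a legitimate peer, a replay of that peer's
    captured response, and a peer that knows the name but not the secret."""
    nas = Authenticator({"alice": b"correct horse battery staple"})
    alice = Peer("alice", b"correct horse battery staple")
    impostor = Peer("alice", b"guessed secret")

    ident, chal = nas.challenge()
    name, resp = alice.respond(ident, chal)
    genuine = nas.verify(ident, name, resp)              # accepted

    ident2, _ = nas.challenge()                          # new challenge, old response
    replayed = nas.verify(ident2, name, resp)            # rejected: challenge differs

    ident3, chal3 = nas.challenge()
    name3, resp3 = impostor.respond(ident3, chal3)
    wrong_secret = nas.verify(ident3, name3, resp3)      # rejected: hash does not match

    return genuine, replayed, wrong_secret


if __name__ == "__main__":
    print(run_exchange())
```

Two caveats a practitioner should keep in mind: the authenticator must hold the secret itself (not a one-way hash of it) in order to recompute the response, and anyone who captures a challenge/response pair can test candidate secrets offline, so CHAP's protection is only as good as the strength of the shared secret.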