Protocol benchmarking / auditing inquiry

Brent Kimberley Brent.Kimberley at Durham.ca
Wed Feb 14 15:07:35 EST 2024


To the best of my knowledge, Krb5i provides integrity whereas Krb5p provides confidentiality, integrity, and replay protection.

"Walk tool" findings could map to a radar chart.

In other news, Matthew Palko plans to modernize authentication.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848


-----Original Message-----
From: Brent Kimberley
Sent: Wednesday, February 14, 2024 2:20 PM
To: Christopher D. Clausen <cclausen at acm.org>; kerberos at mit.edu
Subject: RE: Protocol benchmarking / auditing inquiry

Hi Christopher.

Yes.  You are correct.  Peer reviewed installation readiness documents like the CIS MIT benchmark are a good "first step."

I was asking pointers to the rest of the lifecycle suite - specifically "walk".

Crawl
=====
Installation readiness documents
        e.g., CIS MIT Kerberos Benchmark

Walk
====
Focused applications.

Application which can connect to a client or a server and emit:
        Enabled ciphers.
        Enabled MACs.
        Enabled Kerberos modes (krb5, krb5i, krb5p)
        etc.

Background: most sites appear to be misconfigured.

Run
====
A focused service.


-----Original Message-----
From: Christopher D. Clausen <cclausen at acm.org>
Sent: Wednesday, February 14, 2024 2:10 PM
To: Brent Kimberley <Brent.Kimberley at Durham.ca>; kerberos at mit.edu
Subject: Re: Protocol benchmarking / auditing inquiry


I have used this as a guide, but I think MIT Kerberos version 1.10 is the latest available:
https://www.cisecurity.org/benchmark/mit_kerberos

Not sure if this is what you are looking for or not.

<<CDC

On 2/14/2024 11:46 AM, Brent Kimberley via Kerberos wrote:
> Preferably something smaller and more focused than nmap or OpenSCAP. 😉
>
> From: Brent Kimberley
> Sent: Wednesday, February 14, 2024 12:44 PM
> To: kerberos at mit.edu
> Subject: Protocol benchmarking / auditing inquiry
>
> Hi.
> Can anyone point me to some methods to benchmark and/or audit Kerberos v5?
>
> For example, SSH:
>                 Manual
>                                Read the RFCs and specs.
>                Semi-automatic.
>                                jtesta/ssh-audit: SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) (github.com)<https://github.com/jtesta/ssh-audit/>
>                 Automatic
>                                SSH Configuration Auditor
>                                (ssh-audit.com)<https://www.ssh-audit.com/>
>
>
> TLS example upon request.

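The "walk" tool asked for above (something that emits the enabled ciphers and Kerberos modes the way ssh-audit does for SSH) does not exist as a finished project in this thread. The following is an added example, not code from the thread or from MIT Kerberos: a small checker that reads krb5.conf / kdc.conf text, expands enctype aliases and families, and labels each enabled enctype as strong, deprecated or weak. It audits configuration text rather than probing a KDC over the network, so it covers the enctype part of the "walk" list only, not krb5/krb5i/krb5p negotiation. The per-setting score is the share of strong enctypes, one number per axis for the radar chart idea mentioned above. The classification assumes current MIT Kerberos (single-DES enctypes removed in 1.18, des3-cbc-sha1 and arcfour-hmac deprecated since 1.19); the sample configuration is constructed and does not describe any real site.

```python
"""Enctype audit for krb5.conf / kdc.conf text (added example, not MIT code).

Labels: strong (AES, Camellia), deprecated (des3-cbc-sha1, arcfour-hmac,
deprecated in MIT krb5 1.19), weak (single DES, raw modes, export RC4).
Assumption: alias and family names follow the MIT krb5 enctype table.
"""
import re

# Canonical enctype name -> aliases MIT accepts for it.
ALIASES = {
    "aes256-cts-hmac-sha1-96": {"aes256-cts", "aes256-sha1"},
    "aes128-cts-hmac-sha1-96": {"aes128-cts", "aes128-sha1"},
    "aes256-cts-hmac-sha384-192": {"aes256-sha2"},
    "aes128-cts-hmac-sha256-128": {"aes128-sha2"},
    "camellia256-cts-cmac": {"camellia256-cts"},
    "camellia128-cts-cmac": {"camellia128-cts"},
    "des3-cbc-sha1": {"des3-hmac-sha1", "des3-cbc-sha1-kd"},
    "arcfour-hmac": {"rc4-hmac", "arcfour-hmac-md5"},
    "arcfour-hmac-exp": {"rc4-hmac-exp", "arcfour-hmac-md5-exp"},
    "des-cbc-crc": set(), "des-cbc-md4": set(), "des-cbc-md5": set(),
    "des-cbc-raw": set(), "des3-cbc-raw": set(),
}
CANON = {a: c for c, al in ALIASES.items() for a in al | {c}}
STRONG = {c for c in ALIASES if c.startswith(("aes", "camellia"))}
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac"}
# Family keywords expand to every member of the family.
FAMILIES = {
    "aes": {c for c in STRONG if c.startswith("aes")},
    "camellia": {c for c in STRONG if c.startswith("camellia")},
    "des3": {"des3-cbc-sha1"},
    "rc4": {"arcfour-hmac", "arcfour-hmac-exp"},
    "des": {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"},
}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "supported_enctypes", "master_key_type"}


def parse_enctype_settings(text):
    """Return {(section, realm, key): [token, ...]} for enctype settings.

    Understands "[section]", "key = value" and the "REALM = { ... }"
    subsections of [realms]. kdc.conf supported_enctypes tokens carry a
    ":salttype" suffix, which is stripped.
    """
    settings, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if m := re.match(r"\[(\w+)\]$", line):
            section, realm = m.group(1), None
        elif m := re.match(r"(\S+)\s*=\s*\{$", line):
            realm = m.group(1)
        elif line == "}":
            realm = None
        else:
            key, sep, value = line.partition("=")
            key = key.strip()
            if sep and key in ENCTYPE_KEYS:
                settings[(section, realm, key)] = [
                    t.split(":", 1)[0].lower() for t in value.split()]
    return settings


def classify(tokens):
    """Expand aliases/families and label each enctype.

    Anything not recognised (including the DEFAULT keyword and +/- list
    modifiers) is reported as "unresolved" instead of silently passing,
    so the report never understates what a setting enables.
    """
    result = {}
    for tok in tokens:
        names = FAMILIES.get(tok) or ({CANON[tok]} if tok in CANON else None)
        if names is None:
            result[tok] = "unresolved"
            continue
        for name in names:
            result[name] = ("strong" if name in STRONG else
                            "deprecated" if name in DEPRECATED else "weak")
    return result


def audit(text):
    """Per-setting labels plus a 0..1 score (share of strong enctypes)."""
    report = {}
    for (section, realm, key), tokens in parse_enctype_settings(text).items():
        labels = classify(tokens)
        strong = sum(1 for v in labels.values() if v == "strong")
        name = f"{section}/{realm}/{key}" if realm else f"{section}/{key}"
        report[name] = {"enctypes": labels,
                        "score": strong / len(labels) if labels else 0.0}
    return report


# Constructed sample (not a real site): mixes strong, deprecated and weak types.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes256-cts aes128-cts rc4-hmac
    default_tgs_enctypes = aes des3-cbc-sha1
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
        supported_enctypes = aes256-cts:normal aes128-cts:normal des-cbc-crc:normal
        master_key_type = aes256-cts
    }
"""

if __name__ == "__main__":
    for setting, info in audit(SAMPLE_CONF).items():
        flagged = [f"{e} ({l})" for e, l in info["enctypes"].items() if l != "strong"]
        print(f"{setting}: score={info['score']:.2f} flagged={flagged}")
```

Pointing the script at a real file (`audit(open("/etc/krb5.conf").read())`) gives the same shape of output; the unresolved label is the one to watch, since a DEFAULT keyword hides whatever the library build enables.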