0

I was wondering if anyone is using Kerberos for their 2FA solution into their CDE for PCI DSS compliance. Also, what does PCI DSS say about SSO once 2FA has occurred through a RADIUS server?

schroeder
Scott

2 Answers

3

(2FA = Two Factor Authentication, for those just tuning in)

I was wondering if anyone is using Kerberos for their 2FA solution into their CDE for PCI DSS compliance.

Kerberos is an authentication mechanism most commonly used to grant access based on password credentials. As such, it doesn't provide 2FA; it provides 1FA. I have seen Kerberos used as a 1FA in CDE environments.

There are 2FA systems which incorporate Kerberos, such as Red Hat's Identity Management server, but in those cases Kerberos is used for "something you know" and glued to "something you have" (software or hardware OTP) using LDAP and possibly RADIUS. And MIT appears to have integrated Duo OTP more directly with Kerberos, at some cost of client support.

So - Kerberos may be part of a valid 2FA solution for your CDE, but in general it only provides one factor, so additional lifting is required.

Also, what does PCI DSS say about SSO once 2FA has occurred through a RADIUS server?

The DSS does not address Single Sign-On per se, however, it does state:

Multi-factor authentication can be performed either upon authentication to the particular network or to the system component.

(DSS 3.2 section 8.3)

I'm not a QSA, but I think one could make a legitimate case that that language could be used to argue that 2FA is not required upon each system component sign-on, as long as it's used for the initial login to the CDE network. Which is to say that the DSS does not appear to prohibit SSO when it requires 2FA.

gowenfawr
  • Hey thanks SO much for the quick reply. :) That really helps. I forgot to mention that we are looking at using Google Authenticator for the 2FA piece, then they were going to use Kerberos to generate the one time token for SSO. – Scott Sep 13 '16 at 17:53
  • I think - minor distinction - what you mean is that you're going to leverage Kerberos tickets to provide SSO to resources in the Kerberos realm once you've fully authenticated, which includes Google Authenticator as a 2nd factor. In your language there's a confusion between tickets, which can be presented to effect SSO, and tokens. – gowenfawr Sep 13 '16 at 18:22
  • I am wondering about your understanding of 2FA. Kerberos as a protocol supports many kinds of 2FA like PKINIT/RFC4556 with smartcards and also OTP/RFC6560 (which in my opinion is of no use). Of course in the end you get a TGT, which is one factor. But you could boil down every auth process to one factor. Yes, Kerberos supports 2FA. And as far as MIT Kerberos is concerned. Stop promoting this DUO crap. MIT has a RADIUS interface, which can be used to connect **ANY** 2FA system. – cornelinux Sep 14 '16 at 19:45
  • I am wondering if the writers of PCI DSS have in mind, to require 2FA but allow an **external** authentication instance like DUO. – cornelinux Sep 14 '16 at 19:48
  • @cornelinux, your grasp of keywords is far better than mine - I look forward to seeing your answer to the question. – gowenfawr Sep 14 '16 at 22:24
0

SSO is a moot point; for example, are you concerned that a single computer allows you to run different programs without authenticating each time? Your enterprise computer environment is a single system which is required to only allow access to authenticated and authorised users using 2FA.

In short, Kerberos is a protocol that supports single and multifactor authentication. You can implement a policy on your Key Distribution Center (KDC) to allow one, two or multifactor authentication.

Microsoft implemented a Kerberos based authentication service, and as is their way they supported some of the Kerberos protocol's capabilities, but not all. Your ability to implement policy is dictated by your choice of implementation and the policies available on your choice of KDC.

For example, using Kerberos you can require that some services require 2 factor auth and can only be accessed using an initial ticket, i.e. forcing more frequent proof of identity for high value systems.

However, rather than trusting me go to the source. The protocol definition is not complex: https://www.rfc-editor.org/rfc/rfc4120

The following extract from another Kerberos RFC is enlightening. https://www.rfc-editor.org/rfc/rfc8129

Kerberos [RFC4120] allows secure interaction among users and services over a network. It supports a variety of authentication mechanisms using its pre-authentication framework [RFC6113]. The Kerberos authentication service has been architected to support password-based authentication as well as multi-factor authentication using one-time password devices, public-key cryptography, and other pre-authentication schemes. Implementations that offer pre-authentication mechanisms supporting significantly different strengths of client authentication may choose to keep track of the strength of the authentication that was used, for use as an input into policy decisions.

Ian
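As an added example that is not part of either answer, here is what the KDC policy Ian describes (a TGT that records how strongly the client authenticated, and a high-value service that refuses anything weaker and refuses TGT-based tickets) looks like on MIT krb5, with the OTP factor delegated to a RADIUS server as gowenfawr and cornelinux mention. The realm CDE.EXAMPLE.COM, the RADIUS address 10.0.1.5, the principals alice and host/pos.cde.example.com, and the file paths are assumptions; the kdc.conf [otp] section, the pkinit_indicator realm option, the otp and require_auth principal string attributes, and the -allow_tgs_req flag are the documented MIT krb5 mechanisms (authentication indicators need MIT krb5 1.15 or later).

```shell
#!/bin/sh
# Added example (not from the original answers): MIT krb5 KDC policy for
# "2FA at the door, SSO inside, stronger proof for high-value services".
# Realm, hosts, principal names and paths below are assumptions.

# kdc.conf fragments. OTP pre-authentication (RFC 6560) is relayed to a
# RADIUS server, so any OTP product behind RADIUS can be the second factor;
# a TGT obtained that way is stamped with the authentication indicator
# "otp" (RFC 8129). Smart-card logins via PKINIT (RFC 4556) get "pkinit".
render_kdc_conf() {
    cat <<'EOF'
[realms]
    CDE.EXAMPLE.COM = {
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
        pkinit_indicator = pkinit
    }

[otp]
    DEFAULT = {
        server = 10.0.1.5:1812
        secret = /var/kerberos/krb5kdc/otp.secret
        timeout = 15
        retries = 3
        strip_realm = true
        indicator = otp
    }
EOF
}

# kadmin.local commands that attach the policy to principals.
render_kadmin_commands() {
    cat <<'EOF'
# alice must pre-authenticate, and the otp attribute makes the KDC offer
# OTP pre-auth for her (token type DEFAULT = the [otp] block above).
modprinc +requires_preauth alice
setstr alice otp [{"type":"DEFAULT"}]
# The in-scope POS host only issues tickets to clients whose
# authentication carried the "otp" or "pkinit" indicator, and never via
# the TGS: the client must perform a fresh AS exchange for this service.
setstr host/pos.cde.example.com require_auth "otp pkinit"
modprinc -allow_tgs_req host/pos.cde.example.com
# Every other service in the realm keeps plain TGT-based SSO.
EOF
}

# Apply on the KDC: append the config and feed each command to kadmin.local.
apply() {
    render_kdc_conf >> /var/kerberos/krb5kdc/kdc.conf
    render_kadmin_commands | grep -v -e '^#' -e '^$' | while read -r cmd; do
        kadmin.local -q "$cmd" < /dev/null
    done
}

case "${1:-}" in
    apply) apply ;;
    *) render_kdc_conf; echo; render_kadmin_commands ;;
esac
```

Run it with no arguments to review the fragments, or with "apply" on the KDC itself. After that, `kinit alice` prompts for the OTP in addition to the password and yields a TGT carrying the "otp" indicator; that TGT gives ordinary SSO to the rest of the realm, while `host/pos.cde.example.com` only accepts a fresh `kinit -S host/pos.cde.example.com`, which again goes through OTP or PKINIT pre-auth. Drop the pkinit_* lines if no smart cards are in play.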