SESAME
SESAME is a network authentication and security protocol developed as a successor to Kerberos, addressing many of its limitations. Designed to operate in heterogeneous, multi-vendor environments, SESAME combines Kerberos’ strengths with advanced features such as Public Key Infrastructure (PKI), fine-grained access control, and enhanced flexibility for distributed systems.
Key Features of SESAME
Integration of Public Key Cryptography:
Unlike Kerberos, which relies heavily on symmetric cryptography, SESAME incorporates public key infrastructure (PKI) for authentication. This provides:
Stronger security.
The ability to operate in environments where symmetric keys are harder to manage.
Enhanced Privilege Management:
SESAME introduces Privilege Attribute Certificates (PACs), which are used to define user roles and permissions.
PACs are digitally signed and can include detailed information about access rights, providing a more flexible and granular access control mechanism.
Delegation of Authority:
SESAME supports delegation of authority, allowing users or systems to delegate their access rights to others in a controlled and secure manner. This is especially useful in workflows requiring collaboration or automation.
Mutual Authentication:
SESAME enforces mutual authentication, ensuring that both the client and the server verify each other’s identities before proceeding. This mitigates the risk of man-in-the-middle attacks.
Support for Multi-Vendor Environments:
SESAME is explicitly designed to work in heterogeneous networks, where devices and systems from different vendors coexist. This makes it more adaptable than Kerberos for large enterprises and international organizations.
SESAME Architecture
SESAME retains the basic architecture of Kerberos but introduces additional components to enhance functionality. Below are the primary components:
Authentication Server (AS):
Handles the initial authentication of the client and issues a Secure Ticket containing the client’s identity and public key information.
Privilege Attribute Certificate Server (PACS):
Responsible for creating and managing Privilege Attribute Certificates (PACs), which specify the client’s roles and access permissions.
Ticket-Granting Server (TGS):
Issues service-specific Secure Tickets after verifying the client’s PAC and initial ticket.
Client:
The user or application requesting access to network resources. The client uses PKI-based credentials to authenticate itself to the SESAME servers.
Service Server (SS):
The server hosting the requested resource or service. It evaluates the client’s PAC and ticket before granting or denying access.
SESAME Authentication Workflow
SESAME’s authentication process builds upon the Kerberos model but includes several key enhancements. Below is the detailed step-by-step workflow:
1. Initial Authentication
The client sends an authentication request to the Authentication Server (AS), including its public key.
The AS verifies the client’s identity using its public key certificate. If successful, the AS issues:
A Secure Ticket, containing the client’s identity, public key, and session key, encrypted with the client’s private key.
A session key for secure communication between the client and the Ticket-Granting Server (TGS).
2. Privilege Attribute Certificate (PAC) Assignment
The client forwards the Secure Ticket to the Privilege Attribute Certificate Server (PACS).
The PACS evaluates the client’s identity and retrieves the corresponding privileges and roles from its database.
A PAC is created, digitally signed, and sent back to the client.
3. Requesting a Service Ticket
The client uses the PAC and Secure Ticket to request a Service Ticket from the TGS.
The TGS validates the PAC and Secure Ticket, ensuring the client’s roles and privileges are valid.
If the validation is successful, the TGS issues a Service Ticket specific to the requested service.
4. Accessing the Service
The client presents the Service Ticket and PAC to the Service Server (SS).
The SS verifies both the Service Ticket and PAC to determine if the client has the necessary permissions.
If the verification is successful, the client is granted access to the requested resource.
Technical Enhancements in SESAME
Public Key Infrastructure (PKI):
PKI replaces Kerberos’ symmetric key model for authentication, providing:
Scalability in managing keys across large, distributed systems.
Resistance to certain cryptographic attacks (e.g., brute force).
Better support for environments with multiple organizations or vendors.
Privilege Attribute Certificates (PACs):
PACs enhance access control by including detailed information about:
User identity.
Assigned roles and permissions.
Validity period and expiration times.
PACs are digitally signed to ensure integrity and prevent tampering.
Delegation of Authority:
SESAME allows for controlled delegation by attaching delegation attributes to PACs. This enables workflows where one user or process can temporarily perform tasks on behalf of another.
Multi-Vendor Interoperability:
SESAME’s modular design and use of standard protocols (e.g., X.509 for PKI) make it compatible with systems from different vendors.
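The PAC issuance in step 2 of the workflow and the Service Server checks in step 4, together with the PAC contents listed in this section, as an added Go example that is not part of the original post: the PACS signs the encoded attributes, and the SS verifies the signature before parsing anything, then the validity window against its own clock, then the role the service requires. The field names, the JSON encoding and the use of Ed25519 as the signature algorithm are assumptions for illustration; the page does not show SESAME's actual PAC format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// PAC carries what the text lists (identity, roles, validity window, delegation); names and JSON are illustrative.
type PAC struct {
	Subject, DelegatedBy string
	Roles                []string
	NotBefore, NotAfter  time.Time
}

// IssuePAC is the PACS step: encode the attributes and sign them with the PACS key.
func IssuePAC(pacsKey ed25519.PrivateKey, p PAC) (body, sig []byte, err error) {
	if body, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(pacsKey, body), nil
}

// VerifyPAC is the SS step: signature before parsing, then validity window, then role.
func VerifyPAC(pacsPub ed25519.PublicKey, body, sig []byte, now time.Time, role string) (p PAC, err error) {
	if !ed25519.Verify(pacsPub, body, sig) {
		return p, fmt.Errorf("PAC signature invalid")
	}
	if err = json.Unmarshal(body, &p); err != nil {
		return p, err
	}
	if now.Before(p.NotBefore) || now.After(p.NotAfter) {
		return p, fmt.Errorf("PAC outside validity window (check clock sync)")
	}
	for _, r := range p.Roles {
		if r == role {
			return p, nil
		}
	}
	return p, fmt.Errorf("role %q not granted by PAC", role)
}

func main() {
	pacsPub, pacsKey, _ := ed25519.GenerateKey(rand.Reader) // constructed PACS key pair
	body, sig, _ := IssuePAC(pacsKey, PAC{Subject: "alice", Roles: []string{"reader"}, NotAfter: time.Now().Add(8 * time.Hour)})
	_, err := VerifyPAC(pacsPub, body, sig, time.Now().Add(9*time.Hour), "reader") // SS clock past expiry
	fmt.Println(err)
}
```

Because the signature covers the whole encoded body, any change to the roles or validity fields after issuance fails the first check, and a PAC from a signer the SS does not trust is rejected the same way.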
Limitations of SESAME
Complexity:
SESAME’s reliance on PKI and PACs introduces additional complexity in deployment and management.
Performance Overhead:
The use of public key cryptography can be computationally expensive, particularly during the initial authentication phase.
Dependency on Time Synchronization:
Similar to Kerberos, SESAME requires tightly synchronized clocks between clients, servers, and PAC servers to prevent replay attacks.
Adoption and Compatibility:
Despite its advanced features, SESAME has not seen widespread adoption, primarily due to the global dominance of Kerberos and the complexity of SESAME’s setup.
Use Cases for SESAME
Heterogeneous Networks:
Large enterprises with diverse systems and multiple vendors benefit from SESAME’s interoperability and PKI support.
Role-Based Access Control:
Organizations requiring fine-grained access control based on user roles and permissions can leverage PACs for better control.
Delegation Workflows:
Scenarios involving delegation of authority, such as cloud computing and multi-organization collaborations, are well-suited for SESAME.