The Role of Kerberos in Identity Mgmt

1,760 views
1,633 views

Published on

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,760
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
72
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

The Role of Kerberos in Identity Mgmt

  1. 1. The Role of Kerberos in Identity Management Thomas Hardjono MIT Kerberos Consortium ISSA New England 26 January, 2010 www.kerberos.org © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
  2. 2. Introductions & Background • Kerberos v5 (RFC 4210) • MIT Kerberos Consortium • Release 1.7 & 1.8 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  3. 3. A Brief History of Kerberos  Kerberos was developed as the Authentication engine for MIT’s Project Athena in 1983, became IETF standard in 1993  MIT’s release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations  Kerberos now ships standard with all major operating systems  Apple, Red Hat, Microsoft, Sun, Ubuntu  Serves tens of millions of enterprise end users users at large organizations.  Microsoft has been using Kerberos as the default authentication package since Windows 2000”  Kerberos has been hugely successful © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  4. 4. Kerberos V5 Overview © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  5. 5. Kerberos Consortium: Goals • Provide leadership to the world community • Establish Kerberos as a universal authentication mechanism. • Make Kerberos appropriate for new environments. • Enable Kerberos across a plethora of endpoints. • Help developers integrate Kerberos. © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  6. 6. Kerberos Consortium Apple MIT Carnegie Mellon PistolStar Centrify Corporation Michigan State Cornell NASA The United States Pennsylvania State Department of Defense Stanford Duke University Sun Microsystems Red Hat TeamF1, Inc. Iowa State Google Microsoft University of Michigan © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  7. 7. Kerberos Rel 1.7 – June 2009 • Incremental propagation support • Removal of krb4 code • Kerberos Identity Management (KIM) API • Improved master key rollover / service key rollover • Enhanced error messages for GSS-API • Cross-platform CCAPI Windows • Collision avoidance for replay cache • FAST (pre-authentication) • Implement MS protocol extensions • Others © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  8. 8. Kerberos Rel 1.8 – March 2010 • Test-driven coding environment & code quality • Crypto modularity (cf. FIPS-140) • Improved API for authorization data • Support for service principal referrals • Disable single-DES by default • Improved enctype configuration • Lockout for repeated login failures • Trace logging for easier troubleshooting • FAST negotiation for ease of migration • Anonymous PKINIT - easier host key establish. • Services4User (S4U) enhancements in GSSAPI • Others © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  9. 9. Kerberos Today • Enterprise,B2B, B2C • Kerberos & Identity Infrastructure © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  10. 10. Intra-Enterprise Kerberos • Large presence of Kerberos in Enterprise space – AD, “AD-Clones”, MIT code base, Sun, Intel AMT • Desire to re-use Kerberos infra for web security – Increase security of web logins • Address authentication in Web-SSO – Simplification of security management • Require Kerberos integration into web systems – Web-services typically already a separate infrastructure – Kerberos administration must also be integrated into web systems – Unified management of infrastructures © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  11. 11. Kerberos for B2C & B2E Security • Forms/SSL primary authentication method: – Passwords, HTML Forms, no client certs – HTTP-Negotiate underutilized • Limitations to current version of HTTP-Nego/SPNEGO • B2E Web-SSO needs strong access control: – Intra-network services& business access only • Locally-scoped identities – HTTP-Negotiate deployed in many Enterprises • B2C Web-SSO a harder problem: – Need standard interfaces – Part of Identity Management problem – HTTP-Negotiate limitations (today) © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  12. 12. Kerberos Support in Web Browsers SPNEGO RFC4559 & RFC4178 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  13. 13. Identity Management • Common architecture in Liberty/SAML2.0 and OpenID • Authentication in Identity Systems © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  14. 14. Identity Management Today • Multiple proposals in the industry: – SAML2.0 (Liberty Alliance) – OpenID – CardSpace/InfoCard – Shibboleth 1.3 (in higher education) • Basic architecture are similar – Service Provider, Identity Provider, Client – Mostly neutral to authentication method used – Assumes password/forms as basic auth method • Issues/factors (lots): – Complexity of backend architecture – Credentials management – Enterprise vs. Consumer market (business case) – Federation & Trust – Lack of large-scale IdP as a trusted third party © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  15. 15. Basic Id Management Architecture © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  16. 16. Kerberos Authentication in SAML2.0 Systems • Interoperability with SAML • Web back-end security • Related work © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  17. 17. SAML2.0 Kerberos Web-Browser SSO • Kerberos Web Browser SSO Profile – Aim: Kerberos authentication within SAML2.0 systems & infrastructure – Draft specification in OASIS • Builds on existing SAML2.0 Web-SSO profile – Assumes User Agent is a Browser with HTTP • Uses HTTP-Negotiate/SPNEGO for authentication – Uses SAML Subject Confirmation method: • IdP issues SAML Assertions • Confirms the SAML attesting entity using Kerberos • Client must prove possession of Kerberos key © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  18. 18. Summary of SAML2.0 Web browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  19. 19. SAML2.0 Kerberos Web-Browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  20. 20. Kerberos Web Browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  21. 21. Other Related Work • TLS support for Kerberos (desirable): • Extend Pre-Shared Key cipher-suites for TLS • TLS key established using Kerberos mechanism exposed as a generic security service via GSS-API • Future effort • Other SAML related work at the MIT-KC: • Kerberos interoperability in WS-Federation systems • Oasis WS-Federation architecture • Kerberos to secure back-end web infrastructure • MIT-KC Whitepaper: • Towards Kerberizing Web Identity and Services http://www.kerberos.org/software/kerbweb.pdf © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  22. 22. Thank You & Questions © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  23. 23. Contact Information The MIT Kerberos Consortium 77 Massachusetts Avenue W92-152 Cambridge, MA 02139 USA Tel: 617.715.2451 Fax: 617.258.3976 Thomas Hardjono Lead Technologist & Strategic Advisor Web: www.kerberos.org MIT Kerberos Consortium Lead Technologist & Strategic Advisor Thomas Hardjono(hardjono@mit.edu) Mobile: +1 781-729-9559 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010

×