SlideShare a Scribd company logo

Kerberos at Penn (MIT Kerberos Consortium)

Shumon Huque
Shumon Huque

Kerberos at Penn; Shumon Huque; MIT Kerberos Consortium meeting; October 2010

Technology
1 of 12
Download to read offline
• Shumon Huque, University of Pennsylvania • Dennis Taylor, NASA • Matt Selsky, Columbia University • Dominic Hargreaves, Oxford University Panel Kerberos in the Knowledge Enterprise 1
Kerberos at Penn Shumon Huque University of Pennsylvania Kerberos Conference, October 27th 2010 Massachusetts Institute of Technology Cambridge, Massachusetts, USA 2
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT University of Pennsylvania • Founded 1740, Philadelphia, PA • 24,000 students, 4,000 faculty, 12,000 staff • 50,000 IP addresses in use • Some central and many decentralized IT units 3
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Kerberos Deployment • Initial deployment: 2000 through 2002 • Replaced legacy homegrown system • Campus-wide KDCs: MIT Kerberos 1.5.x • (Some) departmental windows servers do (1-way) cross realm authentication • Custom IDM/account management tools 4
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Native Kerberos vs. PasswordVerification • We’ve spent a significant amount of time and energy trying to influence large scale use of native Kerberos authentication. • Some successes but numerous failures. It’s difficult to do this in an environment of heteregenous, unmanaged computers. • A number of application protocols (and their popular implementations) still don’t have good support for Kerberos. 5
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Intermediate systems • RADIUS • primarily to support EAP-TTLS-PAP • Web Single-SignOn: CoSign (UMich) • Federation: Shibboleth (via CoSign) • Authenticated LDAP • This is for authenticated access to our online directory.We strongly discourage using this for application authentication. 6
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Kerberos for the Web • Made several attempts in this area over the years, but has not gained (much) traction • SPNEGO/HTTP Negotiate (+ SSL for channel protection) • KX.509 (from Univ of Michigan) - Kerberos to short term X.509 credentials • Need: widespread support and adoption; official IETF standards 7
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Multi-factor • Investigated and piloted (no production): • CRYPTOcard • RSA SecurID • Integration options: • Kerberos pre-authentication step • 2nd input to web SSO systems 8
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Authorization systems • Kerberos: authentication only • Applications need to consult separate authz infrastructure (ours is based on the Internet2 Grouper system) • Many windows systems also use their usual methods (Authz data/PAC etc) for additional local policies 9
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Near term enhancements • Upgrade to recent version of MIT code • Adapt local changes to plug-in framework • Test FAST (protect AS exch from offline dict attack) • Incremental propagation • LDAP back-end & multi-master (investigation) • Migration -> stronger encryption types 10
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Wants, hopes, desires? • (Better) Native Kerberos for HTTP • EAP method (wireless/802.1x authn) • IPsec (does anyone use/implement KINK, GSS-IKE etc?) • VoIP (SIP etc) • Kerberos on mobile devices • Multi-factor 11
Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Questions? Shumon Huque shuque@upenn.edu 12

Recommended

Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 
Kerberos part 2
Kerberos part 2Kerberos part 2
Kerberos part 2Spencer Harbar
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to KerberosShumon Huque
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
kerberos
kerberoskerberos
kerberossameer farooq
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication ProtocolBibek Subedi
 

Recommended

Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 
Kerberos part 2
Kerberos part 2Kerberos part 2
Kerberos part 2Spencer Harbar
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to KerberosShumon Huque
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
kerberos
kerberoskerberos
kerberossameer farooq
 
Kerberos Authentication Protocol
Kerberos Authentication ProtocolKerberos Authentication Protocol
Kerberos Authentication ProtocolBibek Subedi
 
Authorization at Penn
Authorization at PennAuthorization at Penn
Authorization at PennShumon Huque
 
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...bdemchak
 
Network research
Network researchNetwork research
Network researchJisc
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewThang Man
 
Container Networking Challenges for Production Readiness
Container Networking Challenges for Production ReadinessContainer Networking Challenges for Production Readiness
Container Networking Challenges for Production ReadinessVipin Jain
 
Production Challenges for Container Networking
Production Challenges for Container NetworkingProduction Challenges for Container Networking
Production Challenges for Container NetworkingVipin Jain
 
Supporting Research through "Desktop as a Service" models of e-infrastructure...
Supporting Research through "Desktop as a Service" models of e-infrastructure...Supporting Research through "Desktop as a Service" models of e-infrastructure...
Supporting Research through "Desktop as a Service" models of e-infrastructure...David Wallom
 
The Future of Semantics on the Web
The Future of Semantics on the WebThe Future of Semantics on the Web
The Future of Semantics on the WebJohn Domingue
 
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin Kidd
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin KiddAlma, the Cloud & the Evolution of the Library Systems Department - Kevin Kidd
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin KiddKevin Kidd
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 
DDS tutorial with connector
DDS tutorial with connectorDDS tutorial with connector
DDS tutorial with connectorJavier Povedano
 
Introduction to Globus - XSEDE14 Tutorial
Introduction to Globus - XSEDE14 TutorialIntroduction to Globus - XSEDE14 Tutorial
Introduction to Globus - XSEDE14 TutorialGlobus
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
Schwartz ez proxy-logs
Schwartz ez proxy-logsSchwartz ez proxy-logs
Schwartz ez proxy-logsENUG
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfInfosec train
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentpriyanshamadhwal2
 
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...Ray Schwartz
 
2006 bio it web services
2006 bio it web services2006 bio it web services
2006 bio it web servicesChris Dwan
 
Bharath Venkatesh Resume
Bharath Venkatesh ResumeBharath Venkatesh Resume
Bharath Venkatesh ResumeBharath Venkatesh
 
DANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSDANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSShumon Huque
 
Client Certificates in DANE TLSA Records
Client Certificates in DANE TLSA RecordsClient Certificates in DANE TLSA Records
Client Certificates in DANE TLSA RecordsShumon Huque
 

More Related Content

Similar to Kerberos at Penn (MIT Kerberos Consortium)

Authorization at Penn
Authorization at PennAuthorization at Penn
Authorization at PennShumon Huque
 
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...bdemchak
 
Network research
Network researchNetwork research
Network researchJisc
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewThang Man
 
Container Networking Challenges for Production Readiness
Container Networking Challenges for Production ReadinessContainer Networking Challenges for Production Readiness
Container Networking Challenges for Production ReadinessVipin Jain
 
Production Challenges for Container Networking
Production Challenges for Container NetworkingProduction Challenges for Container Networking
Production Challenges for Container NetworkingVipin Jain
 
Supporting Research through "Desktop as a Service" models of e-infrastructure...
Supporting Research through "Desktop as a Service" models of e-infrastructure...Supporting Research through "Desktop as a Service" models of e-infrastructure...
Supporting Research through "Desktop as a Service" models of e-infrastructure...David Wallom
 
The Future of Semantics on the Web
The Future of Semantics on the WebThe Future of Semantics on the Web
The Future of Semantics on the WebJohn Domingue
 
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin Kidd
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin KiddAlma, the Cloud & the Evolution of the Library Systems Department - Kevin Kidd
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin KiddKevin Kidd
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 
DDS tutorial with connector
DDS tutorial with connectorDDS tutorial with connector
DDS tutorial with connectorJavier Povedano
 
Introduction to Globus - XSEDE14 Tutorial
Introduction to Globus - XSEDE14 TutorialIntroduction to Globus - XSEDE14 Tutorial
Introduction to Globus - XSEDE14 TutorialGlobus
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
Schwartz ez proxy-logs
Schwartz ez proxy-logsSchwartz ez proxy-logs
Schwartz ez proxy-logsENUG
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfInfosec train
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentpriyanshamadhwal2
 
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...Ray Schwartz
 
2006 bio it web services
2006 bio it web services2006 bio it web services
2006 bio it web servicesChris Dwan
 

Similar to Kerberos at Penn (MIT Kerberos Consortium) (20)

Authorization at Penn
Authorization at PennAuthorization at Penn
Authorization at Penn
 
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
 
Network research
Network researchNetwork research
Network research
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical Overview
 
Container Networking Challenges for Production Readiness
Container Networking Challenges for Production ReadinessContainer Networking Challenges for Production Readiness
Container Networking Challenges for Production Readiness
 
Production Challenges for Container Networking
Production Challenges for Container NetworkingProduction Challenges for Container Networking
Production Challenges for Container Networking
 
Supporting Research through "Desktop as a Service" models of e-infrastructure...
Supporting Research through "Desktop as a Service" models of e-infrastructure...Supporting Research through "Desktop as a Service" models of e-infrastructure...
Supporting Research through "Desktop as a Service" models of e-infrastructure...
 
The Future of Semantics on the Web
The Future of Semantics on the WebThe Future of Semantics on the Web
The Future of Semantics on the Web
 
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin Kidd
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin KiddAlma, the Cloud & the Evolution of the Library Systems Department - Kevin Kidd
Alma, the Cloud & the Evolution of the Library Systems Department - Kevin Kidd
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
 
DDS tutorial with connector
DDS tutorial with connectorDDS tutorial with connector
DDS tutorial with connector
 
Introduction to Globus - XSEDE14 Tutorial
Introduction to Globus - XSEDE14 TutorialIntroduction to Globus - XSEDE14 Tutorial
Introduction to Globus - XSEDE14 Tutorial
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
Schwartz ez proxy-logs
Schwartz ez proxy-logsSchwartz ez proxy-logs
Schwartz ez proxy-logs
 
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdfAdvanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf
 
Advanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_contentAdvanced-Penetration-Testing_course_content
Advanced-Penetration-Testing_course_content
 
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...
Application of EZProxy logs, Voyager’s Patron Database, MySQL, and ColdFusion...
 
2006 bio it web services
2006 bio it web services2006 bio it web services
2006 bio it web services
 
Bharath Venkatesh Resume
Bharath Venkatesh ResumeBharath Venkatesh Resume
Bharath Venkatesh Resume
 

More from Shumon Huque

DANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSDANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSShumon Huque
 
Client Certificates in DANE TLSA Records
Client Certificates in DANE TLSA RecordsClient Certificates in DANE TLSA Records
Client Certificates in DANE TLSA RecordsShumon Huque
 
Query-name Minimization and Authoritative Server Behavior
Query-name Minimization and Authoritative Server BehaviorQuery-name Minimization and Authoritative Server Behavior
Query-name Minimization and Authoritative Server BehaviorShumon Huque
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
Hands-on getdns Tutorial
Hands-on getdns TutorialHands-on getdns Tutorial
Hands-on getdns TutorialShumon Huque
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013Shumon Huque
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
IPv6 Transition in Research & Education
IPv6 Transition in Research & EducationIPv6 Transition in Research & Education
IPv6 Transition in Research & EducationShumon Huque
 
IPv6 Deployment Panel
IPv6 Deployment PanelIPv6 Deployment Panel
IPv6 Deployment PanelShumon Huque
 
A survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E CommunityA survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E CommunityShumon Huque
 
World IPv6 Launch at Penn
World IPv6 Launch at PennWorld IPv6 Launch at Penn
World IPv6 Launch at PennShumon Huque
 
IPv6 Security Panel (U of Penn)
IPv6 Security Panel (U of Penn)IPv6 Security Panel (U of Penn)
IPv6 Security Panel (U of Penn)Shumon Huque
 
Open Source VoIP at Penn
Open Source VoIP at PennOpen Source VoIP at Penn
Open Source VoIP at PennShumon Huque
 
.EDU DNSSEC Testbed - Lessons Learned
.EDU DNSSEC Testbed - Lessons Learned.EDU DNSSEC Testbed - Lessons Learned
.EDU DNSSEC Testbed - Lessons LearnedShumon Huque
 
IPv6 Campus Deployment Panel
IPv6 Campus Deployment PanelIPv6 Campus Deployment Panel
IPv6 Campus Deployment PanelShumon Huque
 
.EDU DNSSEC Testbed
.EDU DNSSEC Testbed.EDU DNSSEC Testbed
.EDU DNSSEC TestbedShumon Huque
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC PilotShumon Huque
 

More from Shumon Huque (20)

DANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSDANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLS
 
Client Certificates in DANE TLSA Records
Client Certificates in DANE TLSA RecordsClient Certificates in DANE TLSA Records
Client Certificates in DANE TLSA Records
 
Query-name Minimization and Authoritative Server Behavior
Query-name Minimization and Authoritative Server BehaviorQuery-name Minimization and Authoritative Server Behavior
Query-name Minimization and Authoritative Server Behavior
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
Hands-on getdns Tutorial
Hands-on getdns TutorialHands-on getdns Tutorial
Hands-on getdns Tutorial
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013IPv6 Tutorial; USENIX LISA 2013
IPv6 Tutorial; USENIX LISA 2013
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
IPv6 Transition in Research & Education
IPv6 Transition in Research & EducationIPv6 Transition in Research & Education
IPv6 Transition in Research & Education
 
IPv6 Deployment Panel
IPv6 Deployment PanelIPv6 Deployment Panel
IPv6 Deployment Panel
 
A survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E CommunityA survey of DNSSEC Deployment in the US R&E Community
A survey of DNSSEC Deployment in the US R&E Community
 
World IPv6 Launch at Penn
World IPv6 Launch at PennWorld IPv6 Launch at Penn
World IPv6 Launch at Penn
 
IPv6 Security Panel (U of Penn)
IPv6 Security Panel (U of Penn)IPv6 Security Panel (U of Penn)
IPv6 Security Panel (U of Penn)
 
Open Source VoIP at Penn
Open Source VoIP at PennOpen Source VoIP at Penn
Open Source VoIP at Penn
 
.EDU DNSSEC Testbed - Lessons Learned
.EDU DNSSEC Testbed - Lessons Learned.EDU DNSSEC Testbed - Lessons Learned
.EDU DNSSEC Testbed - Lessons Learned
 
IPv6 Campus Deployment Panel
IPv6 Campus Deployment PanelIPv6 Campus Deployment Panel
IPv6 Campus Deployment Panel
 
.EDU DNSSEC Testbed
.EDU DNSSEC Testbed.EDU DNSSEC Testbed
.EDU DNSSEC Testbed
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at Penn
 
PennNet and MAGPI
PennNet and MAGPIPennNet and MAGPI
PennNet and MAGPI
 
Internet2 DNSSEC Pilot
Internet2 DNSSEC PilotInternet2 DNSSEC Pilot
Internet2 DNSSEC Pilot
 

Recently uploaded

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Recently uploaded (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Kerberos at Penn (MIT Kerberos Consortium)

  • 1. • Shumon Huque, University of Pennsylvania • Dennis Taylor, NASA • Matt Selsky, Columbia University • Dominic Hargreaves, Oxford University Panel Kerberos in the Knowledge Enterprise 1
  • 2. Kerberos at Penn Shumon Huque University of Pennsylvania Kerberos Conference, October 27th 2010 Massachusetts Institute of Technology Cambridge, Massachusetts, USA 2
  • 3. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT University of Pennsylvania • Founded 1740, Philadelphia, PA • 24,000 students, 4,000 faculty, 12,000 staff • 50,000 IP addresses in use • Some central and many decentralized IT units 3
  • 4. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Kerberos Deployment • Initial deployment: 2000 through 2002 • Replaced legacy homegrown system • Campus-wide KDCs: MIT Kerberos 1.5.x • (Some) departmental windows servers do (1-way) cross realm authentication • Custom IDM/account management tools 4
  • 5. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Native Kerberos vs. PasswordVerification • We’ve spent a significant amount of time and energy trying to influence large scale use of native Kerberos authentication. • Some successes but numerous failures. It’s difficult to do this in an environment of heteregenous, unmanaged computers. • A number of application protocols (and their popular implementations) still don’t have good support for Kerberos. 5
  • 6. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Intermediate systems • RADIUS • primarily to support EAP-TTLS-PAP • Web Single-SignOn: CoSign (UMich) • Federation: Shibboleth (via CoSign) • Authenticated LDAP • This is for authenticated access to our online directory.We strongly discourage using this for application authentication. 6
  • 7. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Kerberos for the Web • Made several attempts in this area over the years, but has not gained (much) traction • SPNEGO/HTTP Negotiate (+ SSL for channel protection) • KX.509 (from Univ of Michigan) - Kerberos to short term X.509 credentials • Need: widespread support and adoption; official IETF standards 7
  • 8. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Multi-factor • Investigated and piloted (no production): • CRYPTOcard • RSA SecurID • Integration options: • Kerberos pre-authentication step • 2nd input to web SSO systems 8
  • 9. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Authorization systems • Kerberos: authentication only • Applications need to consult separate authz infrastructure (ours is based on the Internet2 Grouper system) • Many windows systems also use their usual methods (Authz data/PAC etc) for additional local policies 9
  • 10. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Near term enhancements • Upgrade to recent version of MIT code • Adapt local changes to plug-in framework • Test FAST (protect AS exch from offline dict attack) • Incremental propagation • LDAP back-end & multi-master (investigation) • Migration -> stronger encryption types 10
  • 11. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Wants, hopes, desires? • (Better) Native Kerberos for HTTP • EAP method (wireless/802.1x authn) • IPsec (does anyone use/implement KINK, GSS-IKE etc?) • VoIP (SIP etc) • Kerberos on mobile devices • Multi-factor 11
  • 12. Kerberos at Penn, October 27th 2010, Kerberos Conference, MIT Questions? Shumon Huque shuque@upenn.edu 12