The Role of Kerberos in Identity Management
                      Thomas Hardjono
                   MIT Kerberos Consortium

                   ISSA New England
                    26 January, 2010


www.kerberos.org      © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
Introductions & Background
• Kerberos v5 (RFC 4210)
• MIT Kerberos Consortium
• Release 1.7 & 1.8




                     © 2009 The MIT Kerberos Consortium. All Rights Reserved.
www.kerberos.org                                                                         26 Jan 2010
A Brief History of Kerberos
• Kerberos was developed as the authentication engine for MIT's Project Athena in 1983 and became an IETF standard in 1993
• MIT's release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations
• Kerberos now ships standard with all major operating systems
  – Apple, Red Hat, Microsoft, Sun, Ubuntu
• Serves tens of millions of enterprise end users at large organizations
  – Microsoft has been using Kerberos as the default authentication package since Windows 2000
• Kerberos has been hugely successful


Kerberos V5 Overview




Kerberos Consortium: Goals
• Provide leadership to the world
  community
• Establish Kerberos as a universal
  authentication mechanism.
• Make Kerberos appropriate for new
  environments.
• Enable Kerberos across a plethora of
  endpoints.
• Help developers integrate Kerberos.

Kerberos Consortium
• Apple
• Carnegie Mellon
• Centrify Corporation
• Cornell
• The United States Department of Defense
• Duke University
• Red Hat
• Iowa State
• Microsoft
• MIT
• PistolStar
• Michigan State
• NASA
• Pennsylvania State
• Stanford
• Sun Microsystems
• TeamF1, Inc.
• Google
• University of Michigan

Kerberos Rel 1.7 – June 2009
• Incremental propagation support
• Removal of krb4 code
• Kerberos Identity Management (KIM) API
• Improved master key rollover / service key rollover
• Enhanced error messages for GSS-API
• Cross-platform CCAPI Windows
• Collision avoidance for replay cache
• FAST (pre-authentication)
• Implement MS protocol extensions
• Others

Kerberos Rel 1.8 – March 2010
• Test-driven coding environment & code quality
• Crypto modularity (cf. FIPS-140)
• Improved API for authorization data
• Support for service principal referrals
• Disable single-DES by default
• Improved enctype configuration
• Lockout for repeated login failures
• Trace logging for easier troubleshooting
• FAST negotiation for ease of migration
• Anonymous PKINIT: easier host key establishment
• Services4User (S4U) enhancements in GSSAPI
• Others
Kerberos Today
• Enterprise, B2B, B2C
• Kerberos & Identity Infrastructure




Intra-Enterprise Kerberos
• Large presence of Kerberos in Enterprise space
  – AD, “AD-Clones”, MIT code base, Sun, Intel AMT
• Desire to re-use Kerberos infra for web security
  – Increase security of web logins
     • Address authentication in Web-SSO
  – Simplification of security management
• Require Kerberos integration into web systems
  – Web-services typically already a separate
    infrastructure
  – Kerberos administration must also be integrated into
    web systems
  – Unified management of infrastructures

Kerberos for B2C & B2E Security
• Forms/SSL primary authentication method:
  – Passwords, HTML Forms, no client certs
  – HTTP-Negotiate underutilized
     • Limitations to current version of HTTP-Nego/SPNEGO
• B2E Web-SSO needs strong access control:
  – Intra-network services & business access only
     • Locally-scoped identities
  – HTTP-Negotiate deployed in many Enterprises
• B2C Web-SSO a harder problem:
  – Need standard interfaces
  – Part of Identity Management problem
  – HTTP-Negotiate limitations (today)

Kerberos Support in Web Browsers

[Figure: browser support for HTTP-Negotiate; labelled SPNEGO, RFC 4559 & RFC 4178]
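As an added example (not code from the slides or from the Consortium): a browser's answer to a WWW-Authenticate: Negotiate challenge carries a base64 SPNEGO NegTokenInit (RFC 4178) in the Authorization header (RFC 4559). The code below builds a constructed token and parses it back, so a service can see which mechanisms the client offered and flag a client that offers only NTLM rather than Kerberos. The OIDs are the registered GSS-API mechanism identifiers; the DER helpers, function names and the sample mechToken bytes are this example's own assumptions.

```python
import base64

# Registered GSS-API mechanism OIDs (RFC 4178, RFC 1964, Microsoft); not from the slides
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KRB5_OID, MS_KRB5_OID}

def _der_len(n):
    # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))

def build_neg_token_init(mechs, mech_token=b""):
    """Constructed NegTokenInit (RFC 4178 s.4.2) inside the GSS-API
    InitialContextToken framing (RFC 2743 s.3.1), as a browser sends it."""
    fields = _der_tlv(0xA0, _der_tlv(0x30, b"".join(map(_der_oid, mechs))))
    if mech_token:  # mechToken [2]: the optimistic first mechanism's token
        fields += _der_tlv(0xA2, _der_tlv(0x04, mech_token))
    neg_token = _der_tlv(0xA0, _der_tlv(0x30, fields))  # negTokenInit [0]
    return _der_tlv(0x60, _der_oid(SPNEGO_OID) + neg_token)  # [APPLICATION 0]

def negotiate_header(token):
    """Authorization header value as defined by RFC 4559."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element at pos; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        k = first & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER body")
    return tag, body, pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_negotiate_header(header_value):
    """Parse an 'Authorization: Negotiate <base64>' value and report
    which mechanisms the client offered in its NegTokenInit."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not an RFC 4559 Negotiate credential")
    tag, outer, _ = _read_tlv(base64.b64decode(b64, validate=True), 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(outer, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("token mechanism is not SPNEGO")
    tag, choice, _ = _read_tlv(outer, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit")
    _, seq, _ = _read_tlv(choice, 0)
    mechs, has_mech_token, pos = [], False, 0
    while pos < len(seq):
        tag, field, pos = _read_tlv(seq, pos)
        if tag == 0xA0:  # mechTypes [0]: SEQUENCE OF OID, preferred first
            _, lst, _ = _read_tlv(field, 0)
            p = 0
            while p < len(lst):
                _, oid, p = _read_tlv(lst, p)
                mechs.append(_decode_oid(oid))
        elif tag == 0xA2:  # mechToken [2]
            has_mech_token = True
    return {
        "mechs": mechs,
        "offers_kerberos": any(m in KERBEROS_MECHS for m in mechs),
        "has_mech_token": has_mech_token,
        # an NTLM-only offer is the fallback case a Kerberos-only policy should reject
        "ntlm_only": bool(mechs) and set(mechs) == {NTLMSSP_OID},
    }
```

Real browser tokens also carry the Kerberos AP-REQ as mechToken; here it is only a constructed byte string, so the example shows mechanism negotiation, not ticket validation.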


Identity Management
• Common architecture in Liberty/SAML2.0 and OpenID
• Authentication in Identity Systems



Identity Management Today
• Multiple proposals in the industry:
  – SAML2.0 (Liberty Alliance)
  – OpenID
  – CardSpace/InfoCard
  – Shibboleth 1.3 (in higher education)
• Basic architectures are similar:
  – Service Provider, Identity Provider, Client
  – Mostly neutral to the authentication method used
  – Assumes password/forms as the basic auth method
• Issues/factors (lots):
  – Complexity of backend architecture
  – Credentials management
  – Enterprise vs. Consumer market (business case)
  – Federation & Trust
  – Lack of large-scale IdP as a trusted third party

Basic Id Management Architecture




Kerberos Authentication in SAML2.0 Systems
• Interoperability with SAML
• Web back-end security
• Related work



SAML2.0 Kerberos Web-Browser SSO
• Kerberos Web Browser SSO Profile
  – Aim: Kerberos authentication within SAML2.0
    systems & infrastructure
  – Draft specification in OASIS
    • Builds on existing SAML2.0 Web-SSO profile
  – Assumes User Agent is a Browser with HTTP
    • Uses HTTP-Negotiate/SPNEGO for authentication
  – Uses SAML Subject Confirmation method:
    • IdP issues SAML Assertions
    • Confirms the SAML attesting entity using Kerberos
    • Client must prove possession of Kerberos key

Summary of SAML2.0 Web browser SSO




SAML2.0 Kerberos Web-Browser SSO




Kerberos Web Browser SSO




Other Related Work
• TLS support for Kerberos (desirable):
  – Extend Pre-Shared Key cipher-suites for TLS
  – TLS key established using the Kerberos mechanism, exposed as a generic security service via GSS-API
  – Future effort
• Other SAML related work at the MIT-KC:
  – Kerberos interoperability in WS-Federation systems
    • OASIS WS-Federation architecture
  – Kerberos to secure back-end web infrastructure
• MIT-KC Whitepaper:
  – Towards Kerberizing Web Identity and Services
    http://www.kerberos.org/software/kerbweb.pdf


Thank You & Questions




Contact Information

The MIT Kerberos Consortium
77 Massachusetts Avenue
W92-152
Cambridge, MA 02139 USA

Tel: 617.715.2451
Fax: 617.258.3976

Thomas Hardjono
Lead Technologist & Strategic Advisor
hardjono@mit.edu
Mobile: +1 781-729-9559

Web: www.kerberos.org





The Role of Kerberos in Identity Mgmt

  • 1. The Role of Kerberos in Identity Management Thomas Hardjono MIT Kerberos Consortium ISSA New England 26 January, 2010 www.kerberos.org © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
  • 2. Introductions & Background • Kerberos v5 (RFC 4210) • MIT Kerberos Consortium • Release 1.7 & 1.8 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 3. A Brief History of Kerberos  Kerberos was developed as the Authentication engine for MIT’s Project Athena in 1983, became IETF standard in 1993  MIT’s release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations  Kerberos now ships standard with all major operating systems  Apple, Red Hat, Microsoft, Sun, Ubuntu  Serves tens of millions of enterprise end users users at large organizations.  Microsoft has been using Kerberos as the default authentication package since Windows 2000”  Kerberos has been hugely successful © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 4. Kerberos V5 Overview © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 5. Kerberos Consortium: Goals • Provide leadership to the world community • Establish Kerberos as a universal authentication mechanism. • Make Kerberos appropriate for new environments. • Enable Kerberos across a plethora of endpoints. • Help developers integrate Kerberos. © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
6. Kerberos Consortium
Apple, MIT, Carnegie Mellon, PistolStar, Centrify Corporation, Michigan State, Cornell, NASA, The United States Department of Defense, Pennsylvania State, Stanford, Duke University, Sun Microsystems, Red Hat, TeamF1, Inc., Iowa State, Google, Microsoft, University of Michigan

7. Kerberos Rel 1.7 – June 2009
• Incremental propagation support
• Removal of krb4 code
• Kerberos Identity Management (KIM) API
• Improved master key rollover / service key rollover
• Enhanced error messages for GSS-API
• Cross-platform CCAPI Windows
• Collision avoidance for replay cache
• FAST (pre-authentication)
• Implement MS protocol extensions
• Others

8. Kerberos Rel 1.8 – March 2010
• Test-driven coding environment & code quality
• Crypto modularity (cf. FIPS-140)
• Improved API for authorization data
• Support for service principal referrals
• Disable single-DES by default
• Improved enctype configuration
• Lockout for repeated login failures
• Trace logging for easier troubleshooting
• FAST negotiation for ease of migration
• Anonymous PKINIT – easier host key establishment
• Services4User (S4U) enhancements in GSSAPI
• Others

9. Kerberos Today
• Enterprise, B2B, B2C
• Kerberos & Identity Infrastructure

10. Intra-Enterprise Kerberos
• Large presence of Kerberos in Enterprise space
  – AD, “AD-Clones”, MIT code base, Sun, Intel AMT
• Desire to re-use Kerberos infra for web security
  – Increase security of web logins
• Address authentication in Web-SSO
  – Simplification of security management
• Require Kerberos integration into web systems
  – Web-services typically already a separate infrastructure
  – Kerberos administration must also be integrated into web systems
  – Unified management of infrastructures

11. Kerberos for B2C & B2E Security
• Forms/SSL primary authentication method:
  – Passwords, HTML Forms, no client certs
  – HTTP-Negotiate underutilized
  – Limitations to current version of HTTP-Nego/SPNEGO
• B2E Web-SSO needs strong access control:
  – Intra-network services & business access only
  – Locally-scoped identities
  – HTTP-Negotiate deployed in many Enterprises
• B2C Web-SSO a harder problem:
  – Need standard interfaces
  – Part of Identity Management problem
  – HTTP-Negotiate limitations (today)

12. Kerberos Support in Web Browsers
SPNEGO: RFC 4559 & RFC 4178
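The HTTP-Negotiate exchange of slides 11 and 12 can be checked on the server or proxy side: RFC 4559 carries a base64 GSS-API token in the Authorization header, and the mechanism OID at the front of that token (RFC 4178 for SPNEGO) tells a defender whether the browser actually presented Kerberos or fell back to a raw NTLMSSP blob. This is an added example, not code from the slides or the MIT Kerberos Consortium; `build_sample_token` and the header values are constructed test data.

```python
import base64

# Mechanism OIDs seen in HTTP Negotiate tokens (RFC 4559); SPNEGO (RFC 4178)
# is the outer wrapper, Kerberos V5 is the mechanism the slides aim for.
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
}

def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n following bytes
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(raw):
    """Convert DER OID content bytes to dotted notation (first arc 0 or 1)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(header_value):
    """Name the mechanism in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not an HTTP Negotiate credential")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM: no Kerberos involved
        return "NTLMSSP (raw, no Kerberos)"
    if not token or token[0] != 0x60:      # GSS-API InitialContextToken tag
        raise ValueError("not a GSS-API InitialContextToken")
    _, pos = _der_length(token, 1)
    if token[pos] != 0x06:                 # OBJECT IDENTIFIER tag
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_length(token, pos + 1)
    oid = _decode_oid(token[pos:pos + oid_len])
    return MECH_OIDS.get(oid, "unknown mechanism " + oid)

def build_sample_token(oid_bytes, inner=b"\x00"):
    """Constructed test data only: GSS-API framing around a placeholder token."""
    body = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + inner
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
```

A Negotiate header that decodes to NTLMSSP rather than SPNEGO/Kerberos is the fallback the slides' "HTTP-Negotiate underutilized" point refers to, and is worth alerting on in a deployment meant to be Kerberos-only.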
13. Identity Management
• Common architecture in Liberty/SAML2.0 and OpenID
• Authentication in Identity Systems

14. Identity Management Today
• Multiple proposals in the industry:
  – SAML2.0 (Liberty Alliance)
  – OpenID
  – CardSpace/InfoCard
  – Shibboleth 1.3 (in higher education)
• Basic architectures are similar
  – Service Provider, Identity Provider, Client
  – Mostly neutral to authentication method used
  – Assumes password/forms as basic auth method
• Issues/factors (lots):
  – Complexity of backend architecture
  – Credentials management
  – Enterprise vs. Consumer market (business case)
  – Federation & Trust
  – Lack of large-scale IdP as a trusted third party

15. Basic Id Management Architecture

16. Kerberos Authentication in SAML2.0 Systems
• Interoperability with SAML
• Web back-end security
• Related work

17. SAML2.0 Kerberos Web-Browser SSO
• Kerberos Web Browser SSO Profile
  – Aim: Kerberos authentication within SAML2.0 systems & infrastructure
  – Draft specification in OASIS
• Builds on existing SAML2.0 Web-SSO profile
  – Assumes User Agent is a Browser with HTTP
  – Uses HTTP-Negotiate/SPNEGO for authentication
• Uses SAML Subject Confirmation method:
  – IdP issues SAML Assertions
  – Confirms the SAML attesting entity using Kerberos
  – Client must prove possession of Kerberos key

18. Summary of SAML2.0 Web Browser SSO

19. SAML2.0 Kerberos Web-Browser SSO

20. Kerberos Web Browser SSO

21. Other Related Work
• TLS support for Kerberos (desirable):
  – Extend Pre-Shared Key cipher-suites for TLS
  – TLS key established using Kerberos mechanism exposed as a generic security service via GSS-API
  – Future effort
• Other SAML related work at the MIT-KC:
  – Kerberos interoperability in WS-Federation systems
  – OASIS WS-Federation architecture
  – Kerberos to secure back-end web infrastructure
• MIT-KC Whitepaper:
  – Towards Kerberizing Web Identity and Services, http://www.kerberos.org/software/kerbweb.pdf

22. Thank You & Questions

23. Contact Information
The MIT Kerberos Consortium
77 Massachusetts Avenue W92-152
Cambridge, MA 02139 USA
Tel: 617.715.2451
Fax: 617.258.3976
Web: www.kerberos.org
Thomas Hardjono, Lead Technologist & Strategic Advisor
hardjono@mit.edu
Mobile: +1 781-729-9559