The Role of Kerberos in Identity Management
Thomas Hardjono
MIT Kerberos Consortium

ISSA New England
26 January, 2010


www.kerberos.org      © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
Introductions & Background
• Kerberos v5 (RFC 4120)
• MIT Kerberos Consortium
• Release 1.7 & 1.8




© 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
A Brief History of Kerberos
• Kerberos was developed as the authentication engine for MIT's Project Athena in 1983 and became an IETF standard in 1993
• MIT's release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations
• Kerberos now ships standard with all major operating systems
  – Apple, Red Hat, Microsoft, Sun, Ubuntu
• Serves tens of millions of enterprise end users at large organizations
  – Microsoft has used Kerberos as the default authentication package since Windows 2000
• Kerberos has been hugely successful


Kerberos V5 Overview




Kerberos Consortium: Goals
• Provide leadership to the world community
• Establish Kerberos as a universal authentication mechanism.
• Make Kerberos appropriate for new environments.
• Enable Kerberos across a plethora of endpoints.
• Help developers integrate Kerberos.

Kerberos Consortium
Apple
Carnegie Mellon
Centrify Corporation
Cornell
The United States Department of Defense
Duke University
Red Hat
Iowa State
Microsoft
MIT
PistolStar
Michigan State
NASA
Pennsylvania State
Stanford
Sun Microsystems
TeamF1, Inc.
Google
University of Michigan

Kerberos Rel 1.7 – June 2009
• Incremental propagation support
• Removal of krb4 code
• Kerberos Identity Management (KIM) API
• Improved master key rollover / service key rollover
• Enhanced error messages for GSS-API
• Cross-platform CCAPI Windows
• Collision avoidance for replay cache
• FAST (pre-authentication)
• Implement MS protocol extensions
• Others

Kerberos Rel 1.8 – March 2010
• Test-driven coding environment & code quality
• Crypto modularity (cf. FIPS-140)
• Improved API for authorization data
• Support for service principal referrals
• Disable single-DES by default
• Improved enctype configuration
• Lockout for repeated login failures
• Trace logging for easier troubleshooting
• FAST negotiation for ease of migration
• Anonymous PKINIT – easier host key establishment
• Services4User (S4U) enhancements in GSS-API
• Others
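The two 1.8 items "Disable single-DES by default" and "Improved enctype configuration" land in krb5.conf. The fragment below is an added illustration, not from the deck: in MIT krb5 the single-DES behaviour is governed by the allow_weak_crypto setting in [libdefaults], and the enctype lists pin what clients will request. The realm name and the decision to allow only AES are assumptions for the example; the weak line is shown commented out so the contrast is visible.

```ini
# Added example (not from the slides). [libdefaults] section of krb5.conf.
[libdefaults]
    default_realm = EXAMPLE.ORG          # constructed realm name

    # Weak setting: re-enables the single-DES enctypes that release 1.8 refuses by default.
    # allow_weak_crypto = true

    # Corrected setting: keep the 1.8 default explicit, and pin the enctypes
    # so that a client never offers DES even against an older KDC.
    allow_weak_crypto = false
    permitted_enctypes    = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes  = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes  = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

Before rolling this out, check that every service principal has AES keys in the KDC (a service whose only keys are DES will stop authenticating once the client refuses DES), which is the migration problem the "improved enctype configuration" item is about.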
Kerberos Today
• Enterprise, B2B, B2C
• Kerberos & Identity Infrastructure




Intra-Enterprise Kerberos
• Large presence of Kerberos in Enterprise space
  – AD, “AD-Clones”, MIT code base, Sun, Intel AMT
• Desire to re-use Kerberos infra for web security
  – Increase security of web logins
     • Address authentication in Web-SSO
  – Simplification of security management
• Require Kerberos integration into web systems
  – Web-services typically already a separate infrastructure
  – Kerberos administration must also be integrated into web systems
  – Unified management of infrastructures

Kerberos for B2C & B2E Security
• Forms/SSL primary authentication method:
  – Passwords, HTML Forms, no client certs
  – HTTP-Negotiate underutilized
     • Limitations to current version of HTTP-Nego/SPNEGO
• B2E Web-SSO needs strong access control:
  – Intra-network services & business access only
     • Locally-scoped identities
  – HTTP-Negotiate deployed in many Enterprises
• B2C Web-SSO a harder problem:
  – Need standard interfaces
  – Part of Identity Management problem
  – HTTP-Negotiate limitations (today)

Kerberos Support in Web Browsers
[Figure: browser Kerberos support via SPNEGO, RFC 4559 & RFC 4178]
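The slide names the two specs that make browser Kerberos work: RFC 4559 defines the HTTP "Negotiate" scheme (the 401 challenge, the base64 token in Authorization, the reply token on the 200 response) and RFC 4178 defines the SPNEGO token the browser puts inside it. The code below is an added example, not from the deck or the MIT code base: it implements the HTTP framing and recognises which mechanism a token carries by its RFC 2743 header and OID, while the actual ticket verification is delegated to an acceptor hook standing in for a GSS-API call such as gss_accept_sec_context. The principal name, the inner token bytes and the acceptor are constructed for the example. One policy point a practitioner wants here is visible in the code: some browsers fall back to raw NTLM under the same Negotiate header, and a Kerberos-only site should re-challenge rather than accept it.

```python
import base64
from typing import Callable, Optional, Tuple

# DER-encoded mechanism OIDs (tag 0x06, length, contents).
# SPNEGO is 1.3.6.1.5.5.2 (RFC 4178); Kerberos V5 is 1.2.840.113554.1.2.2.
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")
# A raw NTLM message sent under the Negotiate scheme starts with this signature.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Hook standing in for the real GSS-API acceptor: given the client's token it
# returns (authenticated principal, reply token for mutual authentication).
Acceptor = Callable[[bytes], Tuple[str, bytes]]


def _der_encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def build_initial_token(mech_oid: bytes, inner: bytes) -> bytes:
    """Wrap a mechanism token as an RFC 2743 InitialContextToken ([APPLICATION 0])."""
    body = mech_oid + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def negotiate_header(token: bytes) -> str:
    """Header value: what a browser sends in Authorization, or a server in WWW-Authenticate."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def parse_negotiate_header(header: Optional[str]) -> Optional[bytes]:
    """Return the decoded token from 'Negotiate <base64>', or None if absent or malformed."""
    if header is None:
        return None
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def identify_mechanism(token: bytes) -> str:
    """Classify the raw token as 'spnego', 'krb5' or 'ntlm'; raise on anything else."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    length, pos = _der_decode_length(token, 1)
    if pos + length != len(token):
        raise ValueError("token length does not match its header")
    rest = token[pos:]
    if rest.startswith(SPNEGO_OID):
        return "spnego"
    if rest.startswith(KRB5_OID):
        return "krb5"
    raise ValueError("unrecognised mechanism OID")


def handle_request(authorization: Optional[str], accept: Acceptor) -> dict:
    """Server side of one RFC 4559 round trip with a Kerberos-only policy."""
    token = parse_negotiate_header(authorization)
    if token is None:
        # First request (or an unusable header): challenge the browser to start SPNEGO.
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}
    try:
        mech = identify_mechanism(token)
    except ValueError as exc:
        return {"status": 400, "headers": {}, "error": str(exc)}
    if mech == "ntlm":
        # NTLM carries no Kerberos identity; re-challenge instead of accepting the fallback.
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"},
                "error": "ntlm fallback refused"}
    principal, reply = accept(token)
    headers = {}
    if reply:
        # Mutual authentication: the acceptor's reply token rides on the 200 response.
        headers["WWW-Authenticate"] = negotiate_header(reply)
    return {"status": 200, "headers": headers, "principal": principal}


def sample_acceptor(token: bytes) -> Tuple[str, bytes]:
    """Constructed stand-in for the KDC-backed acceptor; it verifies nothing."""
    return "alice@EXAMPLE.ORG", build_initial_token(KRB5_OID, b"constructed-reply")
```

In a deployment the acceptor is the only piece that needs the keytab; the framing above is what a reverse proxy or web framework has to get right regardless of which Kerberos library sits behind it.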


Identity Management
• Common architecture in Liberty/SAML2.0 and OpenID
• Authentication in Identity Systems



Identity Management Today
• Multiple proposals in the industry:
   – SAML2.0 (Liberty Alliance)
   – OpenID
   – CardSpace/InfoCard
   – Shibboleth 1.3 (in higher education)
• Basic architectures are similar
   – Service Provider, Identity Provider, Client
   – Mostly neutral to authentication method used
   – Assumes password/forms as basic auth method
• Issues/factors (lots):
   – Complexity of backend architecture
   – Credentials management
   – Enterprise vs. Consumer market (business case)
   – Federation & Trust
   – Lack of large-scale IdP as a trusted third party

Basic Id Management Architecture




Kerberos Authentication in SAML2.0 Systems
• Interoperability with SAML
• Web back-end security
• Related work



SAML2.0 Kerberos Web-Browser SSO
• Kerberos Web Browser SSO Profile
  – Aim: Kerberos authentication within SAML2.0 systems & infrastructure
  – Draft specification in OASIS
    • Builds on existing SAML2.0 Web-SSO profile
  – Assumes User Agent is a Browser with HTTP
    • Uses HTTP-Negotiate/SPNEGO for authentication
  – Uses SAML Subject Confirmation method:
    • IdP issues SAML Assertions
    • Confirms the SAML attesting entity using Kerberos
    • Client must prove possession of Kerberos key
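The last three bullets describe a holder-of-key style check: the IdP asserts a subject, and the SP only accepts the assertion once the browser has proved, through a Kerberos exchange with the SP itself, that it holds the key of that very principal. The code below is an added, simplified model of the SP-side decision, not the OASIS draft profile and not MIT code. It substitutes an HMAC for the IdP's XML-Signature, a JSON dict for the assertion, a placeholder confirmation-method URI (the draft defines its own), and takes the Kerberos-authenticated principal as an input, which in a real deployment is the name the GSS-API acceptor returns from the HTTP-Negotiate exchange. The entity IDs, key, principals and clock are constructed. Beyond the three bullets it also shows the checks every SAML Web-SSO SP has to make anyway (audience, recipient, validity window, one-time use of the assertion ID), because a Kerberos binding is only as strong as the assertion validation around it.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

# Constructed IdP key; a real IdP signs with XML-Signature, not an HMAC.
IDP_KEY = b"constructed-idp-signing-key"
# Placeholder method URI; the OASIS draft profile defines the real identifier.
KERBEROS_CONFIRMATION = "urn:example:saml:cm:kerberos"
SP_ENTITY_ID = "https://sp.example.org/saml"      # constructed
ACS_URL = "https://sp.example.org/saml/acs"       # constructed
SAMPLE_NOW = datetime(2010, 1, 26, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _canonical(assertion: Dict[str, str]) -> bytes:
    """Deterministic serialisation of every field the signature covers."""
    fields = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(principal: str, assertion_id: str, now: datetime,
                        lifetime: timedelta = timedelta(minutes=5)) -> Dict[str, str]:
    """IdP side: the subject is the Kerberos principal the IdP authenticated over SPNEGO."""
    assertion = {
        "id": assertion_id,
        "issuer": "https://idp.example.org",
        "subject": principal,
        "audience": SP_ENTITY_ID,
        "confirmation_method": KERBEROS_CONFIRMATION,
        "recipient": ACS_URL,
        "not_on_or_after": (now + lifetime).isoformat(),
    }
    assertion["signature"] = hmac.new(IDP_KEY, _canonical(assertion), hashlib.sha256).hexdigest()
    return assertion


class ServiceProvider:
    """SP side: accept an assertion only if its subject is the principal proved over Kerberos."""

    def __init__(self) -> None:
        self.seen_ids: Set[str] = set()  # assertion IDs already consumed (replay protection)

    def confirm_subject(self, assertion: Dict[str, str],
                        authenticated_principal: Optional[str], now: datetime) -> str:
        """Return 'ok' or the reason the assertion is rejected."""
        expected = hmac.new(IDP_KEY, _canonical(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return "bad signature"
        if assertion["audience"] != SP_ENTITY_ID:
            return "wrong audience"
        if assertion["recipient"] != ACS_URL:
            return "wrong recipient"
        if assertion["confirmation_method"] != KERBEROS_CONFIRMATION:
            return "unexpected confirmation method"
        if now >= datetime.fromisoformat(assertion["not_on_or_after"]):
            return "expired"
        if assertion["id"] in self.seen_ids:
            return "replayed assertion"
        # Proof of possession: the GSS-API context the browser established with this SP
        # over HTTP-Negotiate names the principal that actually holds the Kerberos key.
        if authenticated_principal is None:
            return "no kerberos proof of possession"
        if authenticated_principal != assertion["subject"]:
            return "subject mismatch"
        self.seen_ids.add(assertion["id"])
        return "ok"


def run_checks() -> Dict[str, str]:
    """Constructed scenarios exercising each check; returns scenario -> outcome."""
    sp = ServiceProvider()
    first = idp_issue_assertion("alice@EXAMPLE.ORG", "_a1", SAMPLE_NOW)
    second = idp_issue_assertion("alice@EXAMPLE.ORG", "_a2", SAMPLE_NOW)
    tampered = dict(second)
    tampered["subject"] = "bob@EXAMPLE.ORG"  # edited after signing
    return {
        "valid": sp.confirm_subject(first, "alice@EXAMPLE.ORG", SAMPLE_NOW),
        "replay": sp.confirm_subject(first, "alice@EXAMPLE.ORG", SAMPLE_NOW),
        "wrong principal": sp.confirm_subject(second, "bob@EXAMPLE.ORG", SAMPLE_NOW),
        "no proof": sp.confirm_subject(second, None, SAMPLE_NOW),
        "expired": sp.confirm_subject(second, "alice@EXAMPLE.ORG",
                                      SAMPLE_NOW + timedelta(minutes=10)),
        "tampered": sp.confirm_subject(tampered, "bob@EXAMPLE.ORG", SAMPLE_NOW),
    }
```

The order of the checks matters operationally: the signature is verified before any field is trusted, and the assertion ID is recorded only after every check passes, so a rejected assertion cannot be used to poison the replay cache. Principal comparison is exact, since Kerberos realms are case-sensitive and a loosened match would let two distinct principals share an assertion.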

Summary of SAML2.0 Web browser SSO




SAML2.0 Kerberos Web-Browser SSO




Kerberos Web Browser SSO




Other Related Work
• TLS support for Kerberos (desirable):
  • Extend Pre-Shared Key cipher-suites for TLS
  • TLS key established using Kerberos mechanism exposed as a generic security service via GSS-API
  • Future effort
• Other SAML related work at the MIT-KC:
  • Kerberos interoperability in WS-Federation systems
     • Oasis WS-Federation architecture
  • Kerberos to secure back-end web infrastructure
• MIT-KC Whitepaper:
  • Towards Kerberizing Web Identity and Services
     http://www.kerberos.org/software/kerbweb.pdf


Thank You & Questions




Contact Information

The MIT Kerberos Consortium
77 Massachusetts Avenue
W92-152
Cambridge, MA 02139 USA

Tel: 617.715.2451
Fax: 617.258.3976

Thomas Hardjono
Lead Technologist & Strategic Advisor
MIT Kerberos Consortium
Email: hardjono@mit.edu
Mobile: +1 781-729-9559

Web: www.kerberos.org




