�ݺ�ߣ

The Role of Kerberos in
Identity Management
Thomas Hardjono
MIT Kerberos Consortium

ISSA New England
26 January, 2010

www.kerberos.org ? 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.

Introductions & Background
? Kerberos v5 (RFC 4210)
? MIT Kerberos Consortium
? Release 1.7 & 1.8

? 2009 The MIT Kerberos Consortium. All Rights Reserved.
www.kerberos.org 26 Jan 2010

A Brief History of Kerberos
? Kerberos was developed as the Authentication engine for
MIT��s Project Athena in 1983, became IETF standard in 1993
? MIT��s release of Kerberos as open source in 1987 led to rapid
adoption by numerous organizations
? Kerberos now ships standard with all major operating systems
? Apple, Red Hat, Microsoft, Sun, Ubuntu
? Serves tens of millions of enterprise end users users at large
organizations.
? Microsoft has been using Kerberos as the default
authentication package since Windows 2000��
? Kerberos has been hugely successful


Kerberos V5 Overview


Kerberos Consortium: Goals
? Provide leadership to the world
community
? Establish Kerberos as a universal
authentication mechanism.
? Make Kerberos appropriate for new
environments.
? Enable Kerberos across a plethora of
endpoints.
? Help developers integrate Kerberos.


Kerberos Consortium
?Apple ?MIT
?Carnegie Mellon ?PistolStar
?Centrify Corporation ?Michigan State
?Cornell ?NASA
?The United States ?Pennsylvania State
Department of Defense ?Stanford
?Duke University ?Sun Microsystems
?Red Hat ?TeamF1, Inc.
?Iowa State ?Google
?Microsoft ?University of Michigan


Kerberos Rel 1.7 �C June 2009
? Incremental propagation support
? Removal of krb4 code
? Kerberos Identity Management (KIM) API
? Improved master key rollover / service key
rollover
? Enhanced error messages for GSS-API
? Cross-platform CCAPI Windows
? Collision avoidance for replay cache
? FAST (pre-authentication)
? Implement MS protocol extensions
? Others


Kerberos Rel 1.8 �C March 2010
? Test-driven coding environment & code quality
? Crypto modularity (cf. FIPS-140)
? Improved API for authorization data
? Support for service principal referrals
? Disable single-DES by default
? Improved enctype configuration
? Lockout for repeated login failures
? Trace logging for easier troubleshooting
? FAST negotiation for ease of migration
? Anonymous PKINIT - easier host key establish.
? Services4User (S4U) enhancements in GSSAPI
? Others

Kerberos Today
? Enterprise,B2B, B2C
? Kerberos & Identity
Infrastructure


Intra-Enterprise Kerberos
? Large presence of Kerberos in Enterprise space
�C AD, ��AD-Clones��, MIT code base, Sun, Intel AMT
? Desire to re-use Kerberos infra for web security
�C Increase security of web logins
? Address authentication in Web-SSO
�C Simplification of security management
? Require Kerberos integration into web systems
�C Web-services typically already a separate
infrastructure
�C Kerberos administration must also be integrated into
web systems
�C Unified management of infrastructures


Kerberos for B2C & B2E Security
? Forms/SSL primary authentication method:
�C Passwords, HTML Forms, no client certs
�C HTTP-Negotiate underutilized
? Limitations to current version of HTTP-Nego/SPNEGO
? B2E Web-SSO needs strong access control:
�C Intra-network services& business access only
? Locally-scoped identities
�C HTTP-Negotiate deployed in many Enterprises
? B2C Web-SSO a harder problem:
�C Need standard interfaces
�C Part of Identity Management problem
�C HTTP-Negotiate limitations (today)


Kerberos Support in Web Browsers

SPNEGO
RFC4559 & RFC4178


Identity Management
? Common architecture in
Liberty/SAML2.0 and
OpenID
? Authentication in Identity
Systems


Identity Management Today
? Multiple proposals in the industry:
�C SAML2.0 (Liberty Alliance)
�C OpenID
�C CardSpace/InfoCard
�C Shibboleth 1.3 (in higher education)
? Basic architecture are similar
�C Service Provider, Identity Provider, Client
�C Mostly neutral to authentication method used
�C Assumes password/forms as basic auth method
? Issues/factors (lots):
�C Complexity of backend architecture
�C Credentials management
�C Enterprise vs. Consumer market (business case)
�C Federation & Trust
�C Lack of large-scale IdP as a trusted third party


Basic Id Management Architecture


Kerberos Authentication in
SAML2.0 Systems
? Interoperability with SAML
? Web back-end security
? Related work


SAML2.0 Kerberos Web-Browser SSO
? Kerberos Web Browser SSO Profile
�C Aim: Kerberos authentication within SAML2.0
systems & infrastructure
�C Draft specification in OASIS
? Builds on existing SAML2.0 Web-SSO profile
�C Assumes User Agent is a Browser with HTTP
? Uses HTTP-Negotiate/SPNEGO for authentication
�C Uses SAML Subject Confirmation method:
? IdP issues SAML Assertions
? Confirms the SAML attesting entity using Kerberos
? Client must prove possession of Kerberos key


Summary of SAML2.0 Web browser SSO


SAML2.0 Kerberos Web-Browser SSO


Kerberos Web Browser SSO


Other Related Work
? TLS support for Kerberos (desirable):
? Extend Pre-Shared Key cipher-suites for TLS
? TLS key established using Kerberos mechanism
exposed as a generic security service via GSS-API
? Future effort
? Other SAML related work at the MIT-KC:
? Kerberos interoperability in WS-Federation systems
? Oasis WS-Federation architecture
? Kerberos to secure back-end web infrastructure
? MIT-KC Whitepaper:
? Towards Kerberizing Web Identity and Services
http://www.kerberos.org/software/kerbweb.pdf


Thank You & Questions


Contact Information

The MIT Kerberos Consortium
77 Massachusetts Avenue
W92-152
Cambridge, MA 02139 USA

Tel: 617.715.2451
Fax: 617.258.3976

Thomas Hardjono
Lead Technologist & Strategic Advisor

Web: www.kerberos.org

MIT Kerberos Consortium
Lead Technologist & Strategic Advisor
Thomas Hardjono(hardjono@mit.edu)
Mobile: +1 781-729-9559


�ݺ�ߣ

The Role of Kerberos in Identity Mgmt

More Related Content

The Role of Kerberos in Identity Mgmt