Page 1: The Role of Kerberos in Identity Mgmt

www.kerberos.org © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.

The Role of Kerberos in Identity Management

Thomas Hardjono, MIT Kerberos Consortium

ISSA New England, 26 January, 2010

Page 2: The Role of Kerberos in Identity Mgmt

www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.

Introductions & Background

26 Jan 2010

• Kerberos v5 (RFC 4210)
• MIT Kerberos Consortium
• Release 1.7 & 1.8

Page 3: The Role of Kerberos in Identity Mgmt


A Brief History of Kerberos

• Kerberos was developed as the authentication engine for MIT's Project Athena in 1983 and became an IETF standard in 1993
• MIT's release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations
• Kerberos now ships standard with all major operating systems: Apple, Red Hat, Microsoft, Sun, Ubuntu
• Serves tens of millions of enterprise end users at large organizations. Microsoft has been using Kerberos as the default authentication package since Windows 2000
• Kerberos has been hugely successful

Page 4: The Role of Kerberos in Identity Mgmt


Kerberos V5 Overview


Page 5: The Role of Kerberos in Identity Mgmt


Kerberos Consortium: Goals

• Provide leadership to the world community
• Establish Kerberos as a universal authentication mechanism.
• Make Kerberos appropriate for new environments.
• Enable Kerberos across a plethora of endpoints.
• Help developers integrate Kerberos.


Page 6: The Role of Kerberos in Identity Mgmt


Kerberos Consortium members

• Apple
• Carnegie Mellon
• Centrify Corporation
• Cornell
• The United States Department of Defense
• Duke University
• Red Hat
• Iowa State
• Microsoft
• MIT
• PistolStar
• Michigan State
• NASA
• Pennsylvania State
• Stanford
• Sun Microsystems
• TeamF1, Inc.
• Google
• University of Michigan

Page 7: The Role of Kerberos in Identity Mgmt


Kerberos Rel 1.7 – June 2009

• Incremental propagation support
• Removal of krb4 code
• Kerberos Identity Management (KIM) API
• Improved master key rollover / service key rollover
• Enhanced error messages for GSS-API
• Cross-platform CCAPI Windows
• Collision avoidance for replay cache
• FAST (pre-authentication)
• Implement MS protocol extensions
• Others


Page 8: The Role of Kerberos in Identity Mgmt


Kerberos Rel 1.8 – March 2010

• Test-driven coding environment & code quality
• Crypto modularity (cf. FIPS-140)
• Improved API for authorization data
• Support for service principal referrals
• Disable single-DES by default
• Improved enctype configuration
• Lockout for repeated login failures
• Trace logging for easier troubleshooting
• FAST negotiation for ease of migration
• Anonymous PKINIT - easier host key establishment
• Services4User (S4U) enhancements in GSSAPI
• Others


Page 9: The Role of Kerberos in Identity Mgmt


Kerberos Today

• Enterprise, B2B, B2C
• Kerberos & Identity Infrastructure

Page 10: The Role of Kerberos in Identity Mgmt


Intra-Enterprise Kerberos

• Large presence of Kerberos in Enterprise space
  – AD, "AD-Clones", MIT code base, Sun, Intel AMT
• Desire to re-use Kerberos infra for web security
  – Increase security of web logins
  – Address authentication in Web-SSO
  – Simplification of security management
• Require Kerberos integration into web systems
  – Web-services typically already a separate infrastructure
  – Kerberos administration must also be integrated into web systems
  – Unified management of infrastructures


Page 11: The Role of Kerberos in Identity Mgmt


Kerberos for B2C & B2E Security

• Forms/SSL primary authentication method:
  – Passwords, HTML Forms, no client certs
  – HTTP-Negotiate underutilized
• Limitations to current version of HTTP-Nego/SPNEGO
• B2E Web-SSO needs strong access control:
  – Intra-network services & business access only
  – Locally-scoped identities
  – HTTP-Negotiate deployed in many Enterprises
• B2C Web-SSO a harder problem:
  – Need standard interfaces
  – Part of Identity Management problem
  – HTTP-Negotiate limitations (today)


Page 12: The Role of Kerberos in Identity Mgmt


Kerberos Support in Web Browsers

• SPNEGO: RFC 4559 & RFC 4178
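The Negotiate scheme this slide refers to carries a base64 GSS-API token in the HTTP Authorization header (RFC 4559), normally an SPNEGO token (RFC 4178) that in turn wraps a Kerberos V5 token. The following is an added example, not code from the slides or from the MIT Kerberos code base: a server-side check that decodes the RFC 2743 InitialContextToken framing (0x60 tag, DER length, mechanism OID) just far enough to identify which mechanism the client presented before the bytes are handed to a GSS-API library. The token bytes are constructed for the example and the helper names are my own.

```python
import base64

# Mechanism OIDs in dotted form: SPNEGO (RFC 4178) and Kerberos V5 (RFC 4121).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"

def _der_length(buf, pos):
    """Return (length, position after the length field) for DER at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn DER OID content octets into dotted notation."""
    if not body:
        raise ValueError("empty OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def mech_from_negotiate_header(authorization):
    """Dotted mechanism OID inside an 'Authorization: Negotiate <b64>' value."""
    scheme, _, data = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not data:
        raise ValueError("not a Negotiate authorization header")
    tok = base64.b64decode(data, validate=True)
    if len(tok) < 2 or tok[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken ([APPLICATION 0])")
    _, pos = _der_length(tok, 1)
    if pos >= len(tok) or tok[pos] != 0x06:
        raise ValueError("expected mechanism OID after token header")
    oid_len, pos = _der_length(tok, pos + 1)
    if pos + oid_len > len(tok):
        raise ValueError("truncated token")
    return _decode_oid(tok[pos:pos + oid_len])

def build_sample_token(mech_oid_der, inner):
    """Constructed test input: wrap bytes as a short-form InitialContextToken."""
    body = b"\x06" + bytes([len(mech_oid_der)]) + mech_oid_der + inner
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
```

A real server still hands the whole token to GSS-API for validation; this check only lets it log or reject unexpected mechanisms up front.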

Page 13: The Role of Kerberos in Identity Mgmt


Identity Management


• Common architecture in Liberty/SAML2.0 and OpenID

• Authentication in Identity Systems

Page 14: The Role of Kerberos in Identity Mgmt


Identity Management Today

• Multiple proposals in the industry:
  – SAML2.0 (Liberty Alliance)
  – OpenID
  – CardSpace/InfoCard
  – Shibboleth 1.3 (in higher education)
• Basic architectures are similar
  – Service Provider, Identity Provider, Client
  – Mostly neutral to authentication method used
  – Assumes password/forms as basic auth method
• Issues/factors (lots):
  – Complexity of backend architecture
  – Credentials management
  – Enterprise vs. Consumer market (business case)
  – Federation & Trust
  – Lack of large-scale IdP as a trusted third party


Page 15: The Role of Kerberos in Identity Mgmt


Basic Id Management Architecture


Page 16: The Role of Kerberos in Identity Mgmt


Kerberos Authentication in SAML2.0 Systems

• Interoperability with SAML
• Web back-end security
• Related work

Page 17: The Role of Kerberos in Identity Mgmt


SAML2.0 Kerberos Web-Browser SSO

• Kerberos Web Browser SSO Profile
  – Aim: Kerberos authentication within SAML2.0 systems & infrastructure
  – Draft specification in OASIS
• Builds on existing SAML2.0 Web-SSO profile
  – Assumes User Agent is a Browser with HTTP
• Uses HTTP-Negotiate/SPNEGO for authentication
  – Uses SAML Subject Confirmation method:
    • IdP issues SAML Assertions
    • Confirms the SAML attesting entity using Kerberos
    • Client must prove possession of Kerberos key


Page 18: The Role of Kerberos in Identity Mgmt


Summary of SAML2.0 Web browser SSO


Page 19: The Role of Kerberos in Identity Mgmt


SAML2.0 Kerberos Web-Browser SSO


Page 20: The Role of Kerberos in Identity Mgmt


Kerberos Web Browser SSO


Page 21: The Role of Kerberos in Identity Mgmt


Other Related Work

• TLS support for Kerberos (desirable):
  – Extend Pre-Shared Key cipher-suites for TLS
  – TLS key established using Kerberos mechanism exposed as a generic security service via GSS-API
  – Future effort
• Other SAML related work at the MIT-KC:
  – Kerberos interoperability in WS-Federation systems
  – OASIS WS-Federation architecture
  – Kerberos to secure back-end web infrastructure
• MIT-KC Whitepaper:
  – Towards Kerberizing Web Identity and Services: http://www.kerberos.org/software/kerbweb.pdf


Page 22: The Role of Kerberos in Identity Mgmt


Thank You & Questions


Page 23: The Role of Kerberos in Identity Mgmt


Contact Information

The MIT Kerberos Consortium
77 Massachusetts Avenue, W92-152
Cambridge, MA 02139 USA

Tel: 617.715.2451
Fax: 617.258.3976
Web: www.kerberos.org

Thomas Hardjono
Lead Technologist & Strategic Advisor, MIT Kerberos Consortium
Email: [email protected]
Mobile: +1 781-729-9559