Upload
isaca-new-england
View
1.395
Download
0
Embed Size (px)
Citation preview
www.kerberos.org © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
The Role of Kerberos inIdentity Management
Thomas HardjonoMIT Kerberos Consortium
ISSA New England26 January, 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Introductions & Background
26 Jan 2010
• Kerberos v5 (RFC 4210)• MIT Kerberos Consortium• Release 1.7 & 1.8
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
26 Jan 2010
A Brief History of Kerberos Kerberos was developed as the Authentication engine for
MIT’s Project Athena in 1983, became IETF standard in 1993 MIT’s release of Kerberos as open source in 1987 led to rapid
adoption by numerous organizations Kerberos now ships standard with all major operating systems Apple, Red Hat, Microsoft, Sun, Ubuntu
Serves tens of millions of enterprise end users users at large organizations.Microsoft has been using Kerberos as the default
authentication package since Windows 2000” Kerberos has been hugely successful
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos V5 Overview
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos Consortium: Goals• Provide leadership to the world
community• Establish Kerberos as a universal
authentication mechanism.• Make Kerberos appropriate for new
environments.• Enable Kerberos across a plethora of
endpoints.• Help developers integrate Kerberos.
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
26 Jan 2010
Kerberos ConsortiumAppleCarnegie Mellon Centrify CorporationCornellThe United States Department of DefenseDuke UniversityRed HatIowa StateMicrosoft
MITPistolStarMichigan StateNASAPennsylvania StateStanfordSun MicrosystemsTeamF1, Inc.GoogleUniversity of Michigan
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos Rel 1.7 – June 2009• Incremental propagation support• Removal of krb4 code• Kerberos Identity Management (KIM) API• Improved master key rollover / service key
rollover• Enhanced error messages for GSS-API• Cross-platform CCAPI Windows• Collision avoidance for replay cache• FAST (pre-authentication)• Implement MS protocol extensions• Others
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos Rel 1.8 – March 2010• Test-driven coding environment & code quality• Crypto modularity (cf. FIPS-140)• Improved API for authorization data• Support for service principal referrals• Disable single-DES by default• Improved enctype configuration• Lockout for repeated login failures• Trace logging for easier troubleshooting• FAST negotiation for ease of migration• Anonymous PKINIT - easier host key establish.• Services4User (S4U) enhancements in GSSAPI• Others
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos Today
26 Jan 2010
• Enterprise,B2B, B2C• Kerberos & Identity
Infrastructure
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Intra-Enterprise Kerberos• Large presence of Kerberos in Enterprise space
– AD, “AD-Clones”, MIT code base, Sun, Intel AMT• Desire to re-use Kerberos infra for web security
– Increase security of web logins • Address authentication in Web-SSO
– Simplification of security management• Require Kerberos integration into web systems
– Web-services typically already a separate infrastructure
– Kerberos administration must also be integrated into web systems
– Unified management of infrastructures
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos for B2C & B2E Security• Forms/SSL primary authentication method:
– Passwords, HTML Forms, no client certs– HTTP-Negotiate underutilized
• Limitations to current version of HTTP-Nego/SPNEGO• B2E Web-SSO needs strong access control:
– Intra-network services& business access only• Locally-scoped identities
– HTTP-Negotiate deployed in many Enterprises• B2C Web-SSO a harder problem:
– Need standard interfaces– Part of Identity Management problem– HTTP-Negotiate limitations (today)
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos Support in Web Browsers
26 Jan 2010
SPNEGORFC4559 & RFC4178
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Identity Management
26 Jan 2010
• Common architecture in Liberty/SAML2.0 and OpenID
• Authentication in Identity Systems
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Identity Management Today• Multiple proposals in the industry:
– SAML2.0 (Liberty Alliance)– OpenID– CardSpace/InfoCard– Shibboleth 1.3 (in higher education)
• Basic architecture are similar– Service Provider, Identity Provider, Client– Mostly neutral to authentication method used– Assumes password/forms as basic auth method
• Issues/factors (lots):– Complexity of backend architecture– Credentials management– Enterprise vs. Consumer market (business case)– Federation & Trust– Lack of large-scale IdP as a trusted third party
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Basic Id Management Architecture
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos Authentication in SAML2.0 Systems
26 Jan 2010
• Interoperability with SAML• Web back-end security• Related work
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
SAML2.0 Kerberos Web-Browser SSO• Kerberos Web Browser SSO Profile
– Aim: Kerberos authentication within SAML2.0 systems & infrastructure
– Draft specification in OASIS• Builds on existing SAML2.0 Web-SSO profile
– Assumes User Agent is a Browser with HTTP• Uses HTTP-Negotiate/SPNEGO for authentication
– Uses SAML Subject Confirmation method:• IdP issues SAML Assertions• Confirms the SAML attesting entity using Kerberos• Client must prove possession of Kerberos key
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Summary of SAML2.0 Web browser SSO
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
SAML2.0 Kerberos Web-Browser SSO
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Kerberos Web Browser SSO
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Other Related Work• TLS support for Kerberos (desirable):
• Extend Pre-Shared Key cipher-suites for TLS• TLS key established using Kerberos mechanism
exposed as a generic security service via GSS-API• Future effort
• Other SAML related work at the MIT-KC:• Kerberos interoperability in WS-Federation systems
• Oasis WS-Federation architecture
• Kerberos to secure back-end web infrastructure• MIT-KC Whitepaper:
• Towards Kerberizing Web Identity and Serviceshttp://www.kerberos.org/software/kerbweb.pdf
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
Thank You & Questions
26 Jan 2010
www.kerberos.org© 2009 The MIT Kerberos Consortium. All Rights Reserved.
26 Jan 2010
Contact Information
The MIT Kerberos Consortium 77 Massachusetts AvenueW92-152Cambridge, MA 02139 USA
Tel: 617.715.2451Fax: 617.258.3976
Thomas HardjonoLead Technologist & Strategic Advisor
Web: www.kerberos.org
Lead Technologist & Strategic AdvisorThomas Hardjono([email protected]) Mobile: +1 781-729-9559
MIT Kerberos Consortium