SlideShare una empresa de Scribd logo

The Role of Kerberos in Identity Mgmt

ISACA New England
ISACA New England
Tecnología
1 de 23
Descargar para leer sin conexión
The Role of Kerberos in Identity Management Thomas Hardjono MIT Kerberos Consortium ISSA New England 26 January, 2010 www.kerberos.org © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
Introductions & Background • Kerberos v5 (RFC 4210) • MIT Kerberos Consortium • Release 1.7 & 1.8 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
A Brief History of Kerberos  Kerberos was developed as the Authentication engine for MIT’s Project Athena in 1983, became IETF standard in 1993  MIT’s release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations  Kerberos now ships standard with all major operating systems  Apple, Red Hat, Microsoft, Sun, Ubuntu  Serves tens of millions of enterprise end users users at large organizations.  Microsoft has been using Kerberos as the default authentication package since Windows 2000”  Kerberos has been hugely successful © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos V5 Overview © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Consortium: Goals • Provide leadership to the world community • Establish Kerberos as a universal authentication mechanism. • Make Kerberos appropriate for new environments. • Enable Kerberos across a plethora of endpoints. • Help developers integrate Kerberos. © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Consortium Apple MIT Carnegie Mellon PistolStar Centrify Corporation Michigan State Cornell NASA The United States Pennsylvania State Department of Defense Stanford Duke University Sun Microsystems Red Hat TeamF1, Inc. Iowa State Google Microsoft University of Michigan © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Rel 1.7 – June 2009 • Incremental propagation support • Removal of krb4 code • Kerberos Identity Management (KIM) API • Improved master key rollover / service key rollover • Enhanced error messages for GSS-API • Cross-platform CCAPI Windows • Collision avoidance for replay cache • FAST (pre-authentication) • Implement MS protocol extensions • Others © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Rel 1.8 – March 2010 • Test-driven coding environment & code quality • Crypto modularity (cf. FIPS-140) • Improved API for authorization data • Support for service principal referrals • Disable single-DES by default • Improved enctype configuration • Lockout for repeated login failures • Trace logging for easier troubleshooting • FAST negotiation for ease of migration • Anonymous PKINIT - easier host key establish. • Services4User (S4U) enhancements in GSSAPI • Others © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Today • Enterprise,B2B, B2C • Kerberos & Identity Infrastructure © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Intra-Enterprise Kerberos • Large presence of Kerberos in Enterprise space – AD, “AD-Clones”, MIT code base, Sun, Intel AMT • Desire to re-use Kerberos infra for web security – Increase security of web logins • Address authentication in Web-SSO – Simplification of security management • Require Kerberos integration into web systems – Web-services typically already a separate infrastructure – Kerberos administration must also be integrated into web systems – Unified management of infrastructures © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos for B2C & B2E Security • Forms/SSL primary authentication method: – Passwords, HTML Forms, no client certs – HTTP-Negotiate underutilized • Limitations to current version of HTTP-Nego/SPNEGO • B2E Web-SSO needs strong access control: – Intra-network services& business access only • Locally-scoped identities – HTTP-Negotiate deployed in many Enterprises • B2C Web-SSO a harder problem: – Need standard interfaces – Part of Identity Management problem – HTTP-Negotiate limitations (today) © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Support in Web Browsers SPNEGO RFC4559 & RFC4178 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Identity Management • Common architecture in Liberty/SAML2.0 and OpenID • Authentication in Identity Systems © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Identity Management Today • Multiple proposals in the industry: – SAML2.0 (Liberty Alliance) – OpenID – CardSpace/InfoCard – Shibboleth 1.3 (in higher education) • Basic architecture are similar – Service Provider, Identity Provider, Client – Mostly neutral to authentication method used – Assumes password/forms as basic auth method • Issues/factors (lots): – Complexity of backend architecture – Credentials management – Enterprise vs. Consumer market (business case) – Federation & Trust – Lack of large-scale IdP as a trusted third party © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Basic Id Management Architecture © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Authentication in SAML2.0 Systems • Interoperability with SAML • Web back-end security • Related work © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
SAML2.0 Kerberos Web-Browser SSO • Kerberos Web Browser SSO Profile – Aim: Kerberos authentication within SAML2.0 systems & infrastructure – Draft specification in OASIS • Builds on existing SAML2.0 Web-SSO profile – Assumes User Agent is a Browser with HTTP • Uses HTTP-Negotiate/SPNEGO for authentication – Uses SAML Subject Confirmation method: • IdP issues SAML Assertions • Confirms the SAML attesting entity using Kerberos • Client must prove possession of Kerberos key © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Summary of SAML2.0 Web browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
SAML2.0 Kerberos Web-Browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Kerberos Web Browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Other Related Work • TLS support for Kerberos (desirable): • Extend Pre-Shared Key cipher-suites for TLS • TLS key established using Kerberos mechanism exposed as a generic security service via GSS-API • Future effort • Other SAML related work at the MIT-KC: • Kerberos interoperability in WS-Federation systems • Oasis WS-Federation architecture • Kerberos to secure back-end web infrastructure • MIT-KC Whitepaper: • Towards Kerberizing Web Identity and Services http://www.kerberos.org/software/kerbweb.pdf © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Thank You & Questions © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
Contact Information The MIT Kerberos Consortium 77 Massachusetts Avenue W92-152 Cambridge, MA 02139 USA Tel: 617.715.2451 Fax: 617.258.3976 Thomas Hardjono Lead Technologist & Strategic Advisor Web: www.kerberos.org MIT Kerberos Consortium Lead Technologist & Strategic Advisor Thomas Hardjono(hardjono@mit.edu) Mobile: +1 781-729-9559 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010

Recomendados

Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...
Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...
Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...
datacentersummit
 
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Sumit Gupta
 
Cloud computingjun28
Cloud computingjun28Cloud computingjun28
Cloud computingjun28
korusamol
 
Cloud computingjun28
Cloud computingjun28Cloud computingjun28
Cloud computingjun28
Abhishek Thakur
 
MIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon satteliteMIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon sattelite
Nov Matake
 
Eb07 Day Communiqué Web Content Management En
Eb07 Day Communiqué Web Content Management EnEb07 Day Communiqué Web Content Management En
Eb07 Day Communiqué Web Content Management En
Valtech
 
What's new in Exchange 2013?
What's new in Exchange 2013?What's new in Exchange 2013?
What's new in Exchange 2013?
Microsoft TechNet - Belgium and Luxembourg
 
JBoye Presentation: WCM Trends for 2010
JBoye Presentation: WCM Trends for 2010JBoye Presentation: WCM Trends for 2010
JBoye Presentation: WCM Trends for 2010
David Nuescheler
 

Recomendados

Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...
Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...
Daniel cornejo cisco. centros de datos unificados y su evolución hacia la nub...
datacentersummit
 
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Sumit Gupta
 
Cloud computingjun28
Cloud computingjun28Cloud computingjun28
Cloud computingjun28
korusamol
 
Cloud computingjun28
Cloud computingjun28Cloud computingjun28
Cloud computingjun28
Abhishek Thakur
 
MIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon satteliteMIT-KIT Intro at #idcon sattelite
MIT-KIT Intro at #idcon sattelite
Nov Matake
 
Eb07 Day Communiqué Web Content Management En
Eb07 Day Communiqué Web Content Management EnEb07 Day Communiqué Web Content Management En
Eb07 Day Communiqué Web Content Management En
Valtech
 
What's new in Exchange 2013?
What's new in Exchange 2013?What's new in Exchange 2013?
What's new in Exchange 2013?
Microsoft TechNet - Belgium and Luxembourg
 
JBoye Presentation: WCM Trends for 2010
JBoye Presentation: WCM Trends for 2010JBoye Presentation: WCM Trends for 2010
JBoye Presentation: WCM Trends for 2010
David Nuescheler
 
14 577
14 57714 577
14 577
Chaitanya Ram
 
OpenStack- The Time is Now - Lew Tucker, Cisco
OpenStack- The Time is Now - Lew Tucker, CiscoOpenStack- The Time is Now - Lew Tucker, Cisco
OpenStack- The Time is Now - Lew Tucker, Cisco
ramdurairaj
 
OpenStack: Time is Now - Lew Tucker
OpenStack: Time is Now - Lew TuckerOpenStack: Time is Now - Lew Tucker
OpenStack: Time is Now - Lew Tucker
Lew Tucker
 
Exchange 2013 ABC's: Architecture, Best Practices and Client Access
Exchange 2013 ABC's: Architecture, Best Practices and Client AccessExchange 2013 ABC's: Architecture, Best Practices and Client Access
Exchange 2013 ABC's: Architecture, Best Practices and Client Access
Microsoft TechNet - Belgium and Luxembourg
 
Antivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizadosAntivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizados
Nextel S.A.
 
Agile Edge Valtech
Agile Edge ValtechAgile Edge Valtech
Agile Edge Valtech
David Nuescheler
 
Web Content Management And Agile
Web Content Management And AgileWeb Content Management And Agile
Web Content Management And Agile
Valtech UK
 
OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009
Gerardo Pardo-Castellote
 
Day1 Forrester Cloud Presentation
Day1 Forrester Cloud PresentationDay1 Forrester Cloud Presentation
Day1 Forrester Cloud Presentation
ErwinTheunissen
 
Kerberos at Penn (MIT Kerberos Consortium)
Kerberos at Penn (MIT Kerberos Consortium)Kerberos at Penn (MIT Kerberos Consortium)
Kerberos at Penn (MIT Kerberos Consortium)
Shumon Huque
 
Inaugural address manjusha - Indicthreads cloud computing conference 2011
Inaugural address manjusha - Indicthreads cloud computing conference 2011Inaugural address manjusha - Indicthreads cloud computing conference 2011
Inaugural address manjusha - Indicthreads cloud computing conference 2011
IndicThreads
 
利用K8S實現高可靠應用
利用K8S實現高可靠應用利用K8S實現高可靠應用
利用K8S實現高可靠應用
inwin stack
 
Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...
Kim Clark
 
Triangle OpenStack Meetup
Triangle OpenStack MeetupTriangle OpenStack Meetup
Triangle OpenStack Meetup
mestery
 
Simplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project ZeroSimplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project Zero
Shawn Zhu
 
Cloud computing
Cloud computingCloud computing
Cloud computing
Ashish Mishra
 
Enterprise Use Case - Selecting an Enterprise Service Bus
Enterprise Use Case - Selecting an Enterprise Service Bus Enterprise Use Case - Selecting an Enterprise Service Bus
Enterprise Use Case - Selecting an Enterprise Service Bus
WSO2
 
Deduplication and single instance storage
Deduplication and single instance storageDeduplication and single instance storage
Deduplication and single instance storage
Interop
 
Cloud & The Mobile Stack
Cloud & The Mobile StackCloud & The Mobile Stack
Cloud & The Mobile Stack
Subbu Ramanathan
 
vBrownBag OpenStack Networking Talk
vBrownBag OpenStack Networking TalkvBrownBag OpenStack Networking Talk
vBrownBag OpenStack Networking Talk
mestery
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
sudhanshuwaghmare1
 

Más contenido relacionado

Similar a The Role of Kerberos in Identity Mgmt

Inaugural address manjusha - Indicthreads cloud computing conference 2011
Inaugural address manjusha - Indicthreads cloud computing conference 2011Inaugural address manjusha - Indicthreads cloud computing conference 2011
Inaugural address manjusha - Indicthreads cloud computing conference 2011
IndicThreads
 
Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...
Kim Clark
 
Enterprise Use Case - Selecting an Enterprise Service Bus
Enterprise Use Case - Selecting an Enterprise Service Bus Enterprise Use Case - Selecting an Enterprise Service Bus
Enterprise Use Case - Selecting an Enterprise Service Bus
WSO2
 
Deduplication and single instance storage
Deduplication and single instance storageDeduplication and single instance storage
Deduplication and single instance storage
Interop
 

Similar a The Role of Kerberos in Identity Mgmt (20)

14 577
14 57714 577
14 577
 
OpenStack- The Time is Now - Lew Tucker, Cisco
OpenStack- The Time is Now - Lew Tucker, CiscoOpenStack- The Time is Now - Lew Tucker, Cisco
OpenStack- The Time is Now - Lew Tucker, Cisco
 
OpenStack: Time is Now - Lew Tucker
OpenStack: Time is Now - Lew TuckerOpenStack: Time is Now - Lew Tucker
OpenStack: Time is Now - Lew Tucker
 
Exchange 2013 ABC's: Architecture, Best Practices and Client Access
Exchange 2013 ABC's: Architecture, Best Practices and Client AccessExchange 2013 ABC's: Architecture, Best Practices and Client Access
Exchange 2013 ABC's: Architecture, Best Practices and Client Access
 
Antivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizadosAntivirus específicos para entornos virtualizados
Antivirus específicos para entornos virtualizados
 
Agile Edge Valtech
Agile Edge ValtechAgile Edge Valtech
Agile Edge Valtech
 
Web Content Management And Agile
Web Content Management And AgileWeb Content Management And Agile
Web Content Management And Agile
 
OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009OMG Data-Distribution Service (DDS) Tutorial - 2009
OMG Data-Distribution Service (DDS) Tutorial - 2009
 
Day1 Forrester Cloud Presentation
Day1 Forrester Cloud PresentationDay1 Forrester Cloud Presentation
Day1 Forrester Cloud Presentation
 
Kerberos at Penn (MIT Kerberos Consortium)
Kerberos at Penn (MIT Kerberos Consortium)Kerberos at Penn (MIT Kerberos Consortium)
Kerberos at Penn (MIT Kerberos Consortium)
 
Inaugural address manjusha - Indicthreads cloud computing conference 2011
Inaugural address manjusha - Indicthreads cloud computing conference 2011Inaugural address manjusha - Indicthreads cloud computing conference 2011
Inaugural address manjusha - Indicthreads cloud computing conference 2011
 
利用K8S實現高可靠應用
利用K8S實現高可靠應用利用K8S實現高可靠應用
利用K8S實現高可靠應用
 
Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...Microservices: Where do they fit within a rapidly evolving integration archit...
Microservices: Where do they fit within a rapidly evolving integration archit...
 
Triangle OpenStack Meetup
Triangle OpenStack MeetupTriangle OpenStack Meetup
Triangle OpenStack Meetup
 
Simplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project ZeroSimplified Web2.0 application development with Project Zero
Simplified Web2.0 application development with Project Zero
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Enterprise Use Case - Selecting an Enterprise Service Bus
Enterprise Use Case - Selecting an Enterprise Service Bus Enterprise Use Case - Selecting an Enterprise Service Bus
Enterprise Use Case - Selecting an Enterprise Service Bus
 
Deduplication and single instance storage
Deduplication and single instance storageDeduplication and single instance storage
Deduplication and single instance storage
 
Cloud & The Mobile Stack
Cloud & The Mobile StackCloud & The Mobile Stack
Cloud & The Mobile Stack
 
vBrownBag OpenStack Networking Talk
vBrownBag OpenStack Networking TalkvBrownBag OpenStack Networking Talk
vBrownBag OpenStack Networking Talk
 

Último

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 

Último (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

The Role of Kerberos in Identity Mgmt

  • 1. The Role of Kerberos in Identity Management Thomas Hardjono MIT Kerberos Consortium ISSA New England 26 January, 2010 www.kerberos.org © 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
  • 2. Introductions & Background • Kerberos v5 (RFC 4210) • MIT Kerberos Consortium • Release 1.7 & 1.8 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 3. A Brief History of Kerberos  Kerberos was developed as the Authentication engine for MIT’s Project Athena in 1983, became IETF standard in 1993  MIT’s release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations  Kerberos now ships standard with all major operating systems  Apple, Red Hat, Microsoft, Sun, Ubuntu  Serves tens of millions of enterprise end users users at large organizations.  Microsoft has been using Kerberos as the default authentication package since Windows 2000”  Kerberos has been hugely successful © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 4. Kerberos V5 Overview © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 5. Kerberos Consortium: Goals • Provide leadership to the world community • Establish Kerberos as a universal authentication mechanism. • Make Kerberos appropriate for new environments. • Enable Kerberos across a plethora of endpoints. • Help developers integrate Kerberos. © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 6. Kerberos Consortium Apple MIT Carnegie Mellon PistolStar Centrify Corporation Michigan State Cornell NASA The United States Pennsylvania State Department of Defense Stanford Duke University Sun Microsystems Red Hat TeamF1, Inc. Iowa State Google Microsoft University of Michigan © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 7. Kerberos Rel 1.7 – June 2009 • Incremental propagation support • Removal of krb4 code • Kerberos Identity Management (KIM) API • Improved master key rollover / service key rollover • Enhanced error messages for GSS-API • Cross-platform CCAPI Windows • Collision avoidance for replay cache • FAST (pre-authentication) • Implement MS protocol extensions • Others © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 8. Kerberos Rel 1.8 – March 2010 • Test-driven coding environment & code quality • Crypto modularity (cf. FIPS-140) • Improved API for authorization data • Support for service principal referrals • Disable single-DES by default • Improved enctype configuration • Lockout for repeated login failures • Trace logging for easier troubleshooting • FAST negotiation for ease of migration • Anonymous PKINIT - easier host key establish. • Services4User (S4U) enhancements in GSSAPI • Others © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 9. Kerberos Today • Enterprise,B2B, B2C • Kerberos & Identity Infrastructure © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 10. Intra-Enterprise Kerberos • Large presence of Kerberos in Enterprise space – AD, “AD-Clones”, MIT code base, Sun, Intel AMT • Desire to re-use Kerberos infra for web security – Increase security of web logins • Address authentication in Web-SSO – Simplification of security management • Require Kerberos integration into web systems – Web-services typically already a separate infrastructure – Kerberos administration must also be integrated into web systems – Unified management of infrastructures © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 11. Kerberos for B2C & B2E Security • Forms/SSL primary authentication method: – Passwords, HTML Forms, no client certs – HTTP-Negotiate underutilized • Limitations to current version of HTTP-Nego/SPNEGO • B2E Web-SSO needs strong access control: – Intra-network services& business access only • Locally-scoped identities – HTTP-Negotiate deployed in many Enterprises • B2C Web-SSO a harder problem: – Need standard interfaces – Part of Identity Management problem – HTTP-Negotiate limitations (today) © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 12. Kerberos Support in Web Browsers SPNEGO RFC4559 & RFC4178 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 13. Identity Management • Common architecture in Liberty/SAML2.0 and OpenID • Authentication in Identity Systems © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 14. Identity Management Today • Multiple proposals in the industry: – SAML2.0 (Liberty Alliance) – OpenID – CardSpace/InfoCard – Shibboleth 1.3 (in higher education) • Basic architecture are similar – Service Provider, Identity Provider, Client – Mostly neutral to authentication method used – Assumes password/forms as basic auth method • Issues/factors (lots): – Complexity of backend architecture – Credentials management – Enterprise vs. Consumer market (business case) – Federation & Trust – Lack of large-scale IdP as a trusted third party © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 15. Basic Id Management Architecture © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 16. Kerberos Authentication in SAML2.0 Systems • Interoperability with SAML • Web back-end security • Related work © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 17. SAML2.0 Kerberos Web-Browser SSO • Kerberos Web Browser SSO Profile – Aim: Kerberos authentication within SAML2.0 systems & infrastructure – Draft specification in OASIS • Builds on existing SAML2.0 Web-SSO profile – Assumes User Agent is a Browser with HTTP • Uses HTTP-Negotiate/SPNEGO for authentication – Uses SAML Subject Confirmation method: • IdP issues SAML Assertions • Confirms the SAML attesting entity using Kerberos • Client must prove possession of Kerberos key © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 18. Summary of SAML2.0 Web browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 19. SAML2.0 Kerberos Web-Browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 20. Kerberos Web Browser SSO © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 21. Other Related Work • TLS support for Kerberos (desirable): • Extend Pre-Shared Key cipher-suites for TLS • TLS key established using Kerberos mechanism exposed as a generic security service via GSS-API • Future effort • Other SAML related work at the MIT-KC: • Kerberos interoperability in WS-Federation systems • Oasis WS-Federation architecture • Kerberos to secure back-end web infrastructure • MIT-KC Whitepaper: • Towards Kerberizing Web Identity and Services http://www.kerberos.org/software/kerbweb.pdf © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 22. Thank You & Questions © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010
  • 23. Contact Information The MIT Kerberos Consortium 77 Massachusetts Avenue W92-152 Cambridge, MA 02139 USA Tel: 617.715.2451 Fax: 617.258.3976 Thomas Hardjono Lead Technologist & Strategic Advisor Web: www.kerberos.org MIT Kerberos Consortium Lead Technologist & Strategic Advisor Thomas Hardjono(hardjono@mit.edu) Mobile: +1 781-729-9559 © 2009 The MIT Kerberos Consortium. All Rights Reserved. www.kerberos.org 26 Jan 2010