The Role of Kerberos in Identity Mgmt
ISACA New England
1. The Role of Kerberos in Identity Management
Thomas Hardjono, MIT Kerberos Consortium
ISSA New England, 26 January, 2010
www.kerberos.org
© 2007-2010 The MIT Kerberos Consortium. All Rights Reserved.
2. Introductions & Background
• Kerberos v5 (RFC 4210)
• MIT Kerberos Consortium
• Release 1.7 & 1.8
3. A Brief History of Kerberos
Kerberos was developed as the authentication engine for MIT's Project Athena in 1983 and became an IETF standard in 1993.
MIT's release of Kerberos as open source in 1987 led to rapid adoption by numerous organizations.
Kerberos now ships standard with all major operating systems: Apple, Red Hat, Microsoft, Sun, Ubuntu.
Serves tens of millions of enterprise end users at large organizations. Microsoft has been using Kerberos as the default authentication package since Windows 2000.
Kerberos has been hugely successful.
4. Kerberos V5 Overview
5. Kerberos Consortium: Goals
• Provide leadership to the world community
• Establish Kerberos as a universal authentication mechanism.
• Make Kerberos appropriate for new environments.
• Enable Kerberos across a plethora of endpoints.
• Help developers integrate Kerberos.
6. Kerberos Consortium
• Apple
• MIT
• Carnegie Mellon
• PistolStar
• Centrify Corporation
• Michigan State
• Cornell
• NASA
• The United States Department of Defense
• Pennsylvania State
• Stanford
• Duke University
• Sun Microsystems
• Red Hat
• TeamF1, Inc.
• Iowa State
• Google
• Microsoft
• University of Michigan
7. Kerberos Rel 1.7 – June 2009
• Incremental propagation support
• Removal of krb4 code
• Kerberos Identity Management (KIM) API
• Improved master key rollover / service key rollover
• Enhanced error messages for GSS-API
• Cross-platform CCAPI Windows
• Collision avoidance for replay cache
• FAST (pre-authentication)
• Implement MS protocol extensions
• Others
8. Kerberos Rel 1.8 – March 2010
• Test-driven coding environment & code quality
• Crypto modularity (cf. FIPS-140)
• Improved API for authorization data
• Support for service principal referrals
• Disable single-DES by default
• Improved enctype configuration
• Lockout for repeated login failures
• Trace logging for easier troubleshooting
• FAST negotiation for ease of migration
• Anonymous PKINIT – easier host key establishment
• Services4User (S4U) enhancements in GSSAPI
• Others
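Two of the release 1.8 items above (single-DES disabled by default, improved enctype configuration) are things a deployment can verify in its own krb5.conf. The audit below is an added example, not part of the presentation or of the MIT krb5 tree; the two configuration fragments are constructed for it, the option names (allow_weak_crypto, default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes) are real krb5.conf keys, and the realm name is a placeholder.

```python
import re

# Constructed krb5.conf fragments: the first still permits single-DES (allowed by default
# before MIT krb5 1.8), the second makes the 1.8 defaults explicit. Realm is a placeholder.
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-crc des3-cbc-sha1 aes256-cts-hmac-sha1-96
    default_tgs_enctypes = des-cbc-crc des3-cbc-sha1 aes256-cts-hmac-sha1-96
"""
HARDENED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Enctypes MIT krb5 classifies as weak, plus the "des" family alias that expands to them
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}

def parse_libdefaults(text):
    """Return key/value pairs of [libdefaults] (plain 'key = value' lines; no subsections)."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and whitespace
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[key.lower()] = value
    return out

def audit_libdefaults(text):
    """Findings that would let single-DES or other weak enctypes be negotiated."""
    conf, findings = parse_libdefaults(text), []
    if conf.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is enabled")
    for key in ENCTYPE_KEYS:
        # enctype lists may be separated by whitespace or commas
        listed = set(re.split(r"[\s,]+", conf.get(key, "").lower())) - {""}
        weak = sorted(WEAK_ENCTYPES & listed)
        if weak:
            findings.append(f"{key} lists weak enctypes: {', '.join(weak)}")
    return findings
```

With allow_weak_crypto = false (the 1.8 default) a weak enctype left in a list is filtered out rather than used, so the first finding is the one that matters most.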
9. Kerberos Today
• Enterprise, B2B, B2C
• Kerberos & Identity Infrastructure
10. Intra-Enterprise Kerberos
• Large presence of Kerberos in Enterprise space
  – AD, “AD-Clones”, MIT code base, Sun, Intel AMT
• Desire to re-use Kerberos infra for web security
  – Increase security of web logins
• Address authentication in Web-SSO
  – Simplification of security management
• Require Kerberos integration into web systems
  – Web-services typically already a separate infrastructure
  – Kerberos administration must also be integrated into web systems
  – Unified management of infrastructures
11. Kerberos for B2C & B2E Security
• Forms/SSL primary authentication method:
  – Passwords, HTML Forms, no client certs
  – HTTP-Negotiate underutilized
    • Limitations to current version of HTTP-Nego/SPNEGO
• B2E Web-SSO needs strong access control:
  – Intra-network services & business access only
    • Locally-scoped identities
  – HTTP-Negotiate deployed in many Enterprises
• B2C Web-SSO a harder problem:
  – Need standard interfaces
  – Part of Identity Management problem
  – HTTP-Negotiate limitations (today)
12. Kerberos Support in Web Browsers
SPNEGO RFC4559 & RFC4178
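Slides 11 and 12 point at HTTP-Negotiate (RFC 4559) carrying SPNEGO (RFC 4178) tokens, and a common way Web-SSO silently loses the Kerberos benefit is the browser falling back to NTLM inside that same Negotiate header. The parser below is an added example, not from the presentation or from the MIT code base: it decodes a Negotiate credential far enough to report which GSS-API mechanism the client leads with. The mechanism OIDs are the standard ones; the sample headers are constructed inline, and a real NegTokenInit usually also carries a mechToken that this example does not parse.

```python
import base64
# DER-encoded GSS-API mechanism OIDs seen in HTTP Negotiate tokens (RFC 4559 / RFC 4178)
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft variant)
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
             MSKRB5_OID: "MS Kerberos", NTLM_OID: "NTLMSSP"}

def _tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def classify_negotiate(header_value):
    """Return (outer mechanism, mechTypes offered via SPNEGO, preferred first)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate credential")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):              # bare NTLM message, no GSS-API framing
        return "raw NTLMSSP", []
    tag, body, _ = _tlv(tok)
    if tag != 0x60:                                 # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _tlv(body)
    if tag != 0x06:
        raise ValueError("mechanism OID missing")
    offered = []
    if oid == SPNEGO_OID:
        node = body[pos:]   # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
        for _ in range(4):
            _, node, _ = _tlv(node)
        p = 0
        while p < len(node):
            _, o, p = _tlv(node, p)
            offered.append(OID_NAMES.get(o, "unknown:" + o.hex()))
    return OID_NAMES.get(oid, "unknown:" + oid.hex()), offered

def kerberos_in_use(header_value):
    """True when the client will authenticate with Kerberos rather than fall back to NTLM."""
    outer, offered = classify_negotiate(header_value)
    chosen = outer if outer != "SPNEGO" else (offered[0] if offered else "none")
    return chosen in ("Kerberos V5", "MS Kerberos")

def _der(tag, content):                             # short-form lengths suffice for the samples
    return bytes([tag, len(content)]) + content

def build_neg_token_init(mech_oids):
    """Constructed SPNEGO NegTokenInit carrying only a mechTypes list (no mechToken)."""
    mechs = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg = _der(0xA0, _der(0x30, _der(0xA0, mechs)))
    return "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID) + neg)).decode()
# Constructed sample headers: a Kerberos-capable browser and two NTLM fallbacks
SAMPLE_KRB = build_neg_token_init([MSKRB5_OID, KRB5_OID, NTLM_OID])
SAMPLE_NTLM = build_neg_token_init([NTLM_OID])
SAMPLE_RAW = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Run over web-server access logs, a count of requests where kerberos_in_use() is false is a direct measure of how "underutilized" HTTP-Negotiate is in a given environment.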
13. Identity Management
• Common architecture in Liberty/SAML2.0 and OpenID
• Authentication in Identity Systems
14. Identity Management Today
• Multiple proposals in the industry:
  – SAML2.0 (Liberty Alliance)
  – OpenID
  – CardSpace/InfoCard
  – Shibboleth 1.3 (in higher education)
• Basic architectures are similar
  – Service Provider, Identity Provider, Client
  – Mostly neutral to authentication method used
  – Assumes password/forms as basic auth method
• Issues/factors (lots):
  – Complexity of backend architecture
  – Credentials management
  – Enterprise vs. Consumer market (business case)
  – Federation & Trust
  – Lack of large-scale IdP as a trusted third party
15. Basic Id Management Architecture
16. Kerberos Authentication in SAML2.0 Systems
• Interoperability with SAML
• Web back-end security
• Related work
17. SAML2.0 Kerberos Web-Browser SSO
• Kerberos Web Browser SSO Profile
  – Aim: Kerberos authentication within SAML2.0 systems & infrastructure
  – Draft specification in OASIS
• Builds on existing SAML2.0 Web-SSO profile
  – Assumes User Agent is a Browser with HTTP
• Uses HTTP-Negotiate/SPNEGO for authentication
  – Uses SAML Subject Confirmation method:
    • IdP issues SAML Assertions
    • Confirms the SAML attesting entity using Kerberos
    • Client must prove possession of Kerberos key
18. Summary of SAML2.0 Web Browser SSO
19. SAML2.0 Kerberos Web-Browser SSO
20. Kerberos Web Browser SSO
21. Other Related Work
• TLS support for Kerberos (desirable):
  • Extend Pre-Shared Key cipher-suites for TLS
  • TLS key established using Kerberos mechanism exposed as a generic security service via GSS-API
  • Future effort
• Other SAML related work at the MIT-KC:
  • Kerberos interoperability in WS-Federation systems
  • OASIS WS-Federation architecture
  • Kerberos to secure back-end web infrastructure
• MIT-KC Whitepaper:
  • Towards Kerberizing Web Identity and Services: http://www.kerberos.org/software/kerbweb.pdf
22. Thank You & Questions
23. Contact Information
The MIT Kerberos Consortium
77 Massachusetts Avenue W92-152
Cambridge, MA 02139 USA
Tel: 617.715.2451
Fax: 617.258.3976
Web: www.kerberos.org
Thomas Hardjono, Lead Technologist & Strategic Advisor (hardjono@mit.edu)
Mobile: +1 781-729-9559