Kerberos Revisited Quantum-Safe Authentication

Similar documents
KEY DISTRIBUTION AND USER AUTHENTICATION

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Network Security Essentials

Kerberos on the Web Thomas Hardjono

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Liferay Security Features Overview. How Liferay Approaches Security

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Kerberos for the Web Current State and Leverage Points

Security+ SY0-501 Study Guide Table of Contents

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

Singapore s National Digital Identity (NDI):

How Formal Analysis and Verification Add Security to Blockchain-based Systems

Fall 2010/Lecture 32 1

U.S. E-Authentication Interoperability Lab Engineer

Echidna Concepts Guide

The Identity Web An Overview of XNS and the OASIS XRI TC

Security Strategy for Mobile ID GSMA Mobile Connect Summit

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Dell One Identity Cloud Access Manager 8.0. Overview

Identity Provider for SAP Single Sign-On and SAP Identity Management

The Open Application Platform for Secure Elements.

CS530 Authentication

1. Federation Participant Information DRAFT

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Axway Validation Authority Suite

Internet of Things Security standards

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

SAP Single Sign-On 2.0 Overview Presentation

Better Mutual Authentication Project

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

SAML-Based SSO Solution

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Public Key Infrastructure

Warm Up to Identity Protocol Soup

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

MarkLogic Server. Common Criteria Evaluated Configuration Guide. MarkLogic 9 May, Copyright 2019 MarkLogic Corporation. All rights reserved.

SECURITY & PRIVACY DOCUMENTATION

Keep your fingers off my keys today & tomorrow

Who s Protecting Your Keys? August 2018

Smart Card Alliance Update. Update to the Interagency Advisor Board (IAB) June 27, 2012

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Federated Identity Management and Network Virtualization

PKI and FICAM Overview and Outlook

Access Manager 4.2 Service Pack 1 (4.2.1) supersedes Access Manager 4.2.

GSS-REST, a Proposed Method for HTTP Application-Layer Authentication

CPSC 467b: Cryptography and Computer Security

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Identity as a Platform Service

XenApp 5 Security Standards and Deployment Scenarios

The Identity-Based Encryption Advantage

Copy-Resistant Credentials with Minimum Information Disclosure

Federated Authentication for E-Infrastructures

Mobile Devices prioritize User Experience

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Session key establishment protocols

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Session key establishment protocols

Trusted Computing in Drives and Other Peripherals Michael Willett TCG and Seagate 12 Sept TCG Track: SEC 502 1

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Security for Wireless Handhelds

PKI is Alive and Well: The Symantec Managed PKI Service

IBM Tivoli Federated Identity Manager Version Installation Guide GC

GSI Online Credential Retrieval Requirements. Jim Basney

Cloud Access Manager Overview

National Identity Exchange Federation. Terminology Reference. Version 1.0

Biometrics. Overview of Authentication

FIDO AND PAYMENTS AUTHENTICATION. Philip Andreae Vice President Oberthur Technologies

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Identity-Enabled Web Services

Implementing Security in Windows 2003 Network (70-299)

Cryptography and Network Security

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Dyadic Security Enterprise Key Management

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

WHY CSRF WORKS. Implicit authentication by Web browsers

IBM Tivoli Directory Server

Using the MyProxy Online Credential Repository

SELF SERVICE INTERFACE CODE OF CONNECTION

The Smart Grid Security Innovation Alliance. John Reynolds October 26, 2011 Cambridge, Massachusetts

SAP Security in a Hybrid World. Kiran Kola

SSO Integration Overview

Access Manager 4.2 Service Pack 5 (4.2.5) supersedes Access Manager 4.2 Service Pack 4.

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

ISO/IEC INTERNATIONAL STANDARD

Executive Summary. (The Abridged Version of The White Paper) BLOCKCHAIN OF THINGS, INC. A Delaware Corporation

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Spotfire Security. Peter McKinnis July 2017

review of the potential methods

Introduction of the Identity Assurance Framework. Defining the framework and its goals

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Client Certificates Are Going Away

Transcription:

Kerberos Revisited Quantum-Safe Authentication M. Campagna (mcampagna@gmail.com), T. Hardjono (MIT), L. Pintsov (Pitney Bowes), B. Romansky (Pitney Bowes) and T. Yu (MIT) ETSI Quantum-Safe-Crypto Workshop September 26, 2013 September 15, 2013 PBI Internal use only 1 1

Participants The Mission of the MIT-Kerberos and Internet Trust Consortium (MIT-KIT) is to develop the basic building blocks for the Internet s emerging personal data ecosystem in which people, organizations, and computers can manage access to their data more efficiently and equitably. Pitney Bowes is a provider of cryptographically secure payment and data management systems to worldwide postal and logistics community. Pitney Bowes developed, built and operates a broad information security infrastructure supporting over 2M users worldwide. September 15, 2013 PBI Internal use only 2 2

Motivation Quantum computing field is 20 years old Significant theoretical progress (Shor s results, error-correction threshold theorem) Meaningful experimental progress 5 qubit to 128 or even 439 qubit (D-Wave computer, although it does not make use of entanglement) It is not unreasonable to assume that working quantum computer may become a reality in the foreseeable future Classic public key algorithms that are based on hardness of factorization and discrete logarithm problems may become vulnerable A good symmetric key based-system may prove to be very beneficial in many applications MIT-KIT, M. Campagna and Pitney Bowes have common research interest in investigation, development and test of a broadly scalable quantum-safe solutions for Identity and Access Management September 15, 2013 PBI Internal use only 3 3

Kerberos Models Authentication Service Provider User s Authentication Service Provider Session Token Fequest/Response 1 2 Authentication Request / Response 3 Tickent Request / Response 4 Web Service acting as a Kerberos Application Server 1 2 Authentication Request / Response 3 Tickent Request / Response 4 8 7 Web Service Authentication Service Provider 6 Session Token Fequest/Response 9 5 Application Request / Response 6 Service Request with ticket 5 Web user requesting access to a service Web user requesting access to a service 10 Secure Session Web Service Provider Single- Provider Model Cross- Realm Federated Model September 15, 2013 PBI Internal use only 4 4

Requirements Quantum Safe Support Authentication and Federated Identity System Deployable on an internet scale every user, multiple devices, multiple providers, Establish secure communications to remote servers/networks (must enable traditional security services: authenticity, integrity and secrecy and non-repudiation of message content) Designed for Usability Accessibility, convenience, intuitiveness Optimum balance between security and usability September 15, 2013 PBI Internal use only 5 5

Kerberos Challenges Development Need good APIs and tools to enable developers to build on the existing Kerberos system Federation Service providers should be enabled to integrate technology into their offering to establish a chain of trust Enrollment Must be efficient, secure, and convenient for the end users Administration Must be efficient, secure, and operable at scale September 15, 2013 PBI Internal use only 6 6

Development and Implementation Need a RESTful services API that give access to the Kerberos protocol Enable access to Kerberos without going through GSSAPI Software, tools, integration, and deployment Example: model after OpenSSL or other popular web implementations Develop tools with application development and specific use cases in mind September 15, 2013 PBI Internal use only 7 7

Current Web Services Access Protocol Browser SPNEGO- based Kerberos and NTLM HTTP Authen?ca?on SAML token Iden?ty Provider (MicrosoF Ac?ve Directory) SAML token Kerberos Protocol Secure Session Web Service OS Creden?al Store September 15, 2013 PBI Internal use only 8 8

Kerberos-Based Service Access Protocol Browser 1 Auth Request 2 Auth Response Front- End Server KDC Kerberos Service 3 Ticket Request 4 Ticket Web Service Java Script September 15, 2013 PBI Internal use only 9 9

Enrollment Provision a long-term symmetric key that is not password derived (for each user, and possibly each device) Strongly random and securely distributed and installed Options Use existing relationship between end users and commercial establishments (employers, banks, etc.) Device based pre-installed keys Keys to be issued by a device manufacturer or a carrier at time that device is manufactured or delivered. Root of trust for each device starts with the manufacturer or carrier Financial arrangement with a primary user establishes the identity of the accountable user users may delegate their rights on their device to others (i.e. the accountable user could become the RA ) Retail channels to acquire credentials Postal Infrastructure Retail Kiosks Social PGP-like model (peer to peer chain of trust) Quantum Key Distribution ComDev/IQC proposal for quantum key distribution via microsatellites September 15, 2013 PBI Internal use only 10

Federation Need a critical mass of KDC and AS operators Every user must have a relationship with one or more provider and they must trust the provider to manage their identity They need to do cross-realm authentication Standard contracts to establish legal trust NSTIC process may provide templates Need for an accreditation and audit protocol and authority Establishing federation today is harder than it ought to be September 15, 2013 PBI Internal use only 11

Administration Physical (hardware) security can improve trust in providers Time synchronization issues Dealing with compromise or loss of user credentials Compromise of a KDC Need to continue operations and recover Consumers will likely require multiple authentication services providers September 15, 2013 PBI Internal use only 12

Stack model view of cryptographic standards Mobility 3GPP ETSI ATIS Internet IETF W3C... M2M ZigBee IPSO ISA Vehicle DoT IEEE ITS/ETSI Cryptographic standards have wide applicability across many industry spaces Most influen?al specifica?ons have the widest adop?on e.g. FIPS/NIST SP CORE CRYPTOGRAPHIC STANDARDS Crypto consor?ums (PKCS/SECG) ISO/ITU IEEE/escrypt ANSI X9 F1 FIPS/NIST SP Ver?cal markets generally adopt from specific core standards Adop?on requires that specs are freely available and?mely September 15, 2013 PBI Internal use only 13

Role of Standards For any wide-spread quantum-safe solution: Cryptographic primitives need to be widely accepted by international and national standards bodies, like FIPS, ANSI and ISO; Higher level protocols and use cases need to be specified in IEEE, IETF and other application-specific standards bodies. Current advantages of Kerberos: Kerberos is already accepted as a trusted and tested protocol which is agile to the underlying cryptographic primitives; Already integrated in every major platform; Uses widely adopted and tested cryptographic primitives, and specified in higher level protocols Standardization Process Primitives ANSI / NIST Algorithms IETF / IEEE September 15, 2013 PBI Internal use only 14

Infrastructure requirements Virtual environments make it difficult to ensure trust Hardware Security Module or Virtual Trusted Platform Module technology may be needed Concept segment the KDC architecture and create a secure co-processor that provides crypto-acceleration and secure key storage Need a spectrum of solutions that make different trade-offs on scale and trust Need to define metrics to describe the security levels and make users aware of the meaning of the different levels September 15, 2013 PBI Internal use only 15

Digital Signatures and Non-Repudiation Digital signatures require a third party notary service provider Verification must be done online Existing symmetric-key digital signatures have potential, but are not efficient Example: Lamport-Merkle scheme September 15, 2013 PBI Internal use only 16

September 15, 2013 PBI Internal use only 17

Conclusion There is nothing inherent in the Kerberos protocol that prohibits use in a wide-scale, federated deployment Standards are critical for wide scale implementation Integration of Kerberos with web services and internet applications Federation, certification, and auditing standards for service providers Template agreements to initiate trust relationships Maintenance of both open source (with a permissive license) and commercial implementations could support expedited integration and adoption We identified and sketched major challenges to adoption of the Kerberos-based system into deployable Internet scale authentication system September 15, 2013 PBI Internal use only 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback