Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Kx509: Leveraging Kerberos to Obtain Digital Certificates for Web
Transcript
KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication University of Michigan Kevin Coffman <[email protected]> Bill Doster <[email protected]> Why X.509? • An accepted international standard • Application support out of the box – Web servers, web browsers, directory servers, IMAP servers, etc • Allows the possibility for inter-institution authentication • No need for N²-1 cross-realm trusts April 11, 2000 CIC TechForum 2000 Why Kerberos? • We have been using Kerberos on campus since 1990 • We have 200K+ principals defined in our Kerberos database • It’s an integral part of our infrastructure • It is currently used for authenticating to many services (AFS, dial-in, e-mail, login servers, web pages.) April 11, 2000 CIC TechForum 2000 Project History (Where We Started From) • Started with MIT code for issuing certificates • Shortcomings in the MIT code – Passwords passed to web server – User interaction required • Obtain certificate • Maintain and protect private key(s) – Long-term certificates, ignoring revocation – Only supported for Netscape Communicator April 11, 2000 CIC TechForum 2000 Project Goals (What We Are Doing) • Eliminate password prompts for web access (actually use Kerberos) • Transparent web authentication – Make certificate generation automatic at Kerberos login – Make certificate installation invisible to the user • Browser-neutral, cross-platform • Position for inter-institution authentication April 11, 2000 CIC TechForum 2000 Project Non-goals (What We Are NOT Doing) • Not a complete PKI • Not to be used for e-mail or document encryption • Not to be used for e-mail or document signing (not yet, anyway) • Not a complete replacement of the current cookie method of authentication (not yet, anyway) April 11, 2000 CIC TechForum 2000 KX509 Description • Uses short-term (~1 day) certificates -“junk keys” • Obtains certificates securely from a kerberized certificate authority (KCA) server • Used for authentication ONLY! • Columbia PKCS#11 code April 11, 2000 CIC TechForum 2000 Why “Junk Keys” ? • Revocation becomes a non-issue • Private key storage is less an issue • The directory isn’t the center of the universe (?) – Certificate management is less critical – Certificate publication for sharing is not necessary April 11, 2000 CIC TechForum 2000 The Cookie Trail April 11, 2000 CIC TechForum 2000 KX509 Overview Client Workstation Enterprise-Wide Kerberos Servers Unmodified Kerberos “Login” (kinit, klog, Kerb95,…) Standard Kerberos TGT Request login password Standard Kerberos Service Ticket Request TGT Kerberos Ticket File (plus registry on Windows) Use TGT to get service ticket Use RSA Key-pair & certificate PKCS#11 module Unmodified Netscape Browser Unmodified Kerberos Server (KDC) kx509 Unmodified Kerberos Server (TGS) Kerberos Authenticated Request With public-key to be certified Store Generated RSA key-pair & One-day certificate Kerberized Certificate Authority (KCA) X.509 v3 Certificate good for one day Enterprise & External Web Servers Standard HTTPS (with X.509 Client Authentication) Unmodified Internet Explorer Unmodified Web Servers April 11, 2000 CIC TechForum 2000 Copy of KCA’s Published Certificate Demonstration... April 11, 2000 CIC TechForum 2000
