KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication University of Michigan Kevin Coffman <[email protected]> Bill Doster <[email protected]>

Page 1: KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication University of Michigan Kevin Coffman Bill Doster.

KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication

University of Michigan
Kevin Coffman <[email protected]>
Bill Doster <[email protected]>

Page 2

April 11, 2000 CIC TechForum 2000

Why X.509?

• An accepted international standard

• Application support out of the box
  – Web servers, web browsers, directory servers, IMAP servers, etc.

• Allows the possibility for inter-institution authentication

• No need for N²-1 cross-realm trusts

Page 3

Why Kerberos?

• We have been using Kerberos on campus since 1990

• We have 200K+ principals defined in our Kerberos database

• It’s an integral part of our infrastructure

• It is currently used for authenticating to many services (AFS, dial-in, e-mail, login servers, web pages.)

Page 4

Project History (Where We Started From)

• Started with MIT code for issuing certificates

• Shortcomings in the MIT code
  – Passwords passed to web server
  – User interaction required
    • Obtain certificate
    • Maintain and protect private key(s)
  – Long-term certificates, ignoring revocation
  – Only supported for Netscape Communicator

Page 5

Project Goals (What We Are Doing)

• Eliminate password prompts for web access (actually use Kerberos)

• Transparent web authentication
  – Make certificate generation automatic at Kerberos login
  – Make certificate installation invisible to the user

• Browser-neutral, cross-platform

• Position for inter-institution authentication

Page 6

Project Non-goals (What We Are NOT Doing)

• Not a complete PKI

• Not to be used for e-mail or document encryption

• Not to be used for e-mail or document signing (not yet, anyway)

• Not a complete replacement of the current cookie method of authentication (not yet, anyway)

Page 7

KX509 Description

• Uses short-term (~1 day) certificates -- “junk keys”

• Obtains certificates securely from a kerberized certificate authority (KCA) server

• Used for authentication ONLY!

• Columbia PKCS#11 code

Page 8

Why “Junk Keys”?

• Revocation becomes a non-issue

• Private key storage is less an issue

• The directory isn’t the center of the universe (?)
  – Certificate management is less critical
  – Certificate publication for sharing is not necessary

Page 9

The Cookie Trail

Page 10

KX509 Overview

(Diagram; the components and arrows of the slide are listed below.)

Client workstation:
  – Unmodified Kerberos “login” (kinit, klog, Kerb95, …), taking the user’s login and password
  – Kerberos ticket file (plus registry on Windows)
  – kx509
  – PKCS#11 module
  – Unmodified Netscape browser, unmodified Internet Explorer

Enterprise-wide Kerberos servers:
  – Unmodified Kerberos server (KDC)
  – Unmodified Kerberos server (TGS)

Kerberized Certificate Authority (KCA)

Enterprise & external web servers:
  – Unmodified web servers, each holding a copy of the KCA’s published certificate

Flow:
  • Standard Kerberos TGT request from the login program to the KDC; the TGT is stored in the ticket file
  • kx509 uses the TGT to get a service ticket (standard Kerberos service ticket request to the TGS)
  • Kerberos-authenticated request to the KCA, with the public key to be certified
  • The KCA returns an X.509 v3 certificate good for one day
  • kx509 stores the generated RSA key-pair and one-day certificate (ticket file, plus registry on Windows)
  • The browser, through the PKCS#11 module, uses the RSA key-pair and certificate for standard HTTPS (with X.509 client authentication) to the web servers
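The exchange on this slide and the "junk keys" argument of page 8, as an added example that is not code from the KX509 project: a toy kerberized CA issues a one-day, client-authentication-only X.509 certificate for a submitted RSA public key, and a web-server-side check accepts it by chaining to the KCA certificate alone, with no revocation lookup. Kerberos itself is assumed: the AP-REQ is taken to be already verified and the authenticated principal name is passed straight in. "Example KCA" and the principal "alice@EXAMPLE.ORG" are constructed placeholders; Go's standard crypto/x509 package plays the part of the CA and the verifier.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync/atomic"
	"time"
)

// KCA stands in for the kerberized certificate authority. Kerberos itself is out of scope:
// the AP-REQ is assumed to be verified already and the principal is passed straight to Issue.
type KCA struct {
	Key    *rsa.PrivateKey
	Cert   *x509.Certificate // the "KCA's published certificate" web servers hold a copy of
	serial int64             // toy serial counter; a production CA would use random serials
}

// NewKCA builds a self-signed CA; "Example KCA" is a placeholder name, not the real U-M KCA.
func NewKCA(now time.Time) (*KCA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example KCA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &KCA{Key: key, Cert: cert}, err
}

// Issue is the KCA side of the kx509 exchange: certify the submitted public key for the
// authenticated principal, good for one day and usable for client authentication only.
func (k *KCA) Issue(principal string, pub *rsa.PublicKey, now time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(atomic.AddInt64(&k.serial, 1)),
		Subject:      pkix.Name{CommonName: principal},
		NotBefore:    now.Add(-5 * time.Minute), // small clock-skew allowance
		NotAfter:     now.Add(24 * time.Hour),   // the whole "junk key" lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, k.Cert, pub, k.Key)
}

// RunKX509 is the client side: a fresh RSA key pair, its public key sent in the (simulated) Kerberos-authenticated request, and the returned DER certificate kept with the key.
func RunKX509(kca *KCA, principal string, now time.Time) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := kca.Issue(principal, &key.PublicKey, now)
	return key, der, err
}

// VerifyClientCert is the unmodified web server's check: chain the presented certificate to its copy of the KCA certificate as of `now`. No CRL or OCSP: expiry does revocation's job.
func VerifyClientCert(kcaCert *x509.Certificate, der []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(kcaCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	kca, err := NewKCA(now)
	if err != nil {
		panic(err)
	}
	_, der, err := RunKX509(kca, "alice@EXAMPLE.ORG", now) // constructed principal
	if err != nil {
		panic(err)
	}
	for _, at := range []time.Duration{2 * time.Hour, 48 * time.Hour} {
		who, err := VerifyClientCert(kca.Cert, der, now.Add(at))
		fmt.Printf("%v later: principal=%q err=%v\n", at, who, err)
	}
}
```

The relying party's only trust input is the KCA certificate, which matches the "copy of KCA's published certificate" box on the slide; the second verification, two days on, fails on validity dates alone, which is the whole of the revocation story for a one-day certificate. The certificate carries only the digital-signature key usage and the client-authentication extended key usage, so it cannot be repurposed for the e-mail or document signing and encryption the non-goals slide rules out.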

Page 11

Demonstration...