
KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication



Presentation Transcript


  1. KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication
     University of Michigan
     Kevin Coffman <kwc@umich.edu>
     Bill Doster <billdo@umich.edu>

  2. Why X.509?
     • An accepted international standard
     • Application support out of the box
       • Web servers, web browsers, directory servers, IMAP servers, etc.
     • Allows the possibility for inter-institution authentication
       • No need for N²-1 cross-realm trusts
     CIC TechForum 2000

  3. Why Kerberos?
     • We have been using Kerberos on campus since 1990
     • We have 200K+ principals defined in our Kerberos database
     • It’s an integral part of our infrastructure
     • It is currently used for authenticating to many services (AFS, dial-in, e-mail, login servers, web pages)

  4. Project History (Where We Started From)
     • Started with MIT code for issuing certificates
     • Shortcomings in the MIT code
       • Passwords passed to web server
       • User interaction required
         • Obtain certificate
         • Maintain and protect private key(s)
       • Long-term certificates, ignoring revocation
       • Only supported for Netscape Communicator

  5. Project Goals (What We Are Doing)
     • Eliminate password prompts for web access (actually use Kerberos)
     • Transparent web authentication
       • Make certificate generation automatic at Kerberos login
       • Make certificate installation invisible to the user
     • Browser-neutral, cross-platform
     • Position for inter-institution authentication

  6. Project Non-goals (What We Are NOT Doing)
     • Not a complete PKI
     • Not to be used for e-mail or document encryption
     • Not to be used for e-mail or document signing (not yet, anyway)
     • Not a complete replacement of the current cookie method of authentication (not yet, anyway)

  7. KX509 Description
     • Uses short-term (~1 day) certificates -- “junk keys”
     • Obtains certificates securely from a kerberized certificate authority (KCA) server
     • Used for authentication ONLY!
     • Columbia PKCS#11 code

  8. Why “Junk Keys”?
     • Revocation becomes a non-issue
     • Private key storage is less an issue
     • The directory isn’t the center of the universe (?)
     • Certificate management is less critical
     • Certificate publication for sharing is not necessary

  9. The Cookie Trail

  10. KX509 Overview (diagram; the components and flow recoverable from the slide text are listed below)
     Client workstation:
     • Standard, unmodified Kerberos “login” (kinit, klog, Kerb95, …) sends a TGT request with the password to the Kerberos server (KDC) and receives a TGT, kept in the Kerberos ticket file (plus the registry on Kerberized Windows).
     • kx509 uses the TGT to get a service ticket from the Kerberos server (TGS), generates an RSA key pair, and sends a Kerberos-authenticated request with the public key to be certified to the Certificate Authority (KCA).
     • The KCA returns a generated X.509 v3 certificate good for one day; kx509 stores the one-day certificate and RSA key pair, made available to the browser through the PKCS#11 module.
     • Unmodified browsers (Netscape, Internet Explorer) use standard HTTPS with X.509 client authentication.
     Enterprise-wide Kerberos servers: standard, unmodified Kerberos server (KDC and TGS); Certificate Authority (KCA).
     Enterprise and external web servers: unmodified web servers holding a copy of the KCA’s published certificate.
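The one-day “junk key” issuance and check from slides 8 and 10, as an added Go example that is not the kx509 project's own code: the KCA side certifies a client's RSA public key for 24 hours once Kerberos has authenticated the principal (the Kerberos exchange itself is assumed to have happened and is not modelled), and the web-server side verifies the certificate against a copy of the KCA's certificate with no revocation lookup, so a stale certificate is refused by the validity window alone. The KCA name and the principal are assumed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl for pub, signed by parent/parentKey, and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewKCA builds the kerberized CA's key and self-signed "published KCA certificate" (assumed CN).
func NewKCA(now time.Time) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "KCA (assumed name)"},
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// IssueJunkCert is the KCA side: principal is already authenticated by its Kerberos service ticket, so certify the client's public key for one day only.
func IssueJunkCert(caKey *rsa.PrivateKey, ca *x509.Certificate, principal string, pub *rsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: principal},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), // short lifetime stands in for revocation
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, pub, caKey)
}

// VerifyClientCert is the web-server side: chain to the KCA certificate and check the validity window at time at; no CRL or OCSP lookup is made.
func VerifyClientCert(ca, cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```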

  11. Demonstration...
