MIT Kerberos Software Development Roadmap



Similar documents
KERBEROS ROAD MAP SAM HARTMAN MIT KERBEROS CONSORTIUM APRIL 7, 2008

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

How To Use The Gss-Api And Sspi For A Security Reason On A Microsoft Microsoft Server (Or A Microsplatte)

Leverage Active Directory with Kerberos to Eliminate HTTP Password

CA Performance Center

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Remote access. Contents

Kerberos: Single Sign On for BS2000

Security of information systems secure file transfer

Secure PostgreSQL Deployments

Kerberos and Single Sign On with HTTP

Centrify for Web Applications

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

How-to: Single Sign-On

Cross-Realm Trust Interoperability, MIT Kerberos and AD

Mac OS X Directory Services

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Status of Open Source and commercial IPv6 firewall implementations

Using PIV Smart Cards on Linux for Authentication to Windows Active Directory

Avira AntiVir MailGate 3.2 Release Notes

Windows 2000 Deployment Technical Challenges at the University of Colorado at Boulder

v7.8.2 Release Notes for Websense Content Gateway

Kerberos on z/os. Active Directory On Windows Server William Mosley z/os NAS Development. December Interaction with.

Network operating systems typically are used to run computers that act as servers. They provide the capabilities required for network operation.

Single Sign-on (SSO) technologies for the Domino Web Server

A method to Implement the Kerberos User. Authentication and the secured Internet Service

Beginning OpenVPN 2.0.9

Stealing credentials for impersonation

Connecting Web and Kerberos Single Sign On

Microsoft Active Directory and Windows Security Integration with Oracle Database

Guide to SASL, GSSAPI & Kerberos v.6.0

Gladinet Cloud Backup V3.0 User Guide

Red Hat Enterprise IPA Identity & Access Management for Linux and Unix Environments. Dragos Manac

Integration with Active Directory. Jeremy Allison Samba Team

Overview of Recent Developments on Generic Security Services Application Programming Interface

An Open Source Wide-Area Distributed File System. Jeffrey Eric Altman jaltman *at* secure-endpoints *dot* com

Recommended Practices for Deploying & Using Kerberos in Mixed Environments

Single Sign-On for Kerberized Linux and UNIX Applications

How to build an Identity Management System on Linux. Simo Sorce Principal Software Engineer Red Hat, Inc.

CAC AND KERBEROS FROM VISION TO REALITY

Functions of NOS Overview of NOS Characteristics Differences Between PC and a NOS Multiuser, Multitasking, and Multiprocessor Systems NOS Server

Kernel Types System Calls. Operating Systems. Autumn 2013 CS4023

Step- by- Step guide to Configure Single sign- on for HTTP requests using SPNEGO web authentication

Mobile Security. Policies, Standards, Frameworks, Guidelines

The release notes provide details of enhancements and features in Cloudera ODBC Driver for Impala , as well as the version history.

Nessus Agents. October 2015

Automating Cloud Security with Centrify Express and RightScale

Implementing a Kerberos Single Sign-on Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

How to use PDFlib products with PHP

Active Directory network protocols and traffic

Juniper Networks Secure Access Kerberos Constrained Delegation

Enabling single sign-on for Cognos 8/10 with Active Directory

MetaFrame Presentation Server Security Standards and Deployment Scenarios Including Common Criteria Information

EMC Software Release and Service Dates for NetWorker and NetWorker Modules Last Updated on August 16, 2012

Integrating Red Hat Enterprise Linux 6 with Microsoft Active Directory Presentation

Kerberos and Active Directory symmetric cryptography in practice COSC412

Virtual Private Networks

Active Directory Comapatibility with ExtremeZ-IP A Technical Best Practices Whitepaper

This document contains information about the ElectricAccelerator integration with Kerberos. Topics include: Overview 2.

Integrating Linux systems with Active Directory

CLOUD API DOCUMENTATION v2.0. Get list of cloud servers in account

Active Directory Compatibility with ExtremeZ-IP. A Technical Best Practices Whitepaper

QuickSpecs. HP Library and Tape Tools. Features & Benefits. HP Library and Tape Tools. Overview

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

IBM i Version 7.2. Security Single sign-on

Analysis One Code Desc. Transaction Amount. Fiscal Period

Procase Consulting. APEX 4.1 Introduction. Oleg Mochkin

Kerberos and Single Sign-On with HTTP

Secure Login Issues & Solutions

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Factotum Sep. 23, 2013

Supported Platforms HPE Vertica Analytic Database. Software Version: 7.2.x

System Security Services Daemon

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Kerberos. Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, BC. From Italy (?).

Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005

Embedded Web Server Security

Verax Service Desk Installation Guide for UNIX and Windows

Preparing Your Business for Magento 2.0

Kerberos Constrained Delegation. Kerberos Constrained Delegation. Feature Description

EMC Software Release and Service Dates for NetWorker and NetWorker Modules Last Updated on February 21, 2013

JBoss Enterprise Middleware. The foundation of your open source middleware reference architecture

BlueCoat s Guide to Authentication V1.0

Single sign-on enabled OpenCms

Introduction. What is Unbound and what is DNSSEC. Installation. Manual for Unbound on Windows. W.C.A. Wijngaards, NLnet Labs, October 2010

Apache Traffic Server Extensible Host Resolution

Active Directory Compatibility with ExtremeZ-IP

(n)code Solutions CA A DIVISION OF GUJARAT NARMADA VALLEY FERTILIZERS COMPANY LIMITED P ROCEDURE F OR D OWNLOADING

Introduction. Connection security

EMC AVAMAR. Deduplication backup software and system. Copyright 2012 EMC Corporation. All rights reserved.

Network Security. Lecture 3

Supported Platforms. HP Vertica Analytic Database. Software Version: 7.0.x

Integrated Authentication

Java Secure Application Manager

TOPIC HIERARCHY. Distributed Environment. Security. Kerberos

Transcription:

MIT Kerberos Software Development Roadmap Tom Yu MIT Kerberos Consortium November 3, 2008 www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved.

Overview Timeline Completed krb5-1.7 goals Areas for improvement Process changes Interface change strategy www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 2

Target 18-month cycle krb5-1.7 Branch Jan. 2009 Release Apr. 2009 krb5-1.8 Branch Jul. 2010 Release Oct. 2010 krb5-1.9 Branch Jan. 2012 Release Apr. 2012 Timeline www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 3

Completed krb5-1.7 Goals Enhanced GSS-API error messages Cross-platform CCAPI (Mac and Windows) Kerberos Identity Management (KIM) API www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 4

Areas for Improvement Modularity Credential management End-user experience Administrator experience Performance Protocol evolution Code quality www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 5

Modularity Support readily building subsets (1.8) Lite client Lite server GSS-API: context estab. vs msg. protection e.g. Solaris user/kernel space split Crypto (1.8) Native (accelerated) crypto API support Performance optimizations (caching, etc.) New API design 1.7+ www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 6

Modularity (cont d) GSS-API mechanism glue At least rough form for NTLM support (1.7) Possible refinements later (1.8) KDC Database (long-term) Track IETF data model work New API for 1.8 New implementation for 1.9 Secure co-processor ( would be nice ) www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 7

End-user Experience Enhanced error messages for GSS-API (done) Credential management KIM API (done) Cross-platform CCAPI Done for Mac & Windows UNIX implementation (1.7+) Referrals (1.7) DNS independence via referrals Localization of static error strings (1.7+) www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 8

Administrator Experience Incremental propagation (1.7) Integrated; needs cleanup Improve key rollover Master key (1.7) Application service keys (1.8) Audit support (log all ticket requests) (1.7+) Disable DES by default (1.8) www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 9

Performance Decrease DNS traffic (1.7) Stop trying to crawl up to the root Replay cache ( rcache ) Disable on KDC (1.7) Avoid known false-positive issues Collision avoidance (1.7+) Improve implementation (1.7+) Disable by service type name (1.7+) New crypto API (1.8) facilitates optimizations www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 10

Protocol Evolution Encryption algorithm negotiation (1.7) Microsoft Kerberos extensions (1.7) Improved PKINIT support (1.7) Anonymous PKINIT (1.8) FAST (1.8; IETF) International strings in protocol (1.8+; IETF) Timestamp-independence (1.8, 1.9) Replay-proofing protocols (1.8, 1.9) www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 11

Code Quality Remove krb4 (1.7) Use safer library functions (ongoing) Avoid false positives Avoid need to validate unsafe calls Stop using strcpy, strcat, sprintf, etc. Mostly done New internal APIs for complex operations Reduce commitment to difficult platforms More effectively focus resources www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 12

Mac OS X Supported Platforms Darwin command-line build GNU/Linux (OS family) Currently Debian, Ubuntu, or Red Hat on x86_64 and x86 Solaris (SPARC or x86_64/x86) BSD (OS family) Currently NetBSD on x86_64 and x86 www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 13

Process Changes Streamline project proposal process Community resources Wiki for developers k5wiki.kerberos.org Source browsers OpenGrok, FishEye White papers, tutorials, best practices Incrementally adopt style, review guidelines Improve testing infrastructure Analysis tools Coverity, compiler warnings (static) Valgrind, Purify (runtime) www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 14

Interface Change Strategy Crypto, KDB, etc. Incremental, staged approach Design new interface Upper layer on new interface Implement new interface on top of old New lower layer Compatibility interface on top of new interface If needed www.kerberos.org 2008 The MIT Kerberos Consortium. All Rights Reserved. Nov. 3, 2008 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information