common authentication technologies next generation kitten
play

Common Authentication Technologies Next Generation (Kitten) IETF - PowerPoint PPT Presentation

Dec 21, 2023 •126 likes •621 views

Common Authentication Technologies Next Generation (Kitten) IETF 61 Introduction Welcome Kitten has been approved by the IESG as a new working group Active discussions on the list Progress made on defining the gss- naming

  1. Common Authentication Technologies Next Generation (Kitten) IETF 61

  2. Introduction

  3. Welcome • Kitten has been approved by the IESG as a new working group • Active discussions on the list • Progress made on defining the gss- naming problem; SPNEGO; PRF; and C# bindings • Road map draft published • New mailing list available/archives online

  4. Agenda

  5. Agenda • Introduction and Welcome [5 minutes] • Charter Review [20 minutes] • Pseudo-random function API [5 minutes] • Domain Based Names [10 minutes] • C# Bindings for GSSAPI [10 minutes] • SPNEGO issues [10 minutes] • GSSAPI naming [10 minutes] • Open Floor

  6. Charter Review

  7. Charter (1) • The Generic Security Services API [RFC 2743, RFC 2744] provides an API for applications to set up security contexts and to use these contexts for per-message protection services. The Common Authentication Technology Next Generation Working Group (Kitten) will work on standardizing extensions and improvements to the core GSSAPI specification and language bindings that the IETF believes are necessary based on experience using GSSAPI over the last 10 years. Extensions may be published as separate drafts or included in a GSSAPI version 3. While version 2 of the GSSAPI may be clarified, no backward incompatible changes will be made to this version of the API.

  8. Charter (2) • This working group is chartered to revise the GSSAPI v2 RFCs for the purpose of clarifying areas of ambiguity: – Use of channel bindings – Thread safety restrictions – C Language utilization (e.g., type utilization, name spaces) – Guidelines for GSS-API mechanism designers – Guidelines for GSS-API application protocol designers

  9. Charter (3a) • This working group is chartered to specify a non- backward compatible GSSAPI v3 to support the following extensions: – Clarify the portable use of channel bindings and better specify channel bindings in a language- independent manner. – Specify thread safety extensions to allow multi- threaded applications to use GSSAPI – Definitions of channel bindings for TLS, IPSec, SSH and other cryptographic channels based on work started in the NFSV4 working group.

  10. Charter (3b) – Define a GSSAPI extension to allow applications to store credentials. – Extensions to solve problems posed by the Global Grid Forum's GSSAPI extensions document. – Extensions to deal with mechanism-specific extensibility in a multi-mechanism environment. – Extend the GSS-API to support authorization by portable GSS applications while also supporting mechanisms that do not have a single canonical name for each authentication identity.

  11. Charter (3c) – Specify a Domain-based GSS service principal name consisting of: service name, host name, and domain name for use by application services hosted across multiple servers. – Extensions to support stackable GSSAPI mechanisms. – Define a Psuedo-Random Function for GSSAPI

  12. Charter (4) • This working group is chartered to perform the following GSSAPI mechanism specification work: – Specify a GSSAPI v2/v3 Channel Conjunction Mechanism – Revise RFC 2748 (SPNEGO) to correct problems that make the specification unimplementable and to document the problems found in widely-deployed attempts to implement this spec. – Update the GSSAPI Java Language Bindings to match actual implementation

  13. Charter (5) • This working group is chartered to perform the following new GSSAPI Language Binding specification work: – Specify a language binding for C#

  14. Goals and Milestones (1) Nov 04 First Meeting Mar 05 First drafts of either 'Clarifications to GSSAPIv2' as Informational OR submit 'Generic Security Service Application Program Interface Version 2, Update 2' and 'Generic Security Service API Version 2, Update 2 : C- bindings' to the IESG as Proposed Standard Jul 05 Submit either 'Clarifications to GSSAPIv2' as Informational OR submit 'Generic Security Service Application Program Interface Version 2, Update 2' and 'Generic Security Service API Version 2, Update 2 : C- bindings' to the IESG as Proposed Standard Jul 05 Submit 'The Channel Conjunction Mechanism (CCM) for the GSSAPI' to the IESG as Proposed Standard Jul 05 Submit 'On the Use of Channel Bindings to Secure Channels' to the IESG as Proposed Standard

  15. Goals and Milestones (2) Jul 05 Submit 'The Simple and Protected GSS-API Negotiation Mechanism (Revised)' to the IESG as Proposed Standard Nov 05 Submit 'GSSAPI Mechanisms without a Unique Canonical Name' to the IESG as Proposed Standard Jul 06 Submit 'Generic Security Service Application Program Interface Version 3' to the IESG as Proposed Standard Jul 06 Submit 'Generic Security Service API Version 3 : C-bindings' to the IESG as Proposed Standard Jul 06 Submit 'Generic Security Service API Version 3 : Java and C# bindings' to the IESG as Proposed Standard Nov 06 Charter Review

  16. Mailing List General Discussion: kitten@lists.ietf.org To Subscribe: https://www1.ietf.org/mailman/listinfo/kitten Archive: http://www1.ietf.org/mail- archive/web/kitten/current/index.html

  17. Roadmap • draft-williams-gssapi-v3-guide-to provides a roadmap to the work being done in this group. It will be updated to reflect the current state of the work prior to each IETF meeting

  18. Pseudo-Random Function Nico Williams

  19. GSS-API PRF Extension • Some applications would like a way to get a 'key' from a GSS security context – Dangerous and/or breaks abstractions – Cipher mismatch problems • A PRF based on a key associated with a GSS sec context doesn't suffer from those problems • So: GSS_Pseudo_random().

  20. GSS_Pseudo_random() • Inputs: – Established sec context (not prot_ready) – Variable length octet string – Desired length of output octet string • Outputs: – Major, minor status codes – Octet string

  21. GSS-API PRF Properties • Output octet string is the output of a pseudo- random function (PRF) keyed with key material from the sec context as applied to the input octet string • Calls to GSS_Pseudo_random() by the initiator and acceptor on the same sec context with the same input results in the same output – Apps must be careful, use once per-sec context • Actual PRF algorithm, keying is mech-specific

  22. Kerberos V GSS Mech PRF • Construct PRF+ based on Kerberos V crypto framework PRF – krb5_gss_prf(data, length) = truncate(length, k5prf(0 || data) || k5prf(1 || data) || .. || k5prf(n || data)) • Use acceptor subkey always for new mechanism – Use acceptor or, if there is none, the initiator subkey for old rfc1964 mech • Key usage TBD – Actual key for prf should be derived from context key

  23. GSS/Kerberos PRF I-D Status • Must fold edits in for: – PRF+, not PRF – Actual PRF+ spec for the Kerberos V mechanism • Security considerations • Both I-Ds will soon be ready for WG Last Call • Draft names: – draft-williams-gssapi-prf – draft-williams-krb5-gssapi-prf

  24. Domain Based Names Nico Williams

  25. Domain-Based Naming • Three-part names: <service>, <domain>, <host> • Purpose: To allow for simple validation, by initiators, of acceptors' authority to serve domain-specific resources • New GSS name-type OID (TBD) GSS_C_NT_DOMAINBASED_SERVICE • Generic name syntax: <service>@<domain>@<host>

  26. Domain-Based Naming: Uses • LDAP – Make sure you're talking to an LDAP server that can serve the directory data you care for • NFSv4 – Finding namespace roots • In either case the client may use DNS SRV records to find servers for some domain, but perhaps not DNSSEC – Domain-based naming mitigates for lack of DNSSEC

  27. Domain-Based Naming for the Kerberos V GSS Mechanism • Name form: <service>/<hostname>/<domain>@<REALM> • Realm of domain-based service: – Realm of host, or realm of domain? – If realm of domain, how to find it?

  28. GSS/Kerberos V Domain-Based Naming I-D Status • Must fold edits in for: – Domain name not optional in 'query' name form – Switch order of krb5 princ name components • Security considerations • Both I-Ds will soon be ready for WG Last Call • Draft names: – draft-williams-gssapi-domain-based-names – draft-williams-krb5-gssapi-domain-based-names

  29. C# Bindings Corby Morris Novell

  30. Goals for C# Bindings • Propose a C# binding for GSSAPI that uses a published standard api. The GSSAPI Java bindings as documented in RFC 2853 was a good fit for C#. Therefore the proposal is to simply include the C# binding in this RFC. • Document any C# language specific differences from the existing Java binding. • Keep the C# binding as close to the existing Java binding as possible to reduce documentation, etc.

  31. Extensions to RFC 2853 • New C# assembly namespace: org.ietf.gss • Makes note that all exception codes remain the same as specified in the Java bindings. However, C# does not have a 'throws' statement. Therefore, method prototypes do not include the exception type. There is an example in the draft. • Provide sample C# code. • States that all methods, datatypes & error codes should remain the same as specified in RFC 2853.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
8/6/20 Thank you for being here! TODAY'S LEARNING OBJECTIVES Articulate the kitten challenge

8/6/20 Thank you for being here! TODAY'S LEARNING OBJECTIVES Articulate the kitten challenge

8/6/20 Thank you for being here! TODAY'S LEARNING OBJECTIVES Articulate the kitten challenge in North America. Specifically, what do kittens need from us and how many kittens need it. Identify the most successful kitten management

757 views • 16 slides
Authentication Frequency (and Continuous Authentication) Mike Just Interactive and Trustworthy

Authentication Frequency (and Continuous Authentication) Mike Just Interactive and Trustworthy

Authentication Frequency (and Continuous Authentication) Mike Just Interactive and Trustworthy Technologies Group Glasgow Caledonian University SOUPS 2014 WAY Workshop 9 July 2014 Outline Authentication frequency Continuous

502 views • 12 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Adult Cat and Kitten Fostering Christina Ellwood &amp; Jodi Osborne Foster and Rescue

Adult Cat and Kitten Fostering Christina Ellwood &amp; Jodi Osborne Foster and Rescue

Adult Cat and Kitten Fostering 3/20/18 Adult Cat and Kitten Fostering Christina Ellwood &amp; Jodi Osborne Foster and Rescue Coordinators 3/22/18 Ch Charleston Animal Society: By the numbers Private (county contracted), Open Admission,

461 views • 6 slides
Third Generation PV and Other Ways to Utilize Solar Energy Third Generation PV Technologies Week

Third Generation PV and Other Ways to Utilize Solar Energy Third Generation PV Technologies Week

Third Generation PV and Other Ways to Utilize Solar Energy Third Generation PV Technologies Week 6.1 Arno Smets ` (Source: NASA) Shockley-Queisser limit 100 Other losses Percentage of incident 75 Relaxation light energy Below-bandgap

1.01k views • 33 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in Authentication Workshop (WAY) 2019 Nikita Samarin, Donald Sannella Traditional Passwords Most common mechanism of authenticating users online

251 views • 14 slides
Next Next Generation Sequencing: an overview of Generation Sequencing: an overview of

Next Next Generation Sequencing: an overview of Generation Sequencing: an overview of

Next Next Generation Sequencing: an overview of Generation Sequencing: an overview of technologies and applications technologies and applications Matthew Tinning Australian Genome Research Facility July 2012 History of Sequencing

698 views • 53 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Next Generation Sequencing Technologies What is first generation? Sanger Sequencing DNA

Next Generation Sequencing Technologies What is first generation? Sanger Sequencing DNA

Next Generation Sequencing Technologies What is first generation? Sanger Sequencing DNA Polymerase Base-adding reaction +H +

640 views • 32 slides
Next Generation Sequencing Technologies What is first generation? Sanger Sequencing DNA

Next Generation Sequencing Technologies What is first generation? Sanger Sequencing DNA

Next Generation Sequencing Technologies What is first generation? Sanger Sequencing DNA Polymerase Base-adding reaction +H +

585 views • 43 slides
Normal neonatal kitten ___________________________________ ___________________________________

Normal neonatal kitten ___________________________________ ___________________________________

Critical Care of the Neonatal Kitten March 13, 2014 ___________________________________ ___________________________________

505 views • 16 slides
Project Overview Speech Speech Generation Generation Common Semantic Frame Speech Speech

Project Overview Speech Speech Generation Generation Common Semantic Frame Speech Speech

9807-11 Multilingual Conversational System Research James Glass and Stephanie Seneff Project Overview Speech Speech Generation Generation Common Semantic Frame Speech Speech Understanding Understanding DATABASE Explore

748 views • 3 slides
Web Technologies and Impact Applications Babyboomer after the WWII, generation X late 60s.

Web Technologies and Impact Applications Babyboomer after the WWII, generation X late 60s.

Web Technologies and Impact Applications Babyboomer after the WWII, generation X late 60s. Winter 2001 I have the incline to call the last generation: generation Internet due to the impact on their lives. CMPUT 499: Internet and WWW

380 views • 7 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
On Demand Parametric Array Dataflow Analysis Sven Verdoolaege Hristo Nikolov Todor Stefanov

On Demand Parametric Array Dataflow Analysis Sven Verdoolaege Hristo Nikolov Todor Stefanov

January 21, 2013 1 / 43 On Demand Parametric Array Dataflow Analysis Sven Verdoolaege Hristo Nikolov Todor Stefanov Leiden Institute for Advanced Computer Science Ecole Normale Sup erieure and INRIA January 21, 2013 January 21, 2013

1.24k views • 86 slides
Revisiting Resource Pooling The Case for In-Network Resource Sharing Ioannis Psaras , Lorenzo

Revisiting Resource Pooling The Case for In-Network Resource Sharing Ioannis Psaras , Lorenzo

Revisiting Resource Pooling The Case for In-Network Resource Sharing Ioannis Psaras , Lorenzo Saino, George Pavlou University College London [i.psaras, l.saino, g.pavlou]@ucl.ac.uk Personal Webpage: http://www.ee.ucl.ac.uk/~uceeips/ EPSRC COMIT

430 views • 15 slides
Loading data on demand Thomas Lumley Dept of Biostatistics, University of Washington R Core

Loading data on demand Thomas Lumley Dept of Biostatistics, University of Washington R Core

Loading data on demand Thomas Lumley Dept of Biostatistics, University of Washington R Core Development Team useR Rennes 200979 Integrated database/statistics packages Charlton Heston brings SAS down from Mt Sinai Relational

290 views • 15 slides
Scaph: Scalable GPU-Accelerated Graph Processing with Value-Driven Differential Scheduling Long

Scaph: Scalable GPU-Accelerated Graph Processing with Value-Driven Differential Scheduling Long

Scaph: Scalable GPU-Accelerated Graph Processing with Value-Driven Differential Scheduling Long Zheng 1 , Xianliang Li 1 , Yaohui Zheng 1 , Yu Huang 1 , Xiaofei Liao 1 , Hai Jin 1 , Jingling Xue 1 Zhiyuan Shao 1 , and Qiang-Sheng Hua 1 1 Huazhong

924 views • 28 slides
CSE 331 Generics (Parametric Polymorphism) slides created by Marty Stepp based on materials by

CSE 331 Generics (Parametric Polymorphism) slides created by Marty Stepp based on materials by

CSE 331 Generics (Parametric Polymorphism) slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia http://www.cs.washington.edu/331/ 1 Parametric polymorphism parametric polymorphism :

429 views • 16 slides
An Overview of ICANN Yaovi Atohoun, Stakeholder Engagement &amp; Operations Manager - Africa

An Overview of ICANN Yaovi Atohoun, Stakeholder Engagement &amp; Operations Manager - Africa

An Overview of ICANN Yaovi Atohoun, Stakeholder Engagement &amp; Operations Manager - Africa Virtual Newcomer Session AFRINIC @AIS2020 11 September 2020 | 1 Agenda ICANN in Brief How the Domain Name System works New

289 views • 27 slides
Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Multi-input Inner-Product Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana Raykova, Yale University Hoeteck Wee, CNRS and ENS Functional Encryption [Boneh, Sahai, Waters 11] m Alice Functional

585 views • 40 slides
Middle-Product Learning with Errors (MP-LWE) and its Hardness Ron Steinfeld Monash University

Middle-Product Learning with Errors (MP-LWE) and its Hardness Ron Steinfeld Monash University

Middle-Product Learning with Errors (MP-LWE) and its Hardness Ron Steinfeld Monash University ron.steinfeld@monash.edu CIS 2019 Winter School based on joint work [RSSS17], [SSZ17], [B+19] (work in progress, in submission) with subsets of: Shi

740 views • 47 slides

More recommend