
June 1-5, 2009

Stanford University

Wednesday 3 June 9:00am

Location: Old Union - Clubhouse

Speaker: Roland Dowdeswell (Morgan Stanley)

Title: Daredevil Kerberos: How to make a Financial Institution Jump Over 40 Security Vans


Deploying and maintaining Kerberos in a large scale financial institution, or more generally any enterprise, presents challenges that many other deployments do not have.  This keynote will discuss many of those challenges and how to overcome them.  We will also cover some outstanding challenges and put some ideas forward for consideration.

At a large financial institution, the number of computers in the environment and the sheer quantity of deployed software make even small changes to the infrastructure likely to run into unforeseen issues.  Vendors do not always provide Kerberos support for their applications, and those that do frequently require the use of specific Kerberos library versions.  Some vendors provide their own Kerberos implementations that behave in subtly, or not so subtly, different ways.  Upgrading between versions of Kerberos can be problematic, as ABI compatibility has not traditionally been maintained.  Couple these facts with the expectation that the infrastructure provides continuous and uninterrupted availability and you have a recipe for an interesting challenge.  We will discuss some of the constraints and some steps that can be taken to mitigate the issues.

Keeping up to date with current best practices in security requires constant vigilance.  We will discuss how older libraries (Kerberos IV) can be removed from your environment and discuss methods to move from legacy ciphers (DES and RC4) to strong cryptography (AES).  Theoretically, this is quite straightforward, but once you accept the constraints of having to maintain an enormous production environment where interruptions of service are unacceptable, the problem becomes substantially more interesting.

The Kerberos administration tools that are distributed by MIT are in general insufficient for the enterprise.  Access control policies are too anemic to express the constraints that an enterprise should impose.  Key management techniques suffer from race conditions in key rotation, which make instituting weekly key rotation unacceptably risky.  We will discuss how to resolve these issues using recently developed open source tools, which will be made available by their authors during the conference.
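The two operational hazards named in the preceding paragraphs, the key-rotation race and the DES-to-AES move, come down to the order in which the KDC and the service host's keytab are changed.  The following toy model is an added example written for this page; it is not the speaker's tooling nor MIT's code.  It does no real cryptography: a ticket merely records the key version (kvno) and enctype the KDC used, and a keytab "decrypts" it if it holds that key and the host's library supports the enctype.  The KDC preference order `STRENGTH`, the ten-hour `MAX_LIFE`, and the single-ticket scenarios are assumptions made for the illustration.

```python
"""Toy model of service-key rotation and enctype migration in Kerberos.

Nothing here is real cryptography: a ticket just records the (kvno, enctype)
the KDC encrypted it under, and a keytab "decrypts" it if it holds that key
and the host's library supports the enctype.  What matters is the ordering.
"""
from dataclasses import dataclass

# Enctype names as MIT krb5 spells them, strongest first (assumed KDC preference).
STRENGTH = ["aes256-cts-hmac-sha1-96", "arcfour-hmac", "des-cbc-crc"]
MAX_LIFE = 10 * 3600  # assumed maximum ticket lifetime, in seconds


@dataclass(frozen=True)
class Ticket:
    kvno: int
    enctype: str
    issued_at: int


class Kdc:
    """Keys the KDC encrypts service tickets under, one set per kvno."""

    def __init__(self):
        self.keys = {}     # kvno -> set of enctypes
        self.current = 0   # kvno used for newly issued tickets

    def set_keys(self, kvno, enctypes):
        self.keys[kvno] = set(enctypes)
        self.current = kvno

    def issue(self, now):
        """Encrypt under the strongest enctype available at the current kvno."""
        et = next(e for e in STRENGTH if e in self.keys[self.current])
        return Ticket(self.current, et, now)


class Keytab:
    """The service host's keytab plus the enctypes its Kerberos library supports."""

    def __init__(self, library_enctypes):
        self.library = set(library_enctypes)
        self.entries = {}  # kvno -> set of enctypes

    def install(self, kvno, enctypes):
        self.entries[kvno] = set(enctypes)

    def accepts(self, t):
        return t.enctype in self.entries.get(t.kvno, ()) and t.enctype in self.library


def old_kvno_purgeable(tickets_under_old, now):
    """The old kvno may leave the keytab only once every ticket issued under it has expired."""
    return all(t.issued_at + MAX_LIFE <= now for t in tickets_under_old)


def rotate_naive(kdc, kt, now):
    """Change the KDC key first, push the keytab afterwards, drop the old kvno.  Returns failures."""
    carried = [kdc.issue(now - 3600)]        # a client already holds a ticket under the old kvno
    kdc.set_keys(kdc.current + 1, ["des-cbc-crc"])
    in_window = kdc.issue(now)               # issued under the new kvno before the keytab push
    failed = int(not kt.accepts(in_window))  # the service cannot decrypt it yet
    kt.entries.clear()
    kt.install(kdc.current, ["des-cbc-crc"])
    failed += sum(not kt.accepts(t) for t in carried)  # old-kvno tickets now fail too
    return failed


def rotate_safe(kdc, kt, now):
    """Install the new kvno in the keytab first, keep the old one, then switch the KDC."""
    carried = [kdc.issue(now - 3600)]
    new = kdc.current + 1
    kt.install(new, ["des-cbc-crc"])         # keytab now holds both kvnos
    before_switch = kdc.issue(now)           # still under the old kvno
    kdc.set_keys(new, ["des-cbc-crc"])
    after_switch = kdc.issue(now + 60)
    failed = sum(not kt.accepts(t) for t in carried + [before_switch, after_switch])
    # Only after MAX_LIFE has passed since the last old-kvno ticket may the old key be purged.
    purge_now = old_kvno_purgeable(carried + [before_switch], now + 60)
    purge_later = old_kvno_purgeable(carried + [before_switch], now + 60 + MAX_LIFE)
    return failed, purge_now, purge_later


def demo_rotation(safe):
    kdc, kt = Kdc(), Keytab(["des-cbc-crc"])
    kdc.set_keys(1, ["des-cbc-crc"])
    kt.install(1, ["des-cbc-crc"])
    return (rotate_safe if safe else rotate_naive)(kdc, kt, now=100_000)


def demo_migration(upgrade_library_first):
    """Move a DES-only principal to AES.  The host library must understand AES before
    the principal gets an AES key, or the KDC's preference for AES breaks the service."""
    kdc, kt = Kdc(), Keytab(["des-cbc-crc"])  # constructed host: old library, DES only
    kdc.set_keys(1, ["des-cbc-crc"])
    kt.install(1, ["des-cbc-crc"])
    if upgrade_library_first:
        kt.library.add("aes256-cts-hmac-sha1-96")
    both = ["aes256-cts-hmac-sha1-96", "des-cbc-crc"]
    kt.install(2, both)                       # keytab first, as in rotate_safe
    kdc.set_keys(2, both)
    t = kdc.issue(0)                          # the KDC now prefers AES
    return t.enctype, kt.accepts(t)


if __name__ == "__main__":
    print("naive rotation failures:", demo_rotation(safe=False))
    print("safe rotation (failures, purge now, purge later):", demo_rotation(safe=True))
    print("AES key added before library upgrade:", demo_migration(False))
    print("AES key added after library upgrade:", demo_migration(True))
```

The naive rotation loses both the ticket issued during the push window and every still-valid ticket under the old kvno; the safe ordering loses none, and the old kvno can only be purged once the maximum ticket lifetime has elapsed, which is what makes weekly rotation with tooling that does not track this so risky.  The migration half shows the same discipline for enctypes: keys for a new enctype are added alongside the old ones, and only after the host's library has been upgraded, before the legacy enctype is finally removed.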

The keynote will end with a discussion of the future direction of Kerberos.  There are many issues left to be resolved, including but not limited to: proper support for HTTP; allowing Hardware Security Modules to be used to improve the physical security of KDCs; improving resilience to dictionary attacks by implementing EKE; and providing better support for application vendors who do not yet use Kerberos.


Roland Dowdeswell received a BS in Mathematics from Indiana University in 1995 before doing some graduate work at both Indiana University and Cambridge.  After leaving university, he began consulting, which quickly turned into co-founding an internet startup, Ponte Communications, Inc., at around the same time that everyone else was doing it.  It was at this time that he started using Kerberos at home, as managing six users on eleven machines proved to be too time intensive.  When 2002 occurred, he went back to security consulting for financial firms including Morgan Stanley.  In 2005, he joined Morgan Stanley's Security Engineering team.  He can be contacted at elric at imrryr dot org.

Slides: PDF