Slide 1

Slide 1 text

Kerberos + Android
A Tale of Opportunity

© Copyright 2012 yaSSL Slide 1 / 39

Slide 2

Slide 2 text

Platform Decisions
The Statistics

Slide 3

Slide 3 text

Why Go Mobile?
80% of the world's population now has a mobile phone (5 billion phones).

Slide 4

Slide 4 text

Why Go Mobile?
Of those 80%, 1.08 billion (21.6%) are smartphones.

Slide 5

Slide 5 text

Why Go Mobile?
In the US, the ratio is even higher, with smartphones making up 40% of all mobile phones.
(Chart: 40% smartphones, 60% other mobile phones.)

Slide 6

Slide 6 text

OK, well why Android?

Slide 7

Slide 7 text

Android?
Reason 1: US Market Dominance
U.S. Smartphones (40%), share by platform:
•  Android: 40%
•  iPhone: 28%
•  Blackberry: 19%
•  Windows Mobile: 7%
•  Other: 5%
•  Windows Phone 7: 1%

Slide 8

Slide 8 text

Android?
Reason 2: Consumer Popularity
•  100 million activated Android devices (now 400,000 / day)
•  200,000 apps in Android Market (4.5 billion activations to date)
•  310 devices available to consumers (112 countries)

Slide 9

Slide 9 text

Android?
Reason 3: Developer Popularity
•  450,000 developers building for the platform!

Slide 10

Slide 10 text

Android. Meaning?
•  Opportunity for increased Kerberos visibility
•  Useful for Android and Kerberos developers
•  Fun to see where the community takes it

Slide 11

Slide 11 text

Our Plan
What we wanted to do.

Slide 12

Slide 12 text

Goals
We wanted to fill a missing gap.
1.  Port Kerberos libraries to Android
2.  Port some C-based Kerberos client apps to Android: kinit, klist, kvno, kdestroy

Slide 13

Slide 13 text

Goals
We wanted to spark community involvement.
3.  Build a sample Android NDK App (with a simple GUI)
4.  Give changes back to community

Slide 14

Slide 14 text

Action!
What we did.

Slide 15

Slide 15 text

1. Crypto Implementation

Slide 16

Slide 16 text

Crypto
Added new CyaSSL crypto implementation
•  Kerberos crypto options: CyaSSL, OpenSSL, NSS, built-in

Slide 17

Slide 17 text

Crypto
Added new CyaSSL crypto implementation
•  CyaSSL is very portable

Slide 18

Slide 18 text

2. Porting

Slide 19

Slide 19 text

Android Port
Kerberos Libraries + CyaSSL Android.
•  Cross-compiled libraries for Android
•  Created shell script for easy reproduction by developers

Slide 20

Slide 20 text

3. Android Application

Slide 21

Slide 21 text

Android App
Simple sample NDK project
Home Screen
•  Single screen
•  Uses JNI
•  Wrapper around native client apps

Slide 22

Slide 22 text

Android App
Simple sample NDK project
kinit
•  Gets a ticket using specified principal

Slide 23

Slide 23 text

Android App
Simple sample NDK project
klist
•  Lists our tickets

Slide 24

Slide 24 text

Android App
Simple sample NDK project
kvno
•  Gets a service ticket for the entered principal

Slide 25

Slide 25 text

Android App
Simple sample NDK project
klist after kvno
•  Verify that we got a ticket

Slide 26

Slide 26 text

Android App
Simple sample NDK project
kdestroy
•  Clear our ticket cache

Slide 27

Slide 27 text

Android App
Notes
•  Uses a keytab instead of passwords
•  Storage locations have been chosen for convenience
   •  Currently at /data/local/kerberos
   •  Can be easily modified to what the developer needs

Slide 28

Slide 28 text

Android App
License Type
•  Application code will remain under the MIT license

Slide 29

Slide 29 text

4. GSS-API Wrapper

Slide 30

Slide 30 text

GSS-API
Java Wrapper
•  Provide Java bindings for developers to use
•  Uses framework
•  Wrapper around native Kerberos GSS-API library (Contains functionality found in gssapi.h)

Slide 31

Slide 31 text

GSS-API
Java Wrapper
2 example clients:
•  Android client functionality
•  Stand-alone Java app for desktop use

Slide 32

Slide 32 text

GSS-API
Integrated into sample app.
Example Client
1.  Establish context with example server
2.  Send wrapped message, verify returned signature block (gss_wrap, gss_verify_mic)
3.  Repeat #2, but with gss_seal, gss_verify
4.  Misc. API tests and exit

Slide 33

Slide 33 text

GSS-API
Integrated into sample app.
Example Server
•  Establish context with client
•  Receive and unwrap a message from the client
•  Generate and send signature block for received message

Slide 34

Slide 34 text

The Future
What's happening next?

Slide 35

Slide 35 text

The Future
Look to the Community.
Availability
•  Code will be linked from both MIT and yaSSL websites

Slide 36

Slide 36 text

The Future
Look to the Community.
PR Activity / Visibility
•  Blog posts
•  Forum posts
•  Press releases
•  GitHub
•  Mailing lists
•  etc...

Slide 37

Slide 37 text

The Future
Other ideas or thoughts?

Slide 38

Slide 38 text

References
Statistics
•  http://ansonalex.com/infographics/smartphone-usage-statistics-2012-infographic/
•  http://www.go-gulf.com/blog/smartphone
•  http://blog.nielsen.com/nielsenwire/online_mobile/40-percent-of-u-s-mobile-users-own-smartphones-40-percent-are-android/
•  Google I/O 2011: http://www.google.com/events/io/2011
Project Locations
•  Kerberos: http://web.mit.edu/kerberos/
•  CyaSSL: http://www.yassl.com/
•  Android NDK App: https://github.com/cconlon/kerberos-android-ndk
•  GSS-API Java Wrapper: https://github.com/cconlon/kerberos-java-gssapi

Slide 39

Slide 39 text

Thanks!
www.yassl.com