Kerberos + Android: A Tale of Opportunity

wolfSSL
February 27, 2012

Slides from Chris Conlon's presentation about yaSSL's work porting the CyaSSL embedded SSL library, the MIT Kerberos library, and the Kerberos GSS-API to the Android platform.

To learn more, visit www.yassl.com.

Transcript

  1. Why Go Mobile? 80% of the world's population now has a mobile phone (5 billion phones). © Copyright 2012 yaSSL (Slide 3 / 39)
  2. Why Go Mobile? Of those 80%, 21.6% (1.08 billion) are smartphones. (Slide 4 / 39)
  3. Why Go Mobile? In the US the ratio is even higher, with smartphones making up 40% of all mobile phones. (Slide 5 / 39)
  4. Android? Reason 1: US Market Dominance. U.S. smartphones (40%): Android 40%, iPhone 28%, Blackberry 19%, Windows Mobile 7%, Other 5%, Windows Phone 7 1%. (Slide 7 / 39)
  5. Android? Reason 2: Consumer Popularity (Slide 8 / 39)
    •  100 million activated Android devices (now 400,000 / day)
    •  200,000 apps in Android Market (4.5 billion activations to date)
    •  310 devices available to consumers (112 countries)
  6. Android? Reason 3: Developer Popularity (Slide 9 / 39)
    •  450,000 developers building for the platform!
  7. Android. Meaning? (Slide 10 / 39)
    •  Opportunity for increased Kerberos visibility
    •  Useful for Android and Kerberos developers
    •  Fun to see where the community takes it
  8. Goals: We wanted to fill a missing gap. (Slide 12 / 39)
    1.  Port Kerberos libraries to Android
    2.  Port some C-based Kerberos client apps to Android: kinit, klist, kvno, kdestroy
  9. Goals: We wanted to spark community involvement. (Slide 13 / 39)
    3.  Build a sample Android NDK App (with a simple GUI)
    4.  Give changes back to community
  10. Crypto: Added new CyaSSL crypto implementation (Slide 16 / 39)
    •  Kerberos crypto options: CyaSSL, OpenSSL, NSS, built-in
  11. Crypto: Added new CyaSSL crypto implementation (Slide 17 / 39)
    •  CyaSSL is very portable
  12. Android Port: Kerberos Libraries + CyaSSL Android. (Slide 19 / 39)
    •  Cross-compiled libraries for Android
    •  Created shell script for easy reproduction by developers
  13. Android App: Simple sample NDK project. Home Screen (Slide 21 / 39)
    •  Single screen
    •  Uses JNI
    •  Wrapper around native client apps
  14. Android App: Simple sample NDK project. kinit (Slide 22 / 39)
    •  Gets a ticket using specified principal
  15. Android App: Simple sample NDK project. klist (Slide 23 / 39)
    •  Lists our tickets
  16. Android App: Simple sample NDK project. kvno (Slide 24 / 39)
    •  Gets a service ticket for the entered principal
  17. Android App: Simple sample NDK project. klist after kvno (Slide 25 / 39)
    •  Verify that we got a ticket
  18. Android App: Simple sample NDK project. kdestroy (Slide 26 / 39)
    •  Clear our ticket cache
  19. Android App: Notes (Slide 27 / 39)
    •  Uses a keytab instead of passwords
    •  Storage locations have been chosen for convenience
        Currently at /data/local/kerberos
        Can be easily modified to what the developer needs
  20. Android App: License Type (Slide 28 / 39)
    •  Application code will remain under the MIT license
  21. GSS-API: Java Wrapper (Slide 30 / 39)
    •  Provide Java bindings for developers to use
    •  Uses framework
    •  Wrapper around native Kerberos GSS-API library (contains functionality found in gssapi.h)
  22. GSS-API: Java Wrapper (Slide 31 / 39)
    2 example clients:
    •  Android client functionality
    •  Stand-alone Java app for desktop use
  23. GSS-API: Integrated into sample app. Example Client (Slide 32 / 39)
    1.  Est. context with example server
    2.  Send wrapped message, verify returned sig. block (gss_wrap, gss_verify_mic)
    3.  Repeat #2, but with gss_seal, gss_verify
    4.  Misc. API tests and exit.
  24. GSS-API: Integrated into sample app. Example Server (Slide 33 / 39)
    •  Est. context with client
    •  Receive and unwrap a message from the client
    •  Generate & send signature block for received message
  25. The Future: Look to the Community. Availability (Slide 35 / 39)
    •  Code will be linked from both MIT and yaSSL websites
  26. The Future: Look to the Community. PR Activity / Visibility (Slide 36 / 39)
    •  Blog posts
    •  Forum posts
    •  Press releases
    •  GitHub
    •  Mailing lists
    •  etc...
  27. References (Slide 38 / 39)
    Statistics
    •  http://ansonalex.com/infographics/smartphone-usage-statistics-2012-infographic/
    •  http://www.go-gulf.com/blog/smartphone
    •  http://blog.nielsen.com/nielsenwire/online_mobile/40-percent-of-u-s-mobile-users-own-smartphones-40-percent-are-android/
    •  Google I/O 2011: http://www.google.com/events/io/2011
    Project Locations
    •  Kerberos: http://web.mit.edu/kerberos/
    •  CyaSSL: http://www.yassl.com/
    •  Android NDK App: https://github.com/cconlon/kerberos-android-ndk
    •  GSS-API Java Wrapper: https://github.com/cconlon/kerberos-java-gssapi