Kerberos Leveraged PKI (K-PKI) leverages an existing
Kerberos
infrastructure to provide a lightweight Public Key Infrastructure (PKI).
kx509 and kca are part of the National Science Foundation Middleware
Initiative (NMI) EDIT software release.
Get the CITI Production KCA Certificate
here!
(NEW! as of October 13, 2006)
Components
There are five major components to K-PKI:
kx509 and KCA
kx509 is a standalone client program that acquires a short-term
X.509
certificate (junk key) from the KCA
for a Kerberos-authenticated user.
It stores the certificate in the local user's Kerberos ticket file.
The certificate can later be used by COTS web browsers and other
PKI-aware applications via the kpkcs11 library (see below).
KCA is the Kerberized server that generates the certificates.
It runs on a secure server.
The latest kx509/KCA source is now available on
SourceForge
with CVS instructions here.
kpkcs11
kpkcs11 is a shared library that exports the
PKCS#11
interface.
It uses the certificates stored in the user's Kerberos ticket file by
the kx509 client program.
It typically is loaded by a COTS web browser, but can be used by any
PKCS#11 client.
The latest kpkcs11 source is now available on
SourceForge
with CVS instructions here.
KCT and mod_KCT
mod_KCT is an
Apache
web server module that acquires a Kerberos service ticket
from the KCT on behalf of an
SSL authenticated user.
The web server can then act as a Kerberos client on the user's behalf.
KCT runs on the same machine that runs the KDC.
It accepts user certificates via SSL from mod_KCT and returns a Kerberos service ticket.
It uses the
OpenSSL
toolkit. (This code assumes OpenSSL version 0.9.7 or later.)
Downloads
Readme file (Last update - December 10, 2001)
kx509.tar.gz (Last update - November 11, 2003)
kpkcs11.tar.gz (Last update - November 13, 2003)
mod_kct.gz (Last update - October 24, 2005)
kct.tar.gz (Last update - October 24, 2005)
Change Log
October 24, 2005 (mod_kct/kct updates)
mod_kct changes:
- Now configurable via httpd.conf file so that user authentication
may be required for the entire server, or on a directory-by-directory
basis.
- Updated to "version 2" such that multiple service tickets can
be requested in a single request and a desired lifetime can be
specified for each ticket.
kct changes:
- Miscellaneous bug fixes.
- Handle service names with instances correctly
- Updated to "version 2" such that multiple service tickets can
be requested in a single request and a desired lifetime can be
specified for each ticket.
- Added renewal service. (More to come on this.)
- Updated configuration processing so configuration options are
processed (in increasing order of precedence):
- static defaults
- default config file (/var/kct/kct.conf)
- config file specified on command line (-f)
- individual options specified on command line
November 11, 2003 (kx509/kca updates)
- Fixes from Ken MacInnis for 64-bit clients and
to properly set the file permissions on the output file in kxlist.
- Change KCA serial number handling code to use OpenSSL BigNum
routines. This creates a much bigger serial number space.
This change requires an OpenSSL build tree to build the kca.
It also requires that the serial number file has an even number
of characters.
- Use autoconf 2.57.
- Windows build has new option for using Microsoft SSPI (--withmsk5)
- Updates for kx509 library. Added new options to kxlist to
place certificate and key in separate files, or both in the same file.
- Fix problem with the entropy code and 3DES session keys.
- Add environment variable, KCA_HOST_LIST, to specify the kca host
name(s). If set, use the env var for list of kca hosts instead of doing
DNS SRV record lookup.
- Change default kca log messages to have formatted date, and other
log message changes.
August 7, 2002 (kx509/kca updates)
- Changes to allow configuration and build of the
client on MacOS X Darwin.
March 28, 2002 (kx509/kca updates)
- Rework configure script to make Kerberos 5 the default
authentication mechanism. Make use of Kerberos 4 optional.
- Add README and INSTALL files.
- Add install target
- Use ANSI prototypes and declarations.
- Add support for a kx509 library. Allowing it to be
invoked from within another program rather than as a main
program.
- Add support for sn_increment configuration option.
- Use the client's authentication domain as the email
address domain by default.
- Remove Version 1 protocol code.
March 11, 2002 (kpkcs11 updates)
- Simplify (hopefully) configure step for non-UMICH builds.
- Add README and INSTALL files.
- Add install target
- Change logging routines so that debug output is only written
if the log file already exists. This allows some debugging to
be done by touching the file before loading the kpkcs11 module.
- Add code to ignore requests from Netscape 6 for objects with
vendor-defined properties. (Allows kpkcs11 to be used with
Netscape 6.)
February 11, 2002
- Incorporate patches to kpkcs11 received from Simon Wilkinson
[email protected]
to make the pkcs11 token a truely "removable" device. This allows
the user to update their certificate without requiring a browser
restart to notice. This makes the handling of expired certificates
much easier to deal with.
- Remove all Kerberos dependencies for the Windows version of
kpkcs11 since the key and certificate are not stored in the
credentials cache on Windows.
- Update kpkcs11 messages to print the Kerberos error string,
rather than the error number, in the case of an error when using
Kerberos 5.
December 10, 2001
- Add KCT and mod_KCT to the distribution. There are two versions
of mod_KCT, and some patches to OpenSSL 0.9.6b.
- Minor fix in kx509 configuration script.
- Changes to the logging within the KCA to include the date
in the logfile name and code to reopen the log via a SIGHUP.
August 27, 2001
- Use of SRV records to locate the kca server rather than assuming
they are on kerberos servers
- Windows client will now make use of a broader selection
of Kerberos distributions
- Improved integration with Windows 2000
- Cleaner configuration
- Eliminate use of RSAref
- More generalized server support
CITI Technical Reports
- 01-2 pdf ps
William Doster, Marcus Watts, and Dan Hyde
"The KX.509 Protocol,"
February 2001.
- 01-5 pdf ps
Olga Kornievskaia, Peter Honeyman, Bill Doster, and Kevin Coffman,
"Kerberized Credential Translation: A Solution to Web Access Control,"
February 2001. [USENIX Security Symposium, Washington, D.C. (August 2001)]