Kerberos + Android A Tale of Opportunity

© Copyright 2012 yaSSL Slide 1 / 39

Platform Decisions

The Statistics

© Copyright 2012 yaSSL Slide 2 / 39

Why Go Mobile?

80% of the world's population now has a mobile phone.

© Copyright 2012 yaSSL Slide 3 / 39

( 5 Billion Phones )

Why Go Mobile?

Of those 80%,

are smartphones.

© Copyright 2012 yaSSL

1.08 Billion

21.6%

Slide 4 / 39

Why Go Mobile?

In the US: the ratio is even higher, with smartphones making up 40% of all mobile phones.

60% 40%

© Copyright 2012 yaSSL Slide 5 / 39

OK, well why Android?

© Copyright 2012 yaSSL Slide 6 / 39

Android?

U.S. Smartphones (40%)

© Copyright 2012 yaSSL

Android 40%

iPhone 28%

Blackberry 19%

Windows Mobile, 7%

Other, 5% Windows Phone 7, 1%

==

Slide 7 / 39

Reason 1: US Market Dominance

Android? Reason 2: Consumer Popularity

© Copyright 2012 yaSSL

•  100 million activated Android devices (now 400,000 / day) •  200,000 apps in Android Market (4.5 billion activations to date)

•  310 devices available to consumers (112 countries)

Slide 8 / 39

Android? Reason 3: Developer Popularity

© Copyright 2012 yaSSL

•  450,000 developers building for the platform!

Slide 9 / 39

Android. Meaning?

© Copyright 2012 yaSSL

•  Opportunity for increased Kerberos visibility •  Useful for Android and Kerberos developers

•  Fun to see where the community takes it

Slide 10 / 39

Our Plan

What we wanted to do.

© Copyright 2012 yaSSL Slide 11 / 39

Goals We wanted to fill a missing gap.

© Copyright 2012 yaSSL

1.  Port Kerberos libraries to Android 2.  Port some C-based Kerberos client apps to Android

kinit

klist

kvno

kdestroy

Slide 12 / 39

Goals We wanted to spark community involvement.

© Copyright 2012 yaSSL

3.  Build a sample Android NDK App (with a simple GUI) 4.  Give changes back to community

Slide 13 / 39

Action!

What we did.

© Copyright 2012 yaSSL Slide 14 / 39

1. Crypto Implementation

© Copyright 2012 yaSSL Slide 15 / 39

Crypto Added new CyaSSL crypto implementation

© Copyright 2012 yaSSL Slide 16 / 39

•  Kerberos crypto options: CyaSSL, OpenSSL, NSS, built-in

Crypto Added new CyaSSL crypto implementation

© Copyright 2012 yaSSL Slide 17 / 39

•  CyaSSL is very portable

2. Porting

© Copyright 2012 yaSSL Slide 18 / 39

Android Port Kerberos Libraries + CyaSSL Android.

© Copyright 2012 yaSSL Slide 19 / 39

•  Cross-compiled libraries for Android •  Created shell script for easy reproduction by developers

3. Android Application

© Copyright 2012 yaSSL Slide 20 / 39

Android App Simple sample NDK project

© Copyright 2012 yaSSL Slide 21 / 39

Home Screen •  Single screen •  Uses JNI •  Wrapper around native

client apps

Android App Simple sample NDK project

© Copyright 2012 yaSSL Slide 22 / 39

kinit •  Gets a ticket using

specified principal

Android App Simple sample NDK project

© Copyright 2012 yaSSL Slide 23 / 39

klist •  Lists our tickets

Android App Simple sample NDK project

© Copyright 2012 yaSSL Slide 24 / 39

kvno •  Gets a service ticket for

the entered principal

Android App Simple sample NDK project

© Copyright 2012 yaSSL Slide 25 / 39

klist after kvno •  Verify that we got a

ticket

Android App Simple sample NDK project

© Copyright 2012 yaSSL Slide 26 / 39

kdestroy •  Clear our ticket cache

Notes •  Uses a keytab instead of passwords

•  Storage locations have been chosen for convenience

Android App

© Copyright 2012 yaSSL Slide 27 / 39

Can be easily modified to what the developer needs Currently at /data/local/kerberos

License Type •  Application code will remain under the MIT license

Android App

© Copyright 2012 yaSSL Slide 28 / 39

4. GSS-API Wrapper

© Copyright 2012 yaSSL Slide 29 / 39

GSS-API Java Wrapper

© Copyright 2012 yaSSL Slide 30 / 39

•  Provide Java bindings for developers to use •  Uses framework

•  Wrapper around native Kerberos GSS-API library

(Contains functionality found in gssapi.h)

GSS-API Java Wrapper

© Copyright 2012 yaSSL Slide 31 / 39

2 example clients: •  Android client functionality

•  Stand-alone Java app for desktop use

GSS-API Integrated into sample app.

© Copyright 2012 yaSSL Slide 32 / 39

Example Client •  Est. context with example server

•  Send wrapped message, verify

returned sig. block (gss_wrap, gss_verify_mic)

•  Repeat #2, but with gss_seal,

gss_verify •  Misc. API tests and exit.

GSS-API Integrated into sample app.

© Copyright 2012 yaSSL Slide 33 / 39

Example Server •  Est. context with client

•  Receive and unwrap a message from the client

•  Generate & send signature block for received message

The Future

What's happening next?

© Copyright 2012 yaSSL Slide 34 / 39

The Future Look to the Community.

© Copyright 2012 yaSSL Slide 35 / 39

Availability •  Code will be linked from both MIT and yaSSL websites

The Future Look to the Community.

© Copyright 2012 yaSSL Slide 36 / 39

PR Activity / Visibility •  Blog posts •  Forum posts •  Press releases •  GitHub •  Mailing lists •  etc...

The Future

© Copyright 2012 yaSSL Slide 37 / 39

Other ideas or thoughts?

References

© Copyright 2012 yaSSL Slide 38 / 39

Statistics •  http://ansonalex.com/infographics/smartphone-usage-statistics-2012-infographic/ •  http://www.go-gulf.com/blog/smartphone •  http://blog.nielsen.com/nielsenwire/online_mobile/40-percent-of-u-s-mobile-users-own-smartphones-40-

percent-are-android/ •  Google I/O 2011: http://www.google.com/events/io/2011

Project Locations Kerberos: http://web.mit.edu/kerberos/ CyaSSL: http://www.yassl.com/

•  Android NDK App: https://github.com/cconlon/kerberos-android-ndk •  GSS-API Java Wrapper: https://github.com/cconlon/kerberos-java-gssapi

Thanks!

© Copyright 2012 yaSSL Slide 39 / 39

www.yassl.com