The Kerberos protocol is provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication.
However, simply "adding a dash of Kerberos" does not make a magically secure a network. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators - the kind of dance that never quite stays in step.
A careful review of RFCs, deployment guidance, and developer reference materials reveals a host of "theoretical" flaws when Kerberos is used. This presentation will demonstrate new techniques that make the theoretical practical in common Kerberos deployments, and provide guidance to ensure that software and systems are hardened against attack.