Network Security Defined - Authentication Exchange

 

Authentication is the most basic security service in a distributed computing environment.

 

Authentication Exchange Methods

Authentication techniques require that you prove your identity or a program proves its authentication. This can be done by using any one or more of the following:

  • A password or character sequence known only to you or the program
  • A key card or other physical authorization unique to you
  • Your fingerprints, signature, or other item that identifies only you

Authentication techniques range from quite simple to very complex. The traditional use of passwords is a middle-of-the road example of an authentication method. Other authentication techniques include:

  • UNIX r commands, such as rlogin and rsh
  • Kerberos, an authentication protocol developed at the Massachusetts Institute of Technology (M.I.T.).

 

Berkeley “r” Command Authentication

The Berkeley “r” commands are UNIX client and server facilities that perform useful services in a UNIX network. The commands rely on simple authentication techniques, such as secure login, host.equiv files, and .rhost files. Security using r commands is intended for a relatively open and trusting network environment. These r commands include:

  • rlogin — Allows remote login from one system to another
  • rsh — Allows commands to be executed on remote UNIX systems
  • rcp — Copies files from one system to another
  • rexec — Allows remote users to execute local system commands based on username, password, and service access list authorization

To use these commands, a user must have an account on the destination host (the server). To authenticate a user, the host can:

  • Search its client password file for an entry of the supplied user name.
  • Search for a match to the user or host name.
  • Search the .rhosts file in the user's home directory for the user or host name.
  • Prompt the remote user for a password and perform normal authentication (only rlogin).

 

Kerberos

The Kerberos protocol provides network security by regulating user access to networking services.

In a Kerberos environment, at least one system runs the Kerberos Server. This system must be kept secure. The Kerberos Server, referred to as a trusted server, provides authentication services to prove that the requesting user is genuine. Another name for the Kerberos Server is the Key Distribution Center (KDC).

Other servers on the network, and all clients, are assumed by the system administrator to be untrustworthy. For the Kerberos protocol to work, all systems relying on the protocol must trust only the Kerberos server itself.

In addition to providing authentication, Kerberos can supply other security services such as:

  • Data integrity
  • Data confidentiality

    Kerberos uses private key encryption based on the Data Encryption Standard (DES). Each client and server has a private DES key. The Kerberos protocol refers to these clients and servers as principals. The client's password maps to the client's private key.

    The Kerberos Server maintains a secure database list of the names and private keys of all clients and servers that are allowed to use the Kerberos Server's services. Kerberos assumes that all users (clients and servers) keep their passwords secure.

    The Kerberos protocol solves the problem of how a server can be sure of a client’s identity. Kerberos does this by having both the client and server trust a third party, in this case, the Kerberos Server. The Kerberos Server verifies the client's identity.

     

    Some Kerberos Terms

    Some of the terms commonly associated with Kerberos include:

  • Principal
  • Ticket-granting ticket
  • Service ticket
  • Authenticator

     

    Principal

    Kerberos refers to clients and servers as principals and assigns each one a name. An example of the general naming format is name.instance@realm

    • name — For clients, this is the user’s login name; for servers, it is the name of the service provided, usually rcmd
    • instance — This is usually omitted and unnecessary for clients; for Kerberos administrators, the value is admin; for servers, it identifies the machine name of the application server that has Kerberos authentication support. For example, if the rlogin server on merlin has Kerberos authentication support, the principal would have the following format:

      rcmd.merlin@your_realm

    • realm — is associated with all principals in a Kerberos database and is the name of a group of machines, such as those on a LAN; it identifies the Kerberos domain.

    You can omit the instance and realm components from some principals. For example, a possible principal for jones (for user Jones in the local domain) could be jones@daisy.com for user Jones in the daisy.com domain. A possible principal could also be rcmd.merlin (for the rlogin server in the local domain) or rcmd.merlin@daisy.com (for the rlogin server on merlin in the domain daisy.com).

     

    Ticket-Granting Ticket

    A ticket-granting ticket contains an encrypted form of the user’s Kerberos password. Use it to obtain application service tickets from the Kerberos server. You cannot use Kerberos authentication without first having this ticket-granting ticket.

    The ticket-granting ticket has an associated lifetime that the Kerberos server specifies. This lifetime is generally eight hours. You can use the same ticket over and over again, until you no longer need the ticket or it expires.

     

    Service Ticket

    Kerberos uses service tickets to verify a client’s identity to an application server. The Kerberos server encrypts the service ticket with the application server’s private key. Only that application server can decrypt the service ticket.

     

    Authenticator

    The Kerberos protocol uses authenticators to prevent eavesdroppers from stealing a ticket. The client sends a new authenticator with each service request. An authenticator consists of the client’s name and IP address, and a timestamp showing the current time.

    The server uses the information in the authenticator to confirm that the rightful owner presents the accompanying ticket. For this to be true, the client and server must synchronize their clocks. One way of doing this is through the Network Time Protocol (NTP).