HP HP-UX Kerberos Data Security White Paper
Kerberos White Paper
Executive Summary .............................................................................................................................. 2
Problem Statement ............................................................................................................................... 2
Historical Evolution of Kerberos ............................................................................................................. 3
Why Kerberos? ................................................................................................................................... 3
Kerberos Basics................................................................................................................................... 3
How Kerberos Works........................................................................................................................... 4
Authentication Process.......................................................................................................................... 4
Kerberos Products on HP-UX.................................................................................................................. 6
PAM Kerberos (PAM-Kerberos) .......................................................................................................... 6
Kerberos Client (KRB5-Client) Software ............................................................................................... 7
HP Kerberos Server Version 3.1......................................................................................................... 7
Introduction to LDAP ..................................................................................................................... 8
Kerberos Server on HP-UX with Native Back End.............................................................................. 8
Kerberos Server on HP-UX with LDAP Back End................................................................................ 8
Benefits of an LDAP Back End ........................................................................................................ 8
Integrating the Kerberos Principal into the LDAP Directory ................................................................. 8
Generic Security Service Application Programming Interface (GSS-API) .................................................. 9
Secure Internet Services (SIS) ........................................................................................................... 10
ftp ............................................................................................................................................ 10
rcp ........................................................................................................................................... 10
rlogin/rsh.................................................................................................................................. 10
telnet......................................................................................................................................... 10
Common Internet File System (CIFS).................................................................................................. 10
Secure Shell .................................................................................................................................. 10
Compatibility/Interoperability ............................................................................................................. 11
Summary .......................................................................................................................................... 11
References ........................................................................................................................................ 11
Glossary........................................................................................................................................... 12
Executive Summary
This white paper provides a high-level description of the Kerberos protocol. The paper includes
detailed information about important concepts and features of Kerberos authentication. The first
section provides basic information about Kerberos authentication. Following this introduction to the
protocol are several sections with details of how HP has implemented the Kerberos authentication
protocol.
HP-UX supports the following Kerberos suite of products on the on the HP-UX 11.0, 11i v1, and 11i
v2 operating systems:
Pluggable Authentication Module Kerberos (PAM-Kerberos)
Kerberos Client Software
HP Kerberos Server
Generic Security Service Application Programming Interface (GSS-API)
Secure Internet Services (SIS)
HP-UX Secure Shell (SSH)
The subsequent sections of this document discuss these in detail.
The paper concludes with a brief discussion of Kerberos protocol interoperability with other systems.
Problem Statement
The Internet is a vast place that connects millions of people from all corners of the globe to each other
everyday. In such a network, information can be lost, stolen, corrupted, or misused. Another
drawback of the internet is that it is difficult for individuals to confirm their identity to one another.
Confidentiality is very important for some types of information, such as information related to banking
and medical. It is therefore important that a user, who wants to access this kind of information online,
be able to confirm that the user is who he/she claims to be. This process is called authentication.
Kerberos plays a major role in authentication.
Traditionally, a process was set in place called Authentication by Assertion. Authentication by
assertion works as follows:
When a user runs a program that accesses a network service, the program (called the client) asserts
to the service that it is running on behalf of the user. This provides a very low level of security.
Consider the example of Berkeley rlogin. If a user rlogins to an account under his own name, but on
another machine, and if the user's .rhosts is set correctly, the rlogin program will assert the user's
identity to the rlogin daemon on the remote machine, and the daemon does not require a password
for login. This can become disastrous if an attacker is somehow able either to convince the rlogin
program that he/she is the legitimate user, or to rewrite a mutant version of rlogin asserting that
identity to the remote machine.
An alternative to this situation is to require a user to enter a password each time he/she accesses a
network service. This is a very time-consuming process, and it is insecure when users access services
on a remote machine. When a user is logged on to a remote machine and then logs in from there to
another remote machine, the password travels unencrypted through the network.
Kerberos fixes these problems because it provides single-sign-on, which lets a user log in to a system
and access multiple systems or applications without the need to enter the user name and password
multiple times. In addition, Kerberos is designed so that entities have to authenticate themselves by
demonstrating possession of secret information. In this manner, Kerberos solves traditional problems
involved with authentication.
Historical Evolution of Kerberos
The name Kerberos comes from Greek mythology; Cerberos was the three-headed dog that guarded
the entrance to Hades. Kerberos is a network authentication protocol developed by MIT
(Massachusetts Institute of Technology) as part of Project Athena, which started in 1983 when MIT
decided to integrate network computers as part of its campus curriculum. The goals of Athena were
the integration of a SSO (Single Sign-on), networked file systems, a unified graphical environment,
and a naming convention service.
Kerberos has since evolved into a strategic security standard that provides secure authentication
services to users, applications, and network devices, which eliminates the threats caused by
passwords being stored or transmitted across the network. Additionally, Kerberos provides data
integrity to ensure messages are not tampered with on the network and message privacy (encryption)
to ensure messages are not visible to eavesdroppers on the network.
The Kerberos model is partly based on Needham and Schroeder's trusted third-party authentication
protocol. Versions one through three never reached outside MIT, but version 4 was (and still is) quite
popular, especially in the academic community. It is also used in commercial products like the AFS
filesystem.
Why Kerberos?
The problem statement discussed the problems associated with traditional authentication methods and,
in particular, how passwords are vulnerable because they travel unencrypted over the network.
Password-based authentication is also inconvenient; users do not want to enter a password each time
they access a network service.
Kerberos is designed to eliminate the need for users to demonstrate possession of private or secret
information (the password). Instead, Kerberos disseminates this information. Kerberos Server lets
entities authenticate themselves, without transmitting their passwords in clear text over the network.
Commonly used to secure particularly vulnerable network communications like ftp, telnet, and other
widely used Internet protocols that normally transmit user IDs and passwords in clear text, Kerberos
provides the "plumbing" for common authentication services. Its scalability means that Kerberos is
ideal for large networks such as those used by governments, telecommunication networks, and major
financial institutions.
Kerberos Basics
Kerberos uses secret-key cryptography, which lets entities communicating over networks prove their
identity to each other while preventing eavesdropping or replay attacks. It also provides data stream
integrity (detection of modification) and secrecy (preventing unauthorized reading) using Data
Encryption Standards such as DES, 3DES, and AES.
Kerberos is based on the concept of a trusted third party that performs secure verification of users and
services. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC).
Kerberos is used to verify that users and the network services they use are really who and what they
claim to be. To accomplish this, a trusted Kerberos Server issues tickets to users. These tickets, which
have a limited lifespan, are stored in a user's credential cache and can be used in place of the
standard username-and-password authentication mechanism. The ticket can then be embedded in
virtually any other network protocol, thereby letting the processes implementing that protocol to be
sure about the identity of the principals involved.
How Kerberos Works
The Kerberos credential scheme embodies the SSO concept. Secure authentication is based on
previously established initial credentials, which eliminates the need to re-key a password on multiple
occasions.
A Kerberos server consists of the following elements:
• Realm - a user-defined administrative boundary.
• Key Distribution Center (KDC) - the heart of the Kerberos realm. It provides Kerberos
authentication services by issuing encrypted tickets that require secret keys to decode.
• Principal - a unique name for a user or service stored in a KDC.
• Tickets - records that help a client authenticate to a server.
Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the KDC.
The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the KDC key, and sends
the encrypted TGT back to the client. The client uses the TGT to obtain further service tickets, which
provide the proof of the client's identity.
Users can also enable pre-authentication. When pre-authentication is enabled, a user must sign on to
the KDC by providing knowledge of secret information. Once the identity of the user requesting for a
ticket is confirmed, the KDC returns a set of initial credentials for the user, consisting of a ticketgranting-ticket (TGT) and a session key.
If a principal (user) needs to access any service located on a particular system, the
KDC issues a service ticket for the specific service. A service ticket can be associated with one or
more Kerberos-secured services on the same system. The service ticket is usually used by a client
application on behalf of the user, to authenticate the user to the Kerberos-secured network service. The
Kerberized client application automatically handles the transactions with the KDC. Service tickets and
associated session keys are generally cached in the user’s credentials cache file along with the user’s
TGT.
Authentication Process
The following steps describe how a client and a server authenticate each other using Kerberos. The
step numbers match with the numbered arrows in Figure 1 below.
Loading...