UBM Network Computing
TechWeb
Kerberos Network Design Manual

Network Authentication: Who's Who?
Kerberos is primarily a centralized network authentication system, designed to verify users' identities on workstations throughout the network without compromising passwords by transmitting them across the network in clear text. In this light, Kerberos solves three common network management problems: it allows administrators to maintain a single, centralized password store, it prevents passwords from being intercepted on the network, and it frees users from repeatedly authenticating themselves to servers throughout the network.

Relying on strong cryptography to generate forgery-proof digital authentication tickets, Kerberos lets users access network resources by simply presenting these secure tickets rather than repeatedly entering a user name and password (most networks still require users to log onto each server manually). This prevents passwords from traversing the network, where they can be intercepted, unlike password-caching applications, such as the ones included in Windows 95 networking, that simply keep passwords in memory and transmit them upon request. This secure authentication enables distributed servers to delegate the task of authenticating users to a single server (or small group of servers) on the network. Besides forming a single point of administration, this has an advantage for overall network security: as long as the central authentication servers are secure, all participating network nodes that trust the security servers are secure.

As the hallmark of a secure network authentication system, Kerberos never transmits sensitive information, such as passwords, across the network in an insecure fashion. At initial sign-on, Kerberos solves this problem with a simple trick: instead of verifying the password on the server, Kerberos relies on the workstation to verify the password. (The Kerberos protocol is described in depth later in this document.)

When fully implemented, Kerberos provides the backbone of a true single sign-on system. Still a utopian goal for most network administrators, a true single sign-on environment requires a user to sign onto the network once per session, usually at a workstation's login screen. The user's identity is then verified, and credentials are automatically transmitted to any services the user wishes to access. The result: the user appears to log into "the network," and services throughout the network appear to work together in harmony. Although ease of use is the impetus for single sign-on technologies, an implementation like Kerberos would require extra measures to protect authentication transactions.
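To make the "simple trick" above concrete, here is an added example (not from the article) that models the Kerberos initial sign-on exchange in Python: the KDC stores a key derived from the password, seals a fresh session key under it, and the workstation learns whether the typed password was right by whether that reply decrypts. The cipher, salt, principal name and password are constructed stand-ins for illustration only; the real protocol's encryption types are not used.

```python
import hashlib, hmac, os

def string_to_key(password: str, salt: bytes) -> bytes:
    # Kerberos derives the user's long-term key from the password plus a salt
    # (classically realm + principal name). PBKDF2 is the stand-in used here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag. The tag is what lets
    # the client detect a wrong key (i.e. a mistyped password) or a tampered reply.
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered reply")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed KDC database: the KDC stores derived keys, never the passwords.
SALT = b"EXAMPLE.COMalice"
KDC_DB = {"alice": string_to_key("correct horse battery", SALT)}

def kdc_as_reply(principal: str) -> bytes:
    # AS_REP: a fresh session key sealed under the user's long-term key.
    # Nothing in the request carried the password, so the KDC cannot leak it.
    session_key = os.urandom(32)
    return encrypt(KDC_DB[principal], b"SESSIONKEY:" + session_key)

def client_login(principal: str, password: str) -> bytes:
    # The workstation "verifies" the password locally: the reply decrypts
    # cleanly only if the typed password derives the same key the KDC holds.
    reply = kdc_as_reply(principal)  # on the wire: principal name and this blob only
    return decrypt(string_to_key(password, SALT), reply)[len(b"SESSIONKEY:"):]

def login_succeeds(principal: str, password: str) -> bool:
    try:
        return len(client_login(principal, password)) == 32
    except ValueError:
        return False
```

Because the password itself never appears in any message, a sniffer sees only the principal name and an encrypted blob; real Kerberos 5 deployments additionally require pre-authentication so that an unauthenticated request cannot obtain that blob for offline guessing.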

Your data: Under the Looking Glass
The benefits of network computing are obvious: nearly instantaneous access to services throughout an organization, user collaboration and resource sharing. Networks are also a repository for private information such as personnel records, or even a company's top-secret proprietary information. When access to sensitive information is too easy, it's time to take a close look at restricting access.

While all network operating systems include certain levels of security, most network technologies, like Ethernet, Token Ring or ATM, operate using a shared medium: all messages are broadcast throughout the local network and are received by the appropriate party. While network protocol analyzers continue to be a threat to information carried by standard network operating systems such as Novell's NetWare or Microsoft's NT or LAN Manager, most corporate networks are restricted to a single building or campus, and wide-area networks are primarily based on private, leased lines. In the past, network managers have taken solace in the fact that any protocol "sniffing" on the network is probably an inside job.

On the other hand, the emergence of the Internet allows corporate users to access information from systems throughout the world. Since the Internet is by definition an environment built upon open protocols, Internet, intranet (and independent IP) networks are particularly vulnerable to eavesdropping. Published data transfer and remote login protocols primarily transfer data in clear text. In addition, these protocols are equally vulnerable to a different threat: spoofing. In this case, false packets are sent, or are inserted into existing data streams. Such techniques can allow unauthorized users to take control of TCP connections belonging to other users, thus gaining unauthorized access to systems on the network.

TCP/IP is a trusting protocol. It includes no provisions for secure communications, or even packet authentication (such as verifying packets using a cryptographic signature). While many IP-based services can control access based on source IP address, numerous packet-spoofing incidents on the Internet attest to the weakness of this security model. Any secured communication using IP must occur in the application layer (above TCP or UDP). In other words, security is left up to the application. This allows large IP networks such as the Internet to route packets regardless of what security measures are present.

True to the IP security model, MIT's Kerberos provides an application-level network security model. Applications written to take advantage of Kerberos (Kerberized applications) include the API calls to accept a user's authentication and, optionally, to establish encrypted communications.

Copyright © 2008  United Business Media LLC  |  Privacy Statement  |  Terms of Service  |  Your California Privacy Rights