Authentication in Network Systems using the Kerberos Framework


Punit Agrawal
Masters in Computer Science, Washington State University, Pullman, WA

Abstract

Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true. Humans have this ability by birth: our senses allow us to perceive patterns in our surroundings and distinguish, or authenticate, the people that we know. Computers lack these senses and hence have to devise other ways of authenticating. The most common approach has been the use of passwords, or a shared secret. There are several problems associated with the use of passwords. We, as humans, are not very good at remembering long, complex, alphanumeric strings of characters and end up using simple dictionary words or some personal information as passwords, which makes it easy for an attacker to guess or crack the password. Another problem is that the password needs to be sent over the network. If the password is sent as plaintext, then anyone eavesdropping on the network can get hold of the password. Some systems encrypt the password before sending it, but the encryption is not really secure. Kerberos is an authentication framework developed at the Massachusetts Institute of Technology (MIT) as part of Project Athena in the 1980s, and it provides a possible solution to these two issues. Firstly, it reduces the number of passwords in use from n passwords for n network services to one. Secondly, it never sends the password over the network, and it uses secure encryption and message integrity combined with timestamp information to send other sensitive data, so as to minimize the threat of eavesdropping and man-in-the-middle attacks. This paper specifically discusses the V4 Kerberos framework in a distributed network environment and gives an in-depth explanation of how it provides a secure computing environment.
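As an added illustration (not part of the paper), the following simplified model of the exchange described above shows the two properties the abstract claims: the client's password never appears in any message, the KDC holds only a password-derived key, and the service rejects authenticators whose timestamp is outside the clock-skew window or has already been seen. The principal names, the hash-based encrypt-then-MAC cipher, PBKDF2 key derivation and the 5-minute skew are assumptions of this model; Kerberos V4 itself uses DES and its own string-to-key function.

```python
import hashlib, hmac, json, os, time
SKEW = 300  # assumed 5-minute clock-skew tolerance for authenticators

def key_from_password(principal, password):
    # stand-in for Kerberos' string-to-key (V4 derives a DES key; here PBKDF2, 32 bytes)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)
def _keystream(key, nonce, n):  # hash-based keystream for the toy cipher below
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]
def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object (stands in for V4's DES encryption)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC database: principal -> password-derived key (the password is never stored or sent)
KDC_DB = {"alice@REALM": key_from_password("alice@REALM", "correct horse")}
TGS_KEY = os.urandom(32)  # key shared by the AS and the ticket-granting service
SEEN = set()              # service-side replay cache keyed on (client, timestamp)

def as_exchange(principal):
    """AS_REQ carries only the name; AS_REP is readable only with the password-derived key."""
    session_key = os.urandom(32).hex()
    tgt = seal(TGS_KEY, {"client": principal, "key": session_key, "issued": time.time()})
    return seal(KDC_DB[principal], {"key": session_key, "tgt": tgt.hex()})

def client_login(principal, password, as_rep):
    # The client proves it knows the password by decrypting AS_REP locally.
    creds = unseal(key_from_password(principal, password), as_rep)
    return bytes.fromhex(creds["key"]), bytes.fromhex(creds["tgt"])

def verify_authenticator(tgt, authenticator, now=None):
    """Service side: open the TGT with the TGS key, then the authenticator with the session key."""
    now = time.time() if now is None else now
    ticket = unseal(TGS_KEY, tgt)
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator/ticket principal mismatch")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator outside clock-skew window")
    if (auth["client"], auth["ts"]) in SEEN:
        raise ValueError("replayed authenticator")
    SEEN.add((auth["client"], auth["ts"]))
    return ticket["client"]
```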

Introduction

This paper gives an overview of the Kerberos authentication framework developed at MIT by Miller and Neuman [3]. Section 1 starts by describing the need for a robust authentication service, specifically in an open networking environment [5]. Section 2 describes version 4 of the Kerberos framework, discussing the entities involved and how mutual authentication is provided. Section 3 deals with the problems with version 4, and how these are resolved in version 5 of the framework is discussed in Section 4. Finally, Section 5 details some of the systems which have been kerberized.

1 The need for Kerberos

In the last decade, with the advent and rise of distributed systems, the use of networked system resources has become commonplace in most organizations. The motivation has been to reduce expenditure on hardware resources as well as to promote a thin-client environment through the use of shared processing power. However, the more distributed systems become, the more complex the security-related issues become. Specifically, access to shared and networked resources needs to be restricted to authorized and eligible users only. In a personal computing environment, this can be done easily by introducing authentication mechanisms in the operating system layer. The administrator can be sure that the computer's resources will be used by only a single user. Hence, in this case, one-time authentication at login is good enough. However, in a distributed network, requests for services such as a networked printer service may come from any computer connected to the network. Before the resource can be granted, proper authentication needs to be done to check whether the application which requested the service is in fact the actual requester
