Strong Authentication at Fermilab
Appendix A. Implementation Details of Strong Authentication at Fermilab
TOC PREV NEXT INDEX

Chapter Contents

Appendix A. Implementation Details of Strong Authentication at Fermilab
  A.1 What is "Strong Authentication"?
    A.1.1 Definition
  A.2 Goals of Strong Authentication at Fermilab
  A.3 The Authentication Model Implemented at Fermilab
    A.3.1 The Realms
    A.3.2 Relationships between the Realms
  A.4 Features of Strong Authentication at Fermilab

 

Links

View or print PDF file of chapter

Back to Strong Auth Index Page
CD Home Page
Fermilab at Work
Fermilab Home


Appendix A. Implementation Details of Strong Authentication at Fermilab


In this appendix we discuss the concept of strong authentication and the features and environment as implemented at Fermilab.

A.1 What is "Strong Authentication"?

A.1.1 Definition

A succinct definition of strong authentication was given by Tardo and Alagappan1:

"Techniques that permit entities to provide evidence that they know a particular secret without revealing the secret."

In more practical terms, it is a system of verifying workstation user and network server identities on an unprotected network in which the parties must demonstrate knowledge of a "secret" rather than transmit a password. Typically the verification is done via a trusted third-party authentication service using conventional cryptography. Strong authentication avoids relying on authentication by the host operating system or basing trust on host addresses. It does not require that the network be safe from eavesdropping, or from injection of hostile packets or alteration/deletion of packets2.

A.2 Goals of Strong Authentication at Fermilab

Fermilab must demonstrate to the DOE that it is implementing a computer security system that exercises tight control over who uses the lab's computers and network (which are owned by the government). The Computing Division has been charged with implementing Strong Authentication to meet Fermilab's obligation.

A primary goal of this effort is to essentially eliminate the transmission of clear text reusable passwords over the network and their storage on local systems. It is impossible to entirely prevent the transmission of clear text passwords, but we are implementing a solution that removes the most common opportunities as well as most of the necessity for typing a password.

Other important goals for us include:

A.3 The Authentication Model Implemented at Fermilab

The strong authentication service implemented at Fermilab is the Kerberos Network Authentication Service V5. We describe many of its features in Chapter : About the Kerberos Network Authentication Service V5. In this section we describe the model more generally.

A.3.1 The Realms

The model employed at Fermilab divides the computing environment into three realms:

The strengthened realm

The strengthened realm consists of all systems (whether on- or off-site) that require strong authentication for access from the network. On a strengthened system, all traditional means of access that use weak authentication, such as telnet, rlogin, FTP, and so on, are replaced with strengthened versions of these programs. Means of access over the network that do not involve passwords are allowed. Weak authentication (standard security) is allowed for local access only, i.e., via the console or locally attached display.

The production realm at Fermilab for UNIX machines is called FNAL.GOV3, and for Windows 2000, there is FERMI.WIN.FNAL.GOV.

The trusted realm

Other sites which implement strong authentication, and which meet certain criteria, may be recognized by the strengthened realm at Fermilab as a "trusted" realm. Trusted realms provide levels of security and authentication equivalent to our own. Trust relations (cross-authentication) between the trusted realm and the strengthened realm allow access without further authentication (i.e., the authentication takes place only when user accesses either realm individually).

The untrusted realm

The untrusted realm consists of those systems that do not require strong authentication and that permit traditional means of access. These systems typically expose clear-text passwords on the network.

A.3.2 Relationships between the Realms

The figures below illustrate the relationships between these realms. (The Key Distribution Center, or KDC, shown on these figures is described in Chapter : About the Kerberos Network Authentication Service V5.)

Direct connections between machines in the strengthened realm are allowed (the Key Distribution Center is involved in providing credentials to the client's machine which can be passed along to access the other strengthened machine).

Direct connections from the strengthened to the untrusted realm are allowed.

One-time passwords are used for direct connections from the untrusted to the strengthened realm at Fermilab. Strengthened machines are configured to respond in portal mode when requests for access come from machines in the untrusted realm. In portal mode, the strengthened machine acts as a secure gateway into the strengthened realm, requiring a single-use password for authentication. This avoids transmission of reusable clear-text passwords over a potentially unprotected network.

Different programs exist for generating non-reusable passwords, and at Fermilab we currently support CRYPTOCard (described in Appendix : Using your CRYPTOCard). No special hardware or software is required on the untrusted system.

For connections between untrusted machines, strong authentication is not involved. The standard network programs are used in the normal way.

A.4 Features of Strong Authentication at Fermilab

The strong authentication model implemented at Fermilab:

1J.J. Tardo and K. Alagappan, "SPX: Global Authentication Using Public Key Certificates." In Proc IEEE Symp. Research in Security and Privacy. IEEE CS Press, 1991.
2The Kerberos authentication process can fail if too many packets are altered or deleted (e.g., all of them in one or both directions, until the client gives up).
3As long as the PILOT.FNAL.GOV realm is operating in parallel, the information in this manual applies equally to both realms.
4Certain systems, such as embedded systems or specialized on-line systems may not be capable of participating directly in strong authentication. These systems may be accommodated by alternate access.

TOC PREV NEXT INDEX
View/print PDF file | Back to Strong Auth Index Page | Computing Division | Fermilab at Work | Fermilab Home
This page generated on: 09/01/06 16:26:08