Fermi National Laboratory

Volume 24  |  Friday, October 19, 2001  |  Number 17

A Case of Identity: Kerberos

by Mike Perricone

Question for our time: Who are you, and can you prove it?

[Photo: Irwin Gaines conducts a workshop on Kerberos]

Issue for our time: Achieving a balance between freedom and security.

Increasingly, the computing solution for these questions in these times is Kerberos, a system of "strong authentication" for computer users invented at the Massachusetts Institute of Technology, and already operating at many universities and several Department of Energy national laboratories. The list includes Fermilab, which adopted Kerberos for the CDF and DZero experiment collaboration computers during the past year, with a goal of extending the protection to the entire site by the end of 2001.

But the team responsible for adapting and implementing Kerberos at Fermilab is emphatic about the balance point between freedom and security.

"If we do something a little differently and there's a real security benefit, that's OK," said Matt Crawford, who is managing the installation. "But if it means people can't work together, then that's not OK. The primary goal is to allow the work of science."

Irwin Gaines agreed.

"Fermilab must maintain an open collaborative environment, otherwise there is no science," said Gaines, who has led tutorial workshops introducing lab employees to the ins and outs of the coming system. "Kerberos is a way to make sure we know who uses Fermilab computers. It's a procedure that makes sense for our environment."

Kerberos strives for the best balance between security and freedom by addressing the question of identity and attempting to prevent identity theft. Kerberos establishes proof of identity ("user authentication") through cryptographic calculations at local computers, with a central server validating the proof. Kerberos aims to keep passwords from ever being transferred over networks, where they are vulnerable to "sniffers": programs that watch for passwords going by and harvest them for identity theft. Unfortunately, sniffers are everywhere.

"The nature of the Internet has changed," Gaines said. "The number of people breaking into computers, not just Fermilab computers but computers all over the world, has grown exponentially. A person who has stolen an identity can then log into a computer and assume that identity. Because Fermilab computers are used by people all over the world, users have to log in from a remote site. If they're typing a password over the network, that password can be grabbed off the network at any point."

Since an individual identity is precious, Gaines has cautioned his workshop audiences to "treat your Kerberos password as a sacred object. Don't write it down on a sticky and attach it to your computer screen. Don't write it down, anywhere." In addition, a Kerberos password must be different from any other password that an employee uses.

Kerberos acts as a gatekeeper for access to certain high-priority services, while leaving lower priority services alone. There will be two access routes, via software or cryptocard. The first route involves installing software on a desktop computer so a user can prove a Kerberos identity locally. The desktop will exchange information with the Key Distribution Center, which issues a key or ticket good for a computer anywhere in the lab. The alternate route involves a cryptocard, which produces a one-time password. A user without a Kerberos identity will be given a cryptocard challenge which, if passed, issues a one-time, one-use password.

"So even if it's seen," Gaines said, "it does no good because it's instantly obsolete."

Crawford, who Gaines said originated much of the plan, also created the innovation of having the cryptocard challenge available site-wide. The cryptocard allows access from any computer on site, any home computer, any traveling computer, as long as the user brings the cryptocard along.
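A minimal model of the software route described above (the desktop proves its identity locally, the Key Distribution Center validates the proof and issues a ticket, and the password itself never crosses the network), added here as an illustration and not code from the article or from Fermilab's deployment. The sealing function, the JSON ticket layout, the principal names and the timestamps are assumptions of this model; real Kerberos uses its own encryption types and message formats.

```python
import hashlib, hmac, json, os

def string_to_key(password, principal, realm="FNAL.GOV"):
    # Long-term client key derived from the password (real AES enctypes use PBKDF2
    # salted with realm+principal). The KDC stores this key, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10000)

def seal(key, nonce, data):
    # Toy stream cipher standing in for Kerberos encryption: HMAC-SHA256 in
    # counter mode as the keystream, XORed with the data (same call unseals).
    ks = b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_preauth(client_key, now):
    # The desktop's proof of identity: the current time sealed under the
    # password-derived key. Only this ciphertext crosses the network.
    nonce = os.urandom(16)
    return {"nonce": nonce, "enc_ts": seal(client_key, nonce, str(now).encode())}

class KDC:
    MAX_SKEW = 300  # seconds; older proofs are stale, so a captured one soon expires
    def __init__(self):
        self.db, self.tgs_key, self.seen = {}, os.urandom(32), set()
    def register(self, principal, password):
        self.db[principal] = string_to_key(password, principal)
    def as_exchange(self, principal, proof, now):
        # Validate the proof, then issue a ticket-granting ticket plus session key.
        key = self.db.get(principal)
        if key is None:
            return None
        try:
            ts = int(seal(key, proof["nonce"], proof["enc_ts"]))
        except ValueError:
            return None  # wrong password: the timestamp does not unseal to a number
        if abs(now - ts) > self.MAX_SKEW or proof["enc_ts"] in self.seen:
            return None  # stale or replayed proof
        self.seen.add(proof["enc_ts"])
        session_key, tn, kn = os.urandom(32), os.urandom(16), os.urandom(16)
        ticket = json.dumps({"client": principal, "key": session_key.hex(), "expires": now + 8 * 3600}).encode()
        # The TGT is readable only by the KDC; the session key only by this client.
        return {"tgt": (tn, seal(self.tgs_key, tn, ticket)), "enc_key": (kn, seal(key, kn, session_key))}

def client_login(kdc, principal, password, now):
    # What the desktop does: derive the key locally, prove it, unseal the reply.
    key = string_to_key(password, principal)
    reply = kdc.as_exchange(principal, make_preauth(key, now), now)
    if reply is None:
        return None
    kn, enc = reply["enc_key"]
    return reply["tgt"], seal(key, kn, enc)
```

Everything a sniffer could capture in this exchange is a nonce and sealed bytes; a stale or replayed proof is refused by the KDC, and the ticket is opaque to the client.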

The Kerberos team, which has been operating for more than a year and a half, includes Randy Reitz and Frank Nagy of the Computing Department. Tom Nash and Computing Division Head Matthias Kasemann act jointly as Computer Security Executive, reporting directly to Fermilab Director Michael Witherell. Dane Skow is head of the Fermilab Computer Security team, and deputy to Nash and Kasemann. Crawford is Fermilab Computer Security Coordinator and project manager. Gaines is deputy FCSC for the general security domain and for training and education, while Donna Dyxon is deputy FCSC for government and DOE liaison.

The lab also has what Gaines described as a "volunteer fire department," the Fermilab Computer Incident Response Team. Volunteers from many areas of the lab take turns being on call to "put out fires," providing the first line of defense against unauthorized access. Don Petravic is about to replace Skow as head of FCIRT.

Crawford admitted that Kerberos won't plug every hole, but pointed to its widespread acceptance through its adoption by vendors including Microsoft, Sun, Cisco, IBM and many others. In addition, the goal for the security system is to maintain openness and minimize disruptions in communicating scientific information.

"It's like putting all our eggs in one carefully designed, well-secured basket," Crawford said. "Any system bugs or intruders can break one egg, but we're pretty sure they can't get the whole basket."

On the Web:
Kerberos at Fermilab http://www.fnal.gov/docs/strongauth

last modified 10/22/2001 by C. Hebert