Computer Security Strong Authentication Project: Synopsis
An analysis of the major computer security incidents at the laboratory over the past year shows that a common root cause of incidents is the compromise of passwords by transmission in clear text over the network. Passwords in clear text are susceptible to "sniffing" by any compromised system in the network path and can be re-used to gain unauthorized access to the destination system. This is a well known and common method for hackers to gain unauthorized access.
Further, with user access to a compromised system, hackers can fairly easily gain access to crack the local password file, leading to further compromise. This aggravates the response, since it can lead to requiring all the users of the compromised system to change their passwords.
The primary goal of this project is to implement a strong authentication system that eliminates (so far as practical) the transmission of clear text re-usable passwords over the network and their storage on local systems. The inter-laboratory SLCCC Unclassified Computer Security Technical Working Group recommended that DOE laboratories adopt such a system in their white paper, Alternatives to Reusable Passwords: Robust Authentication. Strong authentication is likely to be required by new DOE unclassified computer security requirements.
Secondary, but important, goals include:
The model divides the environment into four realms. The strengthened realm consists of all systems (whether on- or off-site) that require strong authentication for access from the network. These systems must replace all traditional means of access that use weak authentication, such as telnet, rlogin, ftp, etc, with strengthened versions. Local access (i.e. via the console or locally attached display) with weak authentication is allowed, as are means of access over the network that do not otherwise expose passwords.
The untrusted realm consists of those systems that do not require strong authentication and permit weak authentication and traditional means of access. These systems may expose cleartext passwords on the network. Direct connections from the strengthened to untrusted realm are allowed; connections from the untrusted to strengthened realm are not.
The portal provides a secure gateway between the untrusted and strengthened realms. Users authenticate between systems in the untrusted realm and the portal realm through non-reusable passwords (e.g. S/Key one-time password lists or password-generating hardware tokens such as SecureID or CryptoCard). Other than physical possession of the one-time passwords by the user, no special hardware or software is required on the untrusted system.
Sites which implement strong authentication, and which meet certain criteria, may be included as a trusted realm. Trusted realms provide levels of security and authentication equivalent to our own. They use their local strong authentication method, and trust relations (cross-authentication) between the trusted realm and the strengthened realm allow access without further authentication. Trusted realms are optional but desired.
Kerberos Authentication Features
The strong authentication protocol for this project is Kerberos v5. Kerberos was developed at MIT in 1987 specifically for use over insecure networks and has matured into a stable product with widespread operating system and application support. Kerberos continues to see active development, with new releases occurring about each year. Kerberos v4 is already in use at Fermilab as part of AFS and both Kerberos v4 and v5 are widely used at other laboratories and universities.
Kerberos provides mutual authentication for users as well as services running on systems, collectively known as principals. Each principal has a symmetric key used to encrypt and decrypt short messages exchange with a key distribution center (kdc). For a user, this key is a hash of the user’s password; for a service, it is a random bit string. Knowledge of a key (equivalent to the ability to correctly decrypt messages from the kdc) authenticates the identity of a principal. The kdc holds a copy of the key for all the principals in the strengthened realm.
Tickets are obtained from the kdc to authenticate a user to a service on a system, such as telnet or ftp. A ticket contains information encrypted with the key of the service principal. The user's client presents the ticket to the service, and the ability of both to correctly decrypt the relevant parts of the ticket establishes knowledge of the correct keys and therefore authentication. A particular ticket is the ticket-granting ticket, which authenticates a user to the ticket-granting service of the kdc, and allows a user to obtain tickets for other services.
Tickets can be forwardable, renewable, and/or post-dated. Forwardable tickets can be used with the kdc to authenticate to additional services beyond the original service they were obtained for. Renewable tickets can have their lifetime extended, by action of the user, beyond the default lifetime, up to an established limit. Post-dated tickets become valid after a time in the future.
Authenticated network access to systems within the strengthened realm must only be possible through Kerberos; non-Kerberos methods of access must be replaced. The portal provides the application gateway between the Kerberos strengthened realm and the non-Kerberos untrusted realm. In order to prevent disclosure of passwords on the untrusted network, non-disclosing one-time passwords must be used to authenticate to the portal. The portal will then obtain the initial set of Kerberos tickets on the user’s behalf, allowing the user to work on the strengthened system without entering the Kerberos password on an unencrypted connection.
To work interactively on strengthened systems from the untrusted realm, a user telnets to the portal and provides non-reusable authentication. The portal obtains Kerberos tickets on the user’s behalf and the Kerberos version of telnet on the portal system allows access to strengthened systems. The user may run X applications on the strengthened system or open multiple telnet sessions via the portal, but each portal telnet session requires a separate authentication (use of a one-time password). Ftp file "pushes" from the strengthened to the untrusted realm are allowed directly and do not involve the portal. File "pulls" use a modified ftp server that incorporates a Kerberos ftp client, allowing for "pass-through" file transfers.
Users will find it most convenient if their own systems are in the strengthened realm, and installation of Kerberos on individuals’ desktops will be encouraged and made as easy as possible. Placing a system in the strengthened realm will be a straightforward procedure. UPS install will load the required software onto the system, disabling the non-Kerberos clients and servers and replacing them with their Kerberos equivalents.
Pilot Project: CDF Run II Analysis Prototype
The CDF Run II Analysis Prototype has been chosen for a small pilot project with "real" end users and applications. The system consists of two server, a Sun and SGI, and an initially small number (~6) of Linux desktops. Software distributions for these operating systems have been built and made available via UPS. Interim user and developer documentation is being developed and the necessary Kerberos software libraries are being built for the pilot. Specific software applications will be modified to use Kerberos authentication.