Transmission of plain-text authentication information such as passwords is clearly the weakest link in user authentication systems. It is susceptible to "eavesdropping", where the password itself is compromised, and to "replay attacks", which simply retransmit previously sniffed encoded passwords to gain access to critical network services. The Kerberos protocol was specifically designed to let a principal demonstrate possession of private or secret information (the password) without divulging the information itself. AuthAgent Kerberos additionally provides data integrity checks, ensuring that messages on the network are not tampered with, and message privacy.
Tickets and Key Distribution
The basic unit that a Kerberos system uses to avoid sending passwords in the clear is called a "ticket". A Kerberos ticket is a record that allows a client to authenticate itself to a service. It contains the client's identity, a session key, a timestamp, and other information, all sealed using the service's secret key. Kerberos tickets are given out by an enterprise network service called the Key Distribution Center (KDC), which supplies tickets and temporary session keys and hosts a database of users and services. AuthAgent Kerberos provides the functionality for embedded network clients to present and store KDC-granted tickets for any Kerberos-enabled network service. It also includes the functionality to present the initial Ticket Granting Ticket (TGT) to the Ticket Granting Service (TGS) in exchange for service-specific tickets.
AuthAgent Kerberos can perform the initial authentication using X.509 formatted digital certificates as described in RFC 4556 (Public Key Cryptography for Initial Authentication in Kerberos – PKINIT). AuthAgent Kerberos’ PKINIT implementation is interoperable with the Heimdal and Windows Active Directory implementations when used in combination with TeamF1’s AuthAgent X.509 product. AuthAgent X.509 accepts certificates from files or from a smartcard. Smartcard support is implemented using PKCS#11.
When the principals being authenticated are users, AuthAgent Kerberos enables a single sign-on solution. Clients have to authenticate themselves only once to the KDC to obtain an initial Ticket Granting Ticket (TGT). Further service-specific tickets are automatically granted via the ticket-granting service (TGS) for as long as the TGT is valid. AuthAgent Kerberos allows the individual tickets to be cached and re-used until their validity expires, eliminating the need to repeatedly request tickets for the same service.
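As an added illustration (not TeamF1 code and not the AuthAgent API), the ticket flow described above modelled in Python: the KDC seals a ticket for a service, the TGT is exchanged at the TGS for a service ticket, and the service reuses the cached ticket while refusing a replayed authenticator or an expired ticket. The encrypt-then-MAC sealing, the principal names and the key database are constructed stand-ins, not a real Kerberos enctype.

```python
import hashlib, hmac, json, os

def _ks(key, nonce, n):  # SHA-256 counter-mode keystream (toy stand-in for an RFC 3961 enctype)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, record):  # encrypt-then-MAC a record under a principal's secret key
    nonce, pt = os.urandom(16), json.dumps(record).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # verify the tag before decrypting; tampering raises
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def issue_ticket(service_key, client, now, lifetime=300):
    """KDC side: client identity + fresh session key + validity window, sealed for the service."""
    skey = os.urandom(16)
    return seal(service_key, {"client": client, "skey": skey.hex(), "expires": now + lifetime}), skey

def verify(service_key, ticket, authenticator, seen, now, skew=300):
    """Service side: unseal with own key, then check validity, authenticator freshness and replay."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        return "expired"
    a = unseal(bytes.fromhex(t["skey"]), authenticator)  # only the ticket holder knows the session key
    if a["client"] != t["client"] or abs(now - a["ts"]) > skew:
        return "bad-authenticator"
    if (a["client"], a["ts"]) in seen:
        return "replay"
    seen.add((a["client"], a["ts"]))
    return "ok"

def sso_demo():
    db = {"krbtgt": os.urandom(32), "ftp/host": os.urandom(32)}  # constructed KDC key database
    user_key = hashlib.sha256(b"constructed-password").digest()  # derived on the client, never sent
    now, seen_tgs, seen_ftp = 1_000_000, set(), set()
    # AS exchange: TGT sealed for krbtgt; its session key reaches the client sealed under user_key
    tgt, skey = issue_ticket(db["krbtgt"], "alice", now)
    skey = bytes.fromhex(unseal(user_key, seal(user_key, {"skey": skey.hex()}))["skey"])
    # TGS exchange: TGT + authenticator earns a service ticket, with no password involved
    assert verify(db["krbtgt"], tgt, seal(skey, {"client": "alice", "ts": now}), seen_tgs, now) == "ok"
    svc_ticket, svc_skey = issue_ticket(db["ftp/host"], "alice", now)
    # AP exchanges: the cached service ticket is reused with fresh authenticators until it expires
    a1 = seal(svc_skey, {"client": "alice", "ts": now + 1})
    return {"first": verify(db["ftp/host"], svc_ticket, a1, seen_ftp, now + 1),
            "replay": verify(db["ftp/host"], svc_ticket, a1, seen_ftp, now + 2),  # sniffed and resent
            "cached": verify(db["ftp/host"], svc_ticket, seal(svc_skey, {"client": "alice", "ts": now + 60}), seen_ftp, now + 60),
            "expired": verify(db["ftp/host"], svc_ticket, seal(svc_skey, {"client": "alice", "ts": now + 400}), seen_ftp, now + 400)}
```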
Kerberos-enabled Clients & Services
AuthAgent Kerberos easily "kerberizes" embedded clients, allowing standard network client applications in any multi-platform environment to authenticate to Kerberos-enabled services. Similarly, network services that need to be Kerberos-enabled, and accept ticket-based authenticated sessions, can be secured with AuthAgent Kerberos. Kerberos-enabling of embedded clients and services is achieved using very few simple API calls during session initiation or initialization respectively.
AuthAgent Kerberos includes support for the latest standards-based ciphers for data encryption and message integrity verification, such as:
AuthAgent Kerberos may be used in application-level protocols, such as telnet or FTP, to provide "user to embedded device" security, or as the implicit authentication system for data streams or RPC mechanisms. It can also be used at a lower level for "embedded device to host" security, or between embedded devices, in any standard or proprietary network protocol including IP, UDP, and TCP. It also finds application in larger credential-based frameworks such as GSS-API. AuthAgent Kerberos is designed to be used as a standalone authentication mechanism in applications where only access control is important, or as a seamless add-on to network security solutions such as TeamF1’s SSHield SecureShell and V-IPSecure IPsec/IKE, where its authentication can be used alongside network security protocols that protect data in transit.
All AuthAgent solutions are available in full-source format and are highly customizable. AuthAgent Kerberos has configurable options for user-specific credential caching as well as user-specific ticket restrictions. Unwanted components can be scaled out completely, which makes AuthAgent solutions the solution of choice for embedded security applications.