In networking, authentication is the first step towards secure communication. Depending on how much security is required, authentication may use a single protocol or a set of them. Authentication verifies an identity, and that identity can be a user, a system or an application.
Multi-factor authentication combines several authentication methods with hardware security components such as tokens or biometric information. Cryptographic authentication is a stronger and more complex approach that employs digital signatures, MACs, public key authentication and similar mechanisms.
Necessity of Authentication
"Authentication Service is concerned with assuring that a communication is authentic." It assures the recipient that the information received comes from the genuine source it claims to come from.
Authentication is also used to allocate privileges within an application, to restrict access at different levels, and to defend against attacks such as spoofing.
Categorizing Authentication based on Services
1. Internal service based authentication.
2. External service based authentication.
Internal (local) service based authentication can be implemented either with the services available within the operating system or with existing authentication libraries. Implementing one's own authentication procedure is not recommended, because a home-grown scheme carries a high risk of being easily broken. If a proprietary scheme has to be developed, it should build on established standards and security technologies such as encryption protocols; for example, RC4-HMAC was developed by Microsoft on top of Kerberos for authentication in Windows 2000.
Authentication services at enterprise and global levels are part of large directory structures and services. The concept of directories was brought into computing by the telecommunications industry. Its requirements were analysed and specified as a suite of protocols called the X.500 specifications in 1980; LDAP was then introduced to replace DAP as the means of accessing X.500 services.
Some of the widely used external authentication services are described below.
GSSAPI (Generic Security Services API, RFC 2078) is an interface for which security vendors supply implementations in the form of libraries; its bindings provide authentication and security services to the services mentioned above. The diagram below gives an overview of how LDAP and its authentication services are used through the GSS interface and existing libraries. The GSSAPI architecture is shown below.
Figure 1: GSS-API Authentication Architecture.
A few of the standards that relate to GSSAPI are RFC 1964, RFC 1509 and RFC 2743.
RFC 1964 is the Kerberos v5 GSS-API mechanism; it defines the conventions, procedures and protocols to be employed when implementing GSSAPI over Kerberos version 5.
RFC 1509 defines the C language bindings to GSSAPI, which allow a calling application to authenticate the principal identity of a peer application, to delegate rights to the peer, and to apply security services such as integrity and confidentiality.
RFC 2743 provides security services to the caller in a generic fashion and also allows source-level portability of an application to different environments.
LDAP (Lightweight Directory Access Protocol):
LDAP (RFC 1777) is a TCP/IP based protocol used to manipulate directory content (searching, fetching and updating), and it also provides access control through a rich set of security functions. The protocol is protected by SASL mechanisms and by TLS for client-server authentication, and the authenticated identity is used for client authorization. Resource limitation is implemented by means of administrative limits on service controls.
LDAPv2 used SSL tunnelling for secure communication as an alternative to TLS; later, LDAPv3 (RFC 2251) was introduced with enhancements to the authentication procedures. Let us compare authentication in v2 and v3 and their procedures. LDAPv2 has three types of authentication: anonymous, simple and Kerberos v4. LDAPv3 supports anonymous and simple, and in addition supports SASL authentication (RFC 2222), where the client can employ any SASL mechanism such as Kerberos v5, DIGEST-MD5 or CRAM-MD5. New SASL mechanisms can be adopted without changing LDAP itself. The protocols are shown diagrammatically below.
LDAPv3 performs authentication through the Bind operation, whose function is to let the client and server exchange authentication information. A request from a client that has not performed a Bind is treated as anonymous. Simple authentication uses a username and password, but the password travels over the network in plain text where it can be observed; this is avoided by protecting the connection with a protocol such as SSL/TLS. SASL specifies a challenge-response protocol for exchanging information between client and server and can establish a security layer for the subsequent communication.
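To make the Bind operation concrete, here is an added example (my own code, not from the essay or from any LDAP library) that encodes and decodes the LDAPv3 BindRequest as defined in RFC 4511, in minimal BER, and then applies a defender's check: a simple bind carrying a password over a connection without TLS is flagged, because that is exactly the plain-text exposure described above. The sample messages are constructed inline; the DN and password are placeholders.

```python
# Added example (not from the essay): minimal BER encoder/decoder for the LDAPv3
# BindRequest (RFC 4511), plus an audit that flags cleartext simple binds.

def _ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def integer(value: int) -> bytes:
    # one-byte INTEGER; enough for the small message ids and version 3 used here
    return tlv(0x02, value.to_bytes(1, "big"))

def simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest with AuthenticationChoice.simple ([0] OCTET STRING, tag 0x80)."""
    op = integer(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, integer(message_id) + tlv(0x60, op))   # 0x60 = [APPLICATION 0]

def sasl_bind(message_id: int, mechanism: str, credentials: bytes = b"") -> bytes:
    """BindRequest with AuthenticationChoice.sasl ([3] SaslCredentials, tag 0xA3)."""
    sasl = tlv(0x04, mechanism.encode()) + (tlv(0x04, credentials) if credentials else b"")
    op = integer(3) + tlv(0x04, b"") + tlv(0xA3, sasl)      # name is empty for SASL
    return tlv(0x30, integer(message_id) + tlv(0x60, op))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind(msg: bytes) -> dict:
    """Decode a BindRequest into a dict; raises ValueError for anything else."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msgid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(msgid, "big"), "version": ver[0], "name": name.decode()}
    if tag == 0x80:                       # simple: the password is the raw octet string
        info["method"] = "simple"
        info["anonymous"] = len(name) == 0 and len(auth) == 0
        info["password_on_wire"] = len(auth) > 0
    elif tag == 0xA3:                     # sasl: first element is the mechanism name
        _, mech, _ = _read_tlv(auth, 0)
        info["method"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)
    return info

def audit_bind(msg: bytes, over_tls: bool) -> str:
    """Defender's check: a simple bind with a password outside TLS leaks it."""
    info = parse_bind(msg)
    if info["method"] == "simple" and info["password_on_wire"] and not over_tls:
        return "CLEARTEXT-PASSWORD: simple bind for %r without TLS" % info["name"]
    if info["method"] == "simple" and info["anonymous"]:
        return "ANONYMOUS"
    suffix = " via " + info["mechanism"] if info["method"] == "sasl" else ""
    return "OK: %s bind%s" % (info["method"], suffix)

if __name__ == "__main__":
    # constructed sample messages, not real captures
    print(audit_bind(simple_bind(1, "cn=admin,dc=example,dc=com", "s3cret"), over_tls=False))
    print(audit_bind(sasl_bind(2, "GSSAPI", b"<gssapi token>"), over_tls=False))
```

The same classification applied to captured LDAP traffic (for instance, by feeding the parser the first message on each new connection to port 389) gives a quick inventory of which clients still perform simple binds without TLS and which have moved to SASL/GSSAPI.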
Active Directory was introduced by Microsoft to provide network services such as LDAP, Kerberos and DNS based naming. It mainly uses two types of authentication: mutual authentication and NTLM authentication.
In mutual authentication the client process proves its identity to the server, and the server likewise proves its identity to the client. Identity is proved through a trusted third party using shared secret keys and cryptographic means.
NTLM authentication comes in three forms.
Basic LM, i.e. LAN Manager, is the basic form of challenge/response authentication; it was used for file sharing in share-level security mode for workgroups running Microsoft Windows 95 and 98. Version 1 is more secure than LM and is used by clients running Windows 2000. Version 2 is more secure than both, with the additional feature of running in an Active Directory domain.
Novell Directory Services:
NDS is a collection of objects representing the network's nodes, services, users and applications. To gain access to the database, an NDS client must authenticate to the NDS server. DHCP options (RFC 2241) are used to carry NDS information between clients and the server.
NetWare is a network operating system developed in 1985 for file sharing rather than disk sharing. NetWare version 4, released in 1993, was called Novell Directory Services because it replaced the bindery with a global directory service. In terms of security, RSA public/private key encryption was the feature newly introduced in v4. Later versions 5.x, 6 and 6.5 were introduced with many enhancements: version 5.x enabled a public key infrastructure service, and version 6.0 introduced the universal password and support for encryption.
At present NetWare is still used by some organizations, and it is the only standard for file and print services on the Intel x86 server platform. As of 2009, NetWare is used by large organizations for the flexibility it provides.
Kerberos is an important authentication protocol built on symmetric key cryptography. Kerberos version 5 (RFC 1510) was developed in 1993 with many enhancements to the security features that version 4 lacked. Kerberos was developed for mutual authentication between client and server over a network.
Operating systems such as Windows 2000 and many UNIX systems use Kerberos for user authentication. Microsoft uses RFC 3244 for its password change and reset protocols, which were developed as additions to the Kerberos suite of protocols.
RC4-HMAC (RFC 4757) is another encryption type, used as an alternative to the DES based encryption types. It provides strong cryptography with 128-bit keys and was developed by Microsoft while implementing RC4.
At present the IETF Kerberos working group is updating these specifications:
Kerberos v5 GSS-API v2 (RFC 4121)
Kerberos v5 network authentication service (RFC 4120)
Kerberos v5 encryption and checksum specification (RFC 3961)
Kerberos v5 AES (RFC 3962)
Let us look at the procedure (mechanism) of Kerberos v5 authentication through GSS-API.
Kerberos Authentication from the user's perspective
Figure 2 Kerberos authentication from the user's perspective
The client requests a ticket from the KDC server; the KDC looks the user up in its database and issues a TGT (ticket granting ticket) encrypted under the secret key of the ticket granting service (TGS), together with a session key, which is sent to the user encrypted under the user's own secret key. Using the session key and the TGT, the user authenticates to the TGS and obtains tickets for the services it needs.
Kerberos Authentication with an LDAP client
Figure 3 Kerberos authentication with an LDAP client.
First, the client requests a ticket by authenticating itself.
The authentication server issues a ticket to the user.
The user then starts an LDAP client application with these parameters:
"mechanism = GSS-API"
"server host name"
The LDAP client calls the LDAP_SSL_BIND() function with GSS-API as the authentication mechanism. The LDAP client presents its Kerberos TGT and requests a service ticket for the LDAP server.
The TGT server issues a service ticket.
The service ticket is sent to the LDAP server, which verifies it using the GSS-API mechanism.
Finally the service is granted on the basis of that authentication.
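The ticket flow of Figures 2 and 3 (AS exchange, TGS exchange, and the final GSS-API style bind at the LDAP server) is easier to follow in code, so here is an added toy model. It is my own example, not code from the essay, from MIT Kerberos or from any LDAP product. The "encryption" is an HMAC-SHA256 keystream with an HMAC tag and string2key is PBKDF2; both are stand-ins for the real Kerberos enctypes (RFC 3961/3962), chosen only so that the example runs on the Python standard library. Principal names, secrets and the realm are constructed placeholders. The model keeps the two properties the text stresses: the user's password never leaves the client, and a stale authenticator (clock skew beyond the tolerated window) is rejected.

```python
import hashlib, hmac, json, os, time

# Added example, not from the essay or any Kerberos implementation: toy AS/TGS/AP
# exchanges ending in a GSS-API style LDAP bind. seal/unseal and string2key are
# stand-ins for the real Kerberos enctypes and string-to-key functions.

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON structure (ticket, authenticator or reply part)."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string2key(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), b"REALM.EXAMPLE", 10_000)

MAX_SKEW = 300      # seconds of clock skew tolerated for authenticators
LIFETIME = 36_000   # ticket lifetime in seconds

def _fresh(stamp: dict, ticket: dict, now: int) -> bool:
    """Authenticator must name the ticket's client, be recent, and the ticket unexpired."""
    return stamp["client"] == ticket["client"] and abs(now - stamp["ts"]) <= MAX_SKEW and now <= ticket["exp"]

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    def __init__(self, principals: dict):
        self.keys = {name: string2key(secret) for name, secret in principals.items()}

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: TGT under the krbtgt key, session key under the client's key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "exp": now + LIFETIME})
        return tgt, seal(self.keys[client], {"key": sk, "exp": now + LIFETIME})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validate TGT + authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        if not _fresh(unseal(sk, authenticator), t, now):
            raise PermissionError("TGS rejected authenticator")
        sk2 = os.urandom(32).hex()
        st = seal(self.keys[service], {"client": t["client"], "key": sk2, "exp": now + LIFETIME})
        return st, seal(sk, {"service": service, "key": sk2})

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, string2key(password)   # password never leaves the client

    def login(self, kdc: KDC, now: int):
        self.tgt, enc = kdc.as_exchange(self.name, now)
        self.sk = bytes.fromhex(unseal(self.key, enc)["key"])  # fails if the password is wrong

    def service_ticket(self, kdc: KDC, service: str, now: int):
        auth = seal(self.sk, {"client": self.name, "ts": now})
        st, enc = kdc.tgs_exchange(self.tgt, auth, service, now)
        return st, bytes.fromhex(unseal(self.sk, enc)["key"])

class LdapServer:
    """Accepts a GSS-API style bind: service ticket plus authenticator (AP-REQ)."""
    def __init__(self, secret: str):
        self.key = string2key(secret)

    def gssapi_bind(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        if not _fresh(unseal(bytes.fromhex(t["key"]), authenticator), t, now):
            raise PermissionError("bind rejected")
        return t["client"]   # authenticated principal, used for LDAP authorization

def run_flow(password: str = "correct horse battery", client_skew: int = 0) -> str:
    """Drive the whole flow with constructed principals; returns the bound principal."""
    tgs_secret, ldap_secret = os.urandom(16).hex(), os.urandom(16).hex()
    kdc = KDC({"alice": "correct horse battery", "krbtgt": tgs_secret, "ldap/dir.example": ldap_secret})
    ldap, alice, now = LdapServer(ldap_secret), Client("alice", password), int(time.time())
    alice.login(kdc, now)                                          # step 1-2: AS exchange
    st, sk2 = alice.service_ticket(kdc, "ldap/dir.example", now)   # step 3-5: TGS exchange
    authenticator = seal(sk2, {"client": "alice", "ts": now + client_skew})
    return ldap.gssapi_bind(st, authenticator, now)               # step 6-7: bind at LDAP

if __name__ == "__main__":
    print(run_flow())
```

Two failure modes worth noticing: a wrong password makes the client unable to open the AS reply (the KDC never sees the password, so it cannot tell), and a client whose clock is more than MAX_SKEW seconds off is refused by both the TGS and the LDAP server, which is why the essay's later remark about clock synchronization matters in practice.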
Procedure to Implement Authentication:
Implementing authentication services can be divided into three areas.
"Approaches to sensitive data"
"Security strength vs. business factors"
Approach to sensitive data.
1. Sensitive data is used by an application to perform authentication; it may be passwords, keys or other information. Security increases or decreases depending on how that data is handled.
The rule of thumb is to "isolate and limit the use of the data". Isolation of data is quite difficult to implement, but it can be achieved by using separate processes and threads. Limiting the use of the data means confining it to the extent the application actually needs it; afterwards it should be cleared or removed from memory.
Persistent storage of information: local storage must not be used for persistent storage of sensitive data. Encrypted data and its keys must be stored on different devices. Hardware devices such as tokens should be used, and any message passing of sensitive data must use known secure protocols.
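As an added illustration of "limit the use of the data" (my own example, not code from the essay or from the cited guidelines), the following keeps an authentication secret in a wipeable buffer, allows only one operation on it (deriving a verifier), and zeroes it as soon as that operation is done. The Python-specific caveat is part of the point: only a bytearray can be overwritten in place, while str and bytes objects are immutable and may linger until garbage collected, so the secret has to enter the program already as a bytearray. The sample credential is constructed.

```python
import hashlib, hmac, os

# Added example (not from the essay): a wipeable secret holder that limits the raw
# secret to key derivation and zeroes it afterwards.

class SecretBuffer:
    """Mutable holder for a secret that is zeroed when the with-block ends."""
    def __init__(self, secret: bytearray):
        if not isinstance(secret, bytearray):
            raise TypeError("pass a bytearray so the secret can be wiped in place")
        self._buf = secret
        self.wiped = False

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.wipe()          # runs even if derive() raised
        return False

    def derive(self, salt: bytes, iterations: int = 200_000) -> bytes:
        """Limit use: the only operation allowed on the raw secret is key derivation."""
        if self.wiped:
            raise RuntimeError("secret already wiped")
        return hashlib.pbkdf2_hmac("sha256", self._buf, salt, iterations)

    def wipe(self):
        for i in range(len(self._buf)):
            self._buf[i] = 0
        self.wiped = True

    def is_clean(self) -> bool:
        return self.wiped and not any(self._buf)

def enroll(password: bytearray) -> tuple:
    """Keep only (salt, verifier); the password buffer is zeroed before returning."""
    salt = os.urandom(16)
    with SecretBuffer(password) as s:
        verifier = s.derive(salt)
    return salt, verifier

def verify(password: bytearray, salt: bytes, verifier: bytes) -> bool:
    """Constant-time comparison of a freshly derived verifier against the stored one."""
    with SecretBuffer(password) as s:
        candidate = s.derive(salt)
    return hmac.compare_digest(candidate, verifier)

if __name__ == "__main__":
    pw = bytearray(b"hunter2")          # constructed sample credential
    salt, verifier = enroll(pw)
    print(pw)                           # all zero bytes after enrolment
    print(verify(bytearray(b"hunter2"), salt, verifier))
```

Isolation, the other half of the rule of thumb, is not something a buffer class can give you; it comes from running the code that touches the secret in its own process (or on a hardware token), so that a compromise of the rest of the application does not expose it.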
Usability has external and internal aspects. External aspects involve the user, the application and matters such as ease of self-management, use of hardware tokens, procedures for lost or stolen credentials, and certificate acquisition. Internal manageability of authentication includes managing credentials, key management for applications and servers, and the software implementation, which covers library availability, ease of use and the complexity of updates.
These are a few points to consider while implementing authentication for an application.
Usage (manageability) of the correct technology.
The environment is as important as the strength of the security component.
If usability is not considered, ultimately the security suffers.
Choosing the appropriate authentication mechanism is important, along with a technology that addresses the consequences of a security failure.
LDAP employs only simple authentication, such as verifying a password; unlike Kerberos, it cannot establish a secure connection with other applications. LDAP requires the password to be transmitted, whereas Kerberos avoids that by using secret key encryption, tickets and a trusted third party. LDAP uses only an id/password pair, while Kerberos can also use hardware security such as tokens.
These are a few notable features of Kerberos that LDAP lacks.
Kerberos is suitable for the client-server model and multi-tier environments; it can establish a secure connection between applications.
It provides services such as mutual authentication, integrity and confidentiality.
It is suitable for heterogeneous networks and is widely used by many vendors and standards.
Present-day LDAP servers are compatible with the SASL/GSS-API mechanism and use Kerberos v5 for user authentication.
Novell Directory Services and Active Directory have always been competitors, and Microsoft's Active Directory has proved to be the stronger product in recent years.
"Security" Active Directory supports multiple authentication methods, and even hardware security such as smart cards is supported efficiently, whereas NDS supports neither smart cards nor multiple authentication methods.
"Confine to standards" Active Directory makes its features available through LDAPv3 and a DNS based namespace.
"Scalability" Active Directory scales to millions of objects per partition and uses techniques such as indexing to increase performance (i.e. speed), while NDS scales only to a few thousand per partition and uses flat files to store data, which is quite slow.
"Synchronization and consolidation" Active Directory provides synchronization support for LDAP and accommodates application-specific directories, while NDS provides very limited synchronization support.
Active Directory attracted the leading vendors, while NDS failed to do so.
A future enhancement of the Internet directory and the global directory is that they would become one and the same thing.
To attain that, there are two problems to solve:
1. Internet objects are named by domain name.
2. All intranet directories must be connected into a single global directory.
Later versions of LDAPv3 are expected to solve these directory problems and also to improve security through the SASL mechanism and Kerberos.
NDS scalability and native support for LDAPv3 must be improved, and security features such as authentication to multiple environments and the use of hardware security (smart cards etc.) must be implemented.
Kerberos requires the continuous availability of a central server. If that server goes down, no one can log in, so alternatives such as multiple servers must be implemented. The problem of keeping all client clocks synchronized must also be addressed, with alternative approaches implemented where needed.
The administration protocol needs to be standardized, and there must be no compromise of the authentication infrastructure, since every authentication is controlled by a centralized KDC.
GSSAPI provides an interface for implementing security services; security vendors provide implementations in the form of libraries in different programming languages, and authentication is implemented using these standards. Kerberos v5 is a widely used authentication protocol.
Directory access is implemented using LDAPv3, which in turn employs SASL and Kerberos v5 for its authentication service. Different authentication services are implemented by vendors through these standards and libraries, Microsoft being one example. Active Directory services are preferable to Novell Directory Services at present.
To improve the security and reliability of authentication, the drawbacks of Kerberos and the other mechanisms must be addressed, and the rule of thumb (i.e. limit and isolate data) and the basic procedures must be followed when implementing them.
References
Network Security Essentials, William Stallings, 2006 first impression, ISBN 81-317-0366-5, chapter 1.3 security services, authentication.
Single sign on to eDirectory 8.8.2 using the SASL GSS-API mechanism, Anil Belur, 18/07/2007: GSS-API, Kerberos authentication with LDAP client.
Authentication in applications, Chad Cook: guidelines for implementation.
Authentication in applications, Chad Cook: approaches to sensitive data.
White paper from Microsoft, Windows Developer Centre, comparing Active Directory services and Novell Directory Services.
Figure 1, GSS-API Architecture
Figure 2, Kerberos authentication from users perspective
Figure 3, Kerberos authentication with LDAP Client