In networking, authentication is the first step towards secure communication, and the protocols chosen for it depend on how much security the communication needs. Authentication verifies an identity, and that identity may be a user, a system or an application. The simplest form is a password; sent over an encrypted channel such as TLS, this is what HTTP calls Basic authentication. Multi-factor authentication combines several methods, usually adding a hardware component such as a token to the password (one-time passwords or passphrases, biometric information and so on). Finally, cryptographic authentication is the strongest and most complex approach; it employs digital signatures, MACs, public-key authentication and similar primitives.
Before going further, let us establish why authentication is necessary.
"Authentication Service is concerned with assuring that a communication is authentic." (Stallings) In other words, authentication assures the recipient that the information it receives really comes from the source it claims to come from.
Authentication counters attacks such as spoofing, phishing, man-in-the-middle and session hijacking; eavesdropping is addressed by the confidentiality service that authentication protocols such as TLS and Kerberos negotiate alongside it.
It lets applications run in a secure environment and protects the communication between them from attack.
Authentication is also the basis for allocating privileges within an application and restricting access at different levels, i.e. for authorization.
Now let us categorise authentication by where the service is provided:
1. Internal Service based Authentication.
2. External Service based Authentication.
Internal, i.e. local, service-based authentication: an application implements its own authentication either through the services the operating system provides or through an existing authentication library. A proprietary scheme can also be built from standard building blocks, but writing one's own procedure is not recommended, because home-grown schemes are routinely broken. If a proprietary scheme is unavoidable, it must be built from standard security technologies (encryption, hashing, established protocols), for example symmetric encryption for authentication, rather than from ad hoc constructions.
On Unix the local authentication service is PAM (Pluggable Authentication Modules): services such as FTP and rlogin hand the user's credentials to PAM, which checks them against a configured backend, and that backend may be a local password file, Unix or Windows accounts, or an LDAP v3 directory through a module such as pam_ldap. File-based and Unix/Windows account authentication are likewise used directly within applications.
These are some of the widely used local authentication services.
Authentication services at enterprise and global scale are part of large directory structures and services, so before discussing the procedures and standards of external service-based authentication, let us look briefly at the concept of a directory and then at LDAP v3 in detail.
Directories entered computing from telecommunications; their requirements were analysed and standardised in 1988 as the X.500 suite of specifications. The Directory Access Protocol (DAP) was used to access X.500 services, but it required the full OSI (Open Systems Interconnection) protocol stack. LDAP was introduced to replace DAP: it offers the same directory operations over TCP/IP and removes the OSI deployment that DAP made mandatory.
The GSS-API (Generic Security Services API) is an interface for which security vendors supply implementations as libraries; its language bindings give the services above a uniform way to obtain authentication and security services. GSS-API version 2 was first specified in RFC 2078 (since replaced by RFC 2743) and its C bindings in RFC 1509 (since replaced by RFC 2744). The standards discussed here are RFC 2743, RFC 1509 and RFC 1964.
GSS-API authentication architecture.
RFC 1964 defines the Kerberos v5 GSS-API mechanism: the conventions, procedures and token formats to be used when a GSS-API implementation is backed by Kerberos version 5.
RFC 1509 defines the C language bindings to GSS-API. Through them a calling application can authenticate the principal identity of a peer application, delegate rights to that peer and apply per-message security services such as integrity and confidentiality.
RFC 2743 defines the services themselves in a language-independent way, so an application written against GSS-API is portable at source level between environments and mechanisms.
LDAP is a TCP/IP-based protocol for manipulating directory content, searching and fetching entries, and it comes with a rich set of security functions. RFC 1777 defines LDAPv2; in LDAPv3 the protocol is protected by SASL mechanisms and by TLS for client/server authentication. LDAP also binds client authorization to the authenticated identity, and resource limits are enforced through administrative limits on service controls.
LDAPv2 used SSL tunnelling for secure communication, the predecessor of TLS. LDAPv3 (RFC 2251) was later introduced with enhanced authentication procedures. LDAPv2 has only three kinds of authentication: anonymous, simple and Kerberos v4. LDAPv3 adopted the SASL framework (Simple Authentication and Security Layer, RFC 2222), so a client can use any SASL mechanism, for example GSSAPI (Kerberos v5), DIGEST-MD5 or CRAM-MD5, and new SASL mechanisms can be added without changing LDAP. (DIGEST-MD5 has since been moved to Historic status by RFC 6331; GSSAPI or SCRAM, RFC 5802, are preferred today.) The diagrammatic representation of the protocols is shown below. LDAPv3 performs authentication through the Bind operation.
The Bind operation is where authentication information is exchanged between client and server. The v3 protocol supports three kinds of authentication: anonymous, simple and SASL (RFC ).
A request sent without a prior Bind is treated as anonymous. Simple authentication is done with a name and password, but the password crosses the network in plain text and can be read by anyone on the path, so it must only be used inside a TLS (formerly SSL) session. SASL specifies a challenge/response exchange between client and server and can additionally negotiate a security layer that protects the rest of the session.
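As an added illustration (not code from this report, nor from any LDAP library), the following Python encodes the three LDAPv3 BindRequest forms in BER exactly as RFC 2251 section 4.2 defines them, which makes the plain-text password problem concrete: in a simple bind the password is an ordinary OCTET STRING that any observer of an unencrypted LDAP port can pick out of the PDU. The DN, password and SASL mechanism below are constructed test values.

```python
"""BER encoding of the LDAPv3 BindRequest (RFC 2251 section 4.2), enough to see
what each authentication choice puts on the wire. Added example, independent of
any LDAP library; all names and passwords used with it are constructed test values."""

def ber_len(n):
    """Definite-length encoding: one byte below 128, otherwise the long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """INTEGER in minimal two's-complement form (non-negative values suffice here)."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_octets(b):
    return tlv(0x04, b)

def bind_request(msg_id, name=b"", password=None, sasl_mech=None, sasl_creds=None):
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication } }.
    authentication is simple [0] OCTET STRING (empty name and password = anonymous)
    or sasl [3] SEQUENCE { mechanism OCTET STRING, credentials OCTET STRING OPTIONAL }."""
    if sasl_mech is not None:
        creds = ber_octets(sasl_creds) if sasl_creds is not None else b""
        auth = tlv(0xA3, ber_octets(sasl_mech) + creds)   # [3] constructed, context-specific
    else:
        auth = tlv(0x80, password or b"")                  # [0] primitive, context-specific
    op = tlv(0x60, ber_int(3) + ber_octets(name) + auth)  # [APPLICATION 0] BindRequest
    return tlv(0x30, ber_int(msg_id) + op)                # outer SEQUENCE

def credentials_in_clear(pdu, secret):
    """What a passive observer on port 389 without TLS can do: search the PDU for the secret."""
    return secret in pdu
```

The anonymous bind encodes to the 14 bytes 30 0c 02 01 01 60 07 02 01 03 04 00 80 00; a simple bind differs only in carrying the DN and password verbatim, while the first leg of a SASL GSSAPI bind carries just the mechanism name, with the Kerberos token following in the credentials field of later legs.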
Libraries exist in many programming languages for the services above; applications use them to implement authentication against a particular framework.
Active Directory was introduced by Microsoft to provide network services such as LDAP, Kerberos and DNS-based naming.
Active Directory supports two authentication protocols: Kerberos, which provides mutual authentication, and NTLM.
In mutual authentication the client process proves its identity to the server and the server likewise proves its identity to the client. In Kerberos this is done through a trusted third party (the KDC) and shared secrets, using symmetric cryptography.
NTLM authentication comes in three variants.
The first is basic LM (LAN Manager), the least secure form of challenge/response authentication. It was used for file sharing in share-level security mode by workgroups running Windows for Workgroups, Windows 95 and Windows 98.
NTLM version 1 is somewhat more secure than LM. It is used when clients running Windows 2000 or later connect to a server in a Windows NT domain that still has at least one domain controller running Windows NT 4.0 or earlier.
NTLM version 2 is the most secure of the three. It is used by the same clients, with the addition that the server may be a member of an Active Directory domain. LM and NTLMv1 are both considered broken today (LM hashes each 7-character half of the password independently, and NTLMv1 responses can be cracked offline), so the LmCompatibilityLevel policy should be set to refuse them and require NTLMv2, with Kerberos preferred wherever a domain is available.
Novell Directory Services
NDS is a collection of objects representing network nodes, services, users and applications. To gain access to the database an NDS client must authenticate to an NDS server, and DHCP options carry the NDS information from server to client: per RFC 2241, option 85 carries the list of NDS servers, option 86 the NDS tree name and option 87 the initial NDS context within the tree.
NetWare is a network operating system introduced in the early 1980s for file sharing rather than disk sharing. NetWare 4, released in 1993, replaced the bindery with a global directory service, Novell Directory Services. In terms of authentication security, RSA public/private key cryptography was the new feature of version 4. Later versions 5.x, 6 and 6.5 added many enhancements: version 5.x brought a directory-enabled public key infrastructure service, and version 6 introduced the Universal Password and support for encrypted data.
NetWare is still used by some organisations; it was the de facto standard for file and print services on the Intel x86 server platform, and as of 2009 it remains in use at large organisations that need the flexibility it provides.
Kerberos is the key authentication protocol here; it is built on symmetric-key cryptography. Kerberos version 5 (RFC 1510) was published in 1993 with many security enhancements over version 4. Kerberos provides mutual authentication between clients and servers on a network.
Operating systems such as Windows 2000 and many UNIX variants use Kerberos for user authentication. Microsoft's password change and reset protocols, RFC 3244, were developed as additions to the Kerberos suite.
RC4-HMAC (RFC 4757) is another encryption type, introduced as an alternative to the DES-based types. It uses 128-bit RC4 keys with an MD5-based HMAC as the checksum and was developed by Microsoft for its Kerberos implementation in Windows 2000. RFC 4757 is Informational only, and RC4-HMAC has since been deprecated by RFC 8429 (2018) because of weaknesses in both RC4 and MD5; the AES encryption types of RFC 3962 should be used instead.
The IETF Kerberos working group has since updated these specifications:
Kerberos v5 GSS API v2 (RFC 4121)
Kerberos v5 Network authentication service (RFC 4120)
Kerberos v5 encryption and checksum specification (RFC 3961)
Kerberos v5 AES (RFC 3962)
Here is a list of the authentication methods that applications typically use through these standardised common interfaces:
1. Authentication via passwords (plain text)
2. Customised authentication schemes
3. Hash-based authentication
4. Kerberos via GSS-API
5. One-time passwords and keyed PINs
Items 1 and 2 were discussed at the beginning. Let us now look at the mechanism of hash-based authentication and of Kerberos v5 through the GSS-API.
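For hash-based authentication, the following added example (written for this edit, not taken from the report or from any SASL library) implements CRAM-MD5 (RFC 2195), one of the SASL mechanisms an LDAPv3 client can negotiate: the server issues a fresh challenge, the client returns HMAC-MD5(password, challenge), and the password itself never crosses the wire. The host name and the user database are constructed; the RFC's own test vector (user tim, password tanstaaftanstaaf) is used to check the client side. The server also shows the two checks a practitioner must not forget: each challenge is single-use, so a captured response cannot be replayed, and the comparison is constant-time.

```python
"""CRAM-MD5 (RFC 2195) as a worked hash-based challenge/response. Added example,
not from the report or any SASL library; host and users are constructed."""
import hashlib, hmac, os, time

def cram_md5_response(user, password, challenge):
    """Client side: prove knowledge of the password without transmitting it."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()

class CramMd5Server:
    """Server side. Note that the server must hold the password itself (or MD5's
    intermediate state), one reason challenge/response lost out to SCRAM and Kerberos."""
    def __init__(self, users, host="mail.example.test"):
        self.users, self.host = dict(users), host
        self.outstanding = set()          # challenges issued and not yet consumed

    def challenge(self):
        # unique and unpredictable, so a captured response is useless against a new challenge
        c = f"<{os.urandom(8).hex()}.{int(time.time())}@{self.host}>".encode()
        self.outstanding.add(c)
        return c

    def verify(self, challenge, response):
        if challenge not in self.outstanding:   # never issued, or already used (replay)
            return False
        self.outstanding.discard(challenge)      # single use, consumed even on failure
        try:
            user, digest = response.decode().split(" ", 1)
        except ValueError:
            return False
        password = self.users.get(user)
        if password is None:
            return False
        expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)   # constant-time comparison
```

The exchange is the same shape as LDAP's SASL bind: the server's challenge travels in the credentials of the first BindResponse and the client's response in a second BindRequest. MD5 is kept here only because that is what RFC 2195 specifies; the structure, not the hash, is the point.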
Kerberos authentication from the user's perspective.
The client requests a ticket from the KDC (1). The KDC looks the user up in its database and returns a ticket-granting ticket (TGT), encrypted under the secret key of the ticket-granting service (TGS), together with a session key encrypted under the user's own secret key. Using that session key and the TGT, the user authenticates to the TGS and obtains tickets for individual services.
Kerberos authentication with an LDAP client.
1. The client authenticates itself and requests a ticket.
2. The authentication server issues a ticket (the TGT) to the user.
3. The user then starts an LDAP client application configured with
'mechanism = GSSAPI'...
'server host name'...
The LDAP client performs a SASL bind (ldap_sasl_bind() in the OpenLDAP C API) with GSSAPI as the mechanism; to obtain a ticket for the LDAP server it presents its TGT to the ticket-granting server.
4. The ticket-granting server issues a service ticket for the LDAP server.
5. The service ticket is sent to the LDAP server inside the GSS-API token of the bind, and the LDAP server verifies it through its GSS-API mechanism.
6. Finally the server grants the service on the basis of the authenticated identity.
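The six steps above, run end to end as an added example (not MIT, Heimdal or Microsoft code): a KDC performs the AS and TGS exchanges, a service principal standing in for the LDAP server verifies the AP_REQ and answers with an AP_REP so the client gets mutual authentication, and the clock-skew rule is enforced. Tickets are JSON rather than ASN.1, the symmetric cipher is a stdlib stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for the RFC 3961/3962 encryption types, and the realm, principal and service names are constructed.

```python
"""Toy model of the Kerberos v5 AS, TGS and AP exchanges above, including the
mutual-authentication reply and the clock-skew check. Added example, not
MIT/Heimdal/Microsoft code: tickets are JSON rather than ASN.1 and the cipher is
a stdlib stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for the RFC 3961/3962
encryption types. Realm, principal and service names are constructed."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.TEST"
CLOCK_SKEW = 300   # the customary 5 minute tolerance on authenticator timestamps

def string_to_key(password, principal):
    """RFC 3962 style: PBKDF2 over the password, salted with realm + principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object; a wrong key fails the tag, as a real Kerberos decrypt does."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decrypt failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(ticket, auth, now):
    # ticket and authenticator must name the same client, be unexpired and within skew
    if auth["client"] != ticket["client"] or now > ticket["end"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise PermissionError("ticket or authenticator rejected")

class KDC:                       # keys: principal -> long-term key, including "krbtgt" and services
    def __init__(self, keys, clock=time.time):
        self.keys, self.clock = keys, clock
    def as_exchange(self, client):                  # AS_REQ -> (TGT, AS_REP)
        now, sk = self.clock(), os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "end": now + 8 * 3600})
        return tgt, seal(self.keys[client], {"key": sk, "service": "krbtgt"})
    def tgs_exchange(self, tgt, authenticator, service):   # TGS_REQ -> (service ticket, TGS_REP)
        now, t = self.clock(), unseal(self.keys["krbtgt"], tgt)
        _check(t, unseal(bytes.fromhex(t["key"]), authenticator), now)
        sk = os.urandom(32).hex()
        st = seal(self.keys[service], {"client": t["client"], "key": sk, "end": min(t["end"], now + 3600)})
        return st, seal(bytes.fromhex(t["key"]), {"key": sk, "service": service})

class Service:                   # an application server such as ldap/host; it never talks to the KDC
    def __init__(self, name, key, clock=time.time):
        self.name, self.key, self.clock = name, key, clock
    def accept(self, service_ticket, authenticator):       # AP_REQ -> (client name, AP_REP)
        t = unseal(self.key, service_ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        _check(t, auth, self.clock())
        return t["client"], seal(bytes.fromhex(t["key"]), {"time": auth["time"]})

class Client:
    def __init__(self, name, password):
        self.name, self.key, self.tgt, self.tgs_key = name, string_to_key(password, name), None, None
    def login(self, kdc):
        self.tgt, rep = kdc.as_exchange(self.name)
        self.tgs_key = bytes.fromhex(unseal(self.key, rep)["key"])   # wrong password -> ValueError here
    def get_service_ticket(self, kdc, service, now):
        st, rep = kdc.tgs_exchange(self.tgt, seal(self.tgs_key, {"client": self.name, "time": now}), service)
        return st, bytes.fromhex(unseal(self.tgs_key, rep)["key"])
    def connect(self, kdc, service, now):
        st, sk = self.get_service_ticket(kdc, service.name, now)
        client, ap_rep = service.accept(st, seal(sk, {"client": self.name, "time": now}))
        if unseal(sk, ap_rep)["time"] != now:   # mutual authentication: server proved it holds the ticket key
            raise PermissionError("mutual authentication failed")
        return client

def _keys(user, password):
    return {user: string_to_key(password, user), "krbtgt": os.urandom(32), "ldap/dir.example.test": os.urandom(32)}

def demo(now=1_700_000_000):
    """alice logs in and binds to the LDAP service; returns the name the service saw."""
    keys, alice = _keys("alice", "correct horse"), Client("alice", "correct horse")
    kdc = KDC(keys, lambda: now)
    ldap = Service("ldap/dir.example.test", keys["ldap/dir.example.test"], lambda: now)
    alice.login(kdc)
    return alice.connect(kdc, ldap, now)

def skewed_clock_fails(now=1_700_000_000):
    """Client clock 10 minutes ahead of the KDC: the TGS refuses the authenticator."""
    keys, alice = _keys("alice", "correct horse"), Client("alice", "correct horse")
    alice.login(KDC(keys, lambda: now))
    try:
        alice.get_service_ticket(KDC(keys, lambda: now), "ldap/dir.example.test", now + 600)
    except PermissionError:
        return True
    return False
```

Two details worth noticing: the LDAP server verifies the ticket entirely on its own, with no call back to the KDC, which is what makes the KDC's availability matter only at login and ticket-acquisition time; and a client with the wrong password fails not at the KDC but when it cannot decrypt the AS_REP, which is why real deployments add pre-authentication so that an attacker cannot collect AS_REPs for offline guessing.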
This basic procedure for implementing authentication services can be considered under three headings:
1. Approaches to sensitive data
2. Usability and manageability
3. Security strength vs. business factors
Approaches to sensitive data.
1. Sensitive data is the data an application uses to perform authentication: passwords, keys or other secrets. How this data is handled raises or lowers the security strength.
The rule of thumb is to "isolate and limit" the use of the data, applied to every variable, structure and object that holds it. Isolation is hard to implement fully, but it can be approximated by keeping the data in separate processes or threads. Limiting means confining the data to the scope in which the application needs it and clearing it from memory afterwards; this is especially important for strings and buffers that hold secrets.
Next is persistent storage. Local storage must not hold secrets in the clear. The best approach is to encrypt the data, and the keys must not be stored on the same device; special hardware such as tokens exists for holding secrets. Even the message passing of sensitive data must use known secure protocols.
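The "isolate and limit" rule and the storage rule, applied in code as an added example (written for this edit, not taken from the report): the candidate password is kept only in a mutable buffer that is overwritten the moment the verifying scope ends, and what is stored persistently is a salted, slow hash rather than the password. The class and function names are assumptions of this example, and the sample passwords are constructed.

```python
"""'Isolate and limit' applied to an in-memory secret. Added example, not from the
report: a candidate password lives only in a mutable bytearray that is overwritten
the moment the verifying scope ends, and the persistent copy is a salted PBKDF2
hash rather than the password. A Python str cannot be scrubbed (immutable, may be
interned and copied), so the secret is never converted to one."""
import hashlib, hmac, os

class ScrubbedSecret:
    """Context manager around a bytearray; the buffer is zeroed on exit, even on exceptions."""
    def __init__(self, buf):
        self._buf = buf if isinstance(buf, bytearray) else bytearray(buf)
    def __enter__(self):
        return self._buf
    def __exit__(self, *exc):
        for i in range(len(self._buf)):   # overwrite in place; dropping the reference leaves the bytes in RAM
            self._buf[i] = 0
        return False                       # do not swallow exceptions
    def is_wiped(self):
        return not any(self._buf)

def make_verifier(password, salt=None):
    """What may be stored persistently: a per-user salt and a slow salted hash, never the password."""
    salt = salt or os.urandom(16)
    with ScrubbedSecret(password) as buf:
        return salt, hashlib.pbkdf2_hmac("sha256", buf, salt, 100_000)

def check_password(salt, stored, candidate):
    """The candidate is used only inside this scope and is wiped before the function returns."""
    holder = ScrubbedSecret(candidate)
    with holder as buf:
        digest = hashlib.pbkdf2_hmac("sha256", buf, salt, 100_000)
    assert holder.is_wiped()
    return hmac.compare_digest(digest, stored)   # constant-time comparison
```

Because the buffer is wiped in place, the caller's copy is cleared too, which is the "limit" half of the rule; the "isolate" half (a separate process or thread owning the secret) is an operating-system matter that this block does not model. Note also that the comparison of the two digests is constant-time, so a wrong guess cannot be timed.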
Usability has an external and an internal side. External usability concerns the user, the application and their interaction: how easy or hard self-management is for the user, the use of hardware tokens, the procedures for lost or stolen credentials and certificate acquisition. Internal manageability concerns credential management, key management for the application and its servers, and the software implementation itself: library availability, ease of use and complexity of updates.
These are a few points to keep in mind while implementing authentication for an application.
Use (and manageability) of the correct technology.
The environment is as important as the strength of the security component.
If usability is not considered, security ultimately suffers.
Choosing the appropriate authentication mechanism and technology matters; the choice should answer what the effects of a security failure would be, what is being protected, from whom and by whom.
LDAP can use Kerberos for authentication.
LDAP on its own offers only simple authentication, i.e. verifying a password; to establish a secure connection between applications Kerberos is far better suited.
A simple LDAP bind requires the password to be transmitted, while Kerberos avoids this by using secret-key encryption, tickets and a trusted third party.
A simple bind uses only an id and password, while Kerberos can also employ hardware security such as tokens and smart cards (through PKINIT, RFC 4556).
These are the extra features found in Kerberos that a plain LDAP bind does not provide:
Kerberos suits the client/server model and multi-tier environments and can establish a secure connection between applications.
It provides mutual authentication, integrity and confidentiality services.
It suits heterogeneous networks and is widely used by many vendors and standards.
Present LDAP servers support the SASL GSSAPI mechanism and use Kerberos v5 for user authentication, so in practice the two are complementary rather than competing.
Novell Directory Services and Active Directory have always been competitors, and Microsoft's comparison of the two naturally claims that Active Directory does everything better than NDS.
In terms of security, Active Directory supports multiple authentication methods, and hardware security such as smart cards is supported well, whereas NDS was said not to support smart cards or multiple authentication methods.
Conforming to standards, Active Directory makes its entire feature set available through LDAP v3 and a DNS-based namespace.
"Scalability without complexity": Active Directory scales to millions of objects per partition and uses techniques such as indexing for speed, whereas NDS was said to scale only to a few thousand objects per partition and to store its data in flat files, which is slow.
Synchronisation and consolidation: ADS provides synchronisation support for LDAP and accommodates application-specific directories, whereas NDS provides very limited synchronisation support.
Active Directory attracted the leading vendors, while NDS failed to.
The future of the Internet directory and the global directory is expected to be one and the same thing.
Two problems stand in the way: Internet objects are named by domain name, and all intranet directories would have to be connected into a single global directory.
Later revisions of LDAPv3 are expected to solve these directory problems. LDAP is expected to gain more security through SASL mechanisms and Kerberos. NDS is expected to extend its native support for LDAP v3, improve its scalability, improve authentication to multiple environments and make more use of hardware security (smart cards and the like). "A standout AD feature change is the new read-only domain controller (RODC)."
Kerberos requires the continuous availability of a central server: if the KDC goes down nobody can log in. The standard remedy is to run several replica KDCs.
Kerberos demands that all clocks be synchronised, since every Kerberos ticket and authenticator carries timestamps; if the clocks drift beyond the permitted skew (typically five minutes), authentication fails.
The administration protocol should be standardised, and the authentication infrastructure must never be compromised, because every authentication is controlled by the centralised KDC and its database holds the keys of every principal.
LDAP v3 has become the most widely used directory access mechanism, alongside X.500, and Kerberos v5 is the most widely used authentication service, adopted by many vendors (Microsoft among them). GSS-API provides the interface through which applications use these services from libraries. Many enhancements have been suggested for Novell Directory Services relative to Active Directory.
To improve the security and reliability of authentication, the known drawbacks of Kerberos and of the other mechanisms must be addressed, and the rule of thumb for implementation, limit and isolate, must be enforced.
Reference: William Stallings.