AuthAgent Kerberos is an open-standards-based implementation of the Kerberos
authentication mechanism. Based on an open source implementation of Kerberos version 5,
it is designed exclusively for embedded platforms and includes the core functionality
needed to add Kerberos authentication to clients and services. The Kerberos protocol
(specified at the time in RFC 1510, since superseded by RFC 4120) defines an authentication
and encryption scheme in which a principal proves its identity once to a trusted
authentication server and then uses the credentials it receives to access systems and
services on the network. AuthAgent Kerberos allows an organization to use its existing
enterprise Kerberos servers to authenticate services and clients running on embedded
devices such as networking and storage equipment, connected smart appliances and
remotely managed industrial control applications.
A Kerberos ticket is a record that allows a client to authenticate itself to a service.
It contains the client's identity, a session key, the ticket's validity period (start and
expiry timestamps) and other information, all encrypted under the service's long-term
secret key, so the client can carry the ticket but can neither read nor alter it. Tickets
are issued by an enterprise network service called the Key Distribution Center (KDC),
which supplies tickets and temporary session keys and holds the database of users and
services together with their secret keys. AuthAgent Kerberos gives embedded network
clients the functionality to store KDC-granted tickets and present them to any
Kerberos-enabled network service. It also includes the functionality to present the
initial Ticket Granting Ticket (TGT), obtained from the KDC's Authentication Service at
logon, to the Ticket Granting Service (TGS), the KDC component that issues
service-specific tickets without asking for the password again.

AuthAgent Kerberos easily “kerberizes” VxWorks clients, allowing standard
network client applications in any multi-platform environment to authenticate
to Kerberos-enabled services by requesting tickets from the Key Distribution Center
and its Ticket Granting Service. Similarly, network services that need to be
Kerberos-enabled and accept ticket-based authenticated sessions can be secured with
AuthAgent Kerberos using a minimal number of API calls during initialization.

When the principals being authenticated are users, AuthAgent Kerberos enables
a single sign-on solution, eliminating the need for users to have multiple passwords
and logon procedures. A client authenticates itself to the KDC only once, to obtain
an initial TGT. Further service-specific tickets are then granted automatically by the
ticket-granting service (TGS) for as long as the TGT is valid, which may cover the
entire work period. AuthAgent Kerberos also caches the individual tickets so that they
are reused until they expire, eliminating repeated ticket requests for the same service.

Transmission of plain-text authentication information such as passwords is clearly
the weakest link in user authentication systems. It is susceptible to “eavesdropping”,
where the password itself is captured, and to “replay attacks”, which simply
retransmit a previously sniffed (even encoded or hashed) password to gain access to
critical network services. AuthAgent Kerberos eliminates this problem by providing
secure authentication in networked environments, without the threat of passwords being
viewed while traveling across the network. The Kerberos protocol was specifically
designed to let a principal demonstrate possession of a secret (the password) without
divulging the secret itself: the KDC's reply can only be decrypted with a key derived
from the password, and each request to a service carries a freshly timestamped
authenticator encrypted under the session key, which the service checks against a
replay cache. Additionally, the protocol includes data integrity checks to ensure
messages on the network are not tampered with, and message privacy to ensure that
messages are not visible to eavesdroppers on the network. Two caveats apply in practice:
the timestamp checks rely on loosely synchronized clocks, and the protocol does not
protect weak passwords from offline guessing by an attacker who captures the initial
exchange, so users' long-term keys should derive from strong passwords (see the
security considerations of RFC 4120).

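The ticket flow, credential caching and replay and tamper checks described in the preceding sections, worked through as an added example. This is illustration code written for this page, not AuthAgent Kerberos or any TeamF1 API. It models the KDC's AS and TGS exchanges, a client credential cache that reuses tickets until they expire, and the checks a service makes on an incoming ticket and authenticator. Everything in it is constructed: the realm EXAMPLE.COM, the principals alice and nfs/storage01, the passwords and the timestamps. The seal()/unseal() helpers are a deliberately simple HMAC-SHA256 stand-in for the real Kerberos encryption types (RFC 3961), used only so the example runs with the Python standard library; they are not a substitute for them.

```python
"""Toy model of the Kerberos ticket flow described above (added example, not AuthAgent code).
Real Kerberos uses RFC 3961 encryption types; seal()/unseal() are an HMAC-SHA256 stand-in."""
import hashlib, hmac, json, os

def string_to_key(password, realm, name):
    # Stand-in for Kerberos string-to-key: both ends derive the key; the password never goes on the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, b"E" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-n // 32)))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON record: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"M" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"M" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # tampered, or sealed under another key
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify(service_key, ticket, authenticator, now, replay_cache, skew=300):
    """The checks a ticket-accepting service (or the TGS) makes on a ticket plus authenticator."""
    t = unseal(service_key, ticket)                     # only the service's own key opens it
    if not t["start"] - skew <= now <= t["end"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)  # proves the client holds the session key
    if a["client"] != t["client"] or abs(a["time"] - now) > skew:
        raise ValueError("authenticator mismatch")
    if authenticator in replay_cache:                   # a sniffed request resent verbatim
        raise ValueError("replayed authenticator")
    replay_cache.add(authenticator)
    return t["client"], bytes.fromhex(t["key"])

class KDC:
    """Principal database plus the AS and TGS roles of a Key Distribution Center."""
    def __init__(self, realm, principals, lifetime=8 * 3600):
        self.realm, self.lifetime, self.tgs_requests, self.replays = realm, lifetime, 0, set()
        self.tgs_name = "krbtgt/" + realm               # the TGS is a principal with its own key
        self.keys = {n: string_to_key(p, realm, n) for n, p in principals.items()}
        self.keys[self.tgs_name] = os.urandom(32)
    def _issue(self, client, service, reply_key, now):
        # Ticket = client identity + session key + validity, sealed under the service's key.
        skey = os.urandom(32)
        body = {"client": client, "key": skey.hex(), "start": now, "end": now + self.lifetime}
        return seal(self.keys[service], body), seal(reply_key, {"key": body["key"], "end": body["end"]})
    def as_exchange(self, client, now):
        # AS-REQ/AS-REP: a TGT; the reply is readable only with the password-derived key.
        return self._issue(client, self.tgs_name, self.keys[client], now)
    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS-REQ/TGS-REP: TGT plus authenticator in, service-specific ticket out.
        self.tgs_requests += 1
        client, tgs_skey = verify(self.keys[self.tgs_name], tgt, authenticator, now, self.replays)
        return self._issue(client, service, tgs_skey, now)

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.kdc, self.ccache = name, kdc, {}  # ccache: service -> (ticket, key, expiry)
        self.key = string_to_key(password, kdc.realm, name)
    def logon(self, now):  # single sign-on: the only step that needs the password
        self._store(self.kdc.tgs_name, self.key, *self.kdc.as_exchange(self.name, now))
    def _store(self, service, reply_key, ticket, enc_part):
        part = unseal(reply_key, enc_part)
        self.ccache[service] = (ticket, bytes.fromhex(part["key"]), part["end"])
    def _authenticator(self, skey, now):
        return seal(skey, {"client": self.name, "time": now, "nonce": os.urandom(8).hex()})
    def ap_req(self, service, now):  # (ticket, authenticator); asks the TGS only when nothing valid is cached
        if service not in self.ccache or self.ccache[service][2] <= now:
            tgt, tgs_skey, tgt_end = self.ccache[self.kdc.tgs_name]
            if tgt_end <= now:
                raise ValueError("TGT expired; log on again")
            reply = self.kdc.tgs_exchange(tgt, self._authenticator(tgs_skey, now), service, now)
            self._store(service, tgs_skey, *reply)
        ticket, skey, _ = self.ccache[service]
        return ticket, self._authenticator(skey, now)

def demo(t0=1_700_000_000):
    pw = "correct horse battery staple"  # constructed realm, principals and passwords
    kdc = KDC("EXAMPLE.COM", {"alice": pw, "nfs/storage01": os.urandom(16).hex()})
    alice = Client("alice", pw, kdc)
    nfs_key, nfs_replays = kdc.keys["nfs/storage01"], set()  # the service's provisioned key, replay cache
    alice.logon(t0)
    ticket, auth = alice.ap_req("nfs/storage01", t0 + 60)
    out = {"client": verify(nfs_key, ticket, auth, t0 + 60, nfs_replays)[0]}
    verify(nfs_key, *alice.ap_req("nfs/storage01", t0 + 3600), t0 + 3600, nfs_replays)  # cached ticket
    out["tgs_requests"] = kdc.tgs_requests
    tampered = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]
    for label, step in (("replay", lambda: verify(nfs_key, ticket, auth, t0 + 61, nfs_replays)),
                        ("tampered", lambda: verify(nfs_key, tampered, auth, t0 + 60, nfs_replays)),
                        ("after_expiry", lambda: alice.ap_req("nfs/storage01", t0 + 9 * 3600))):
        try:
            step(); out[label] = "succeeded"
        except ValueError as e:
            out[label] = str(e)
    return out
```

Running demo() returns a dictionary that records the points made above: the service learns the client name from the ticket, not from anything the client asserted in the clear; two requests to the same service cost a single TGS round trip because the second is served from the credential cache; a verbatim resend of an earlier request is rejected as replayed; a ticket with one flipped byte fails the integrity check before anything in it is trusted; and once the TGT lapses the client has to log on, and so use the password, again.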
AuthAgent Kerberos includes support for standards-based encryption and checksum
algorithms for data confidentiality and message integrity verification, including:
- DES
- Triple-DES
- SHA-1
- MD5
- CRC
Note that SHA-1, MD5 and CRC are checksum (integrity) algorithms rather than ciphers,
and that the DES and Triple-DES encryption types, together with the MD5 and CRC
checksums tied to them, have since been deprecated for Kerberos use (RFC 6649 for DES,
RFC 8429 for Triple-DES). Deployments should prefer the AES encryption types of
RFC 3962 wherever the KDC and peer support them.

AuthAgent Kerberos may be used in application-level protocols such as telnet or FTP
to provide “user to embedded device” security, or as the implicit authentication
mechanism of data streams or RPC mechanisms. It can also be used at a lower level
for “embedded device to host” security, or between embedded devices, over any
standard or proprietary network protocol carried on IP, UDP or TCP. It also finds
application in larger credential-based frameworks such as GSS-API. AuthAgent Kerberos
is designed to be used as a standalone authentication mechanism in applications where
only authenticated access control is needed, or as an add-on to network security
solutions such as TeamF1’s SSHield SecureShell, where its authentication can be
complemented with protocols that protect data in transit.