PennNet-21: Central Authentication Strategy Document

Central Authentication Infrastructure

PennNet-21 Strategy Document
Shumon Huque, University of Pennsylvania
Last revised: March 1st 2004

HISTORIC ISSUE/PROBLEM STATEMENT

The old central PennNet Authentication System (PAS) was used by a large and growing number of the network services available to the Penn community. But PAS had many shortcomings. It authenticated users by verifying reusable passwords that were transmitted over the network in the clear, which made it vulnerable to various forms of eavesdropping and password-guessing. It relied on custom network protocols designed at Penn, so any service that used PAS required non-standard software in order to authenticate users. It had no provisions for high availability. And it lacked Single Sign-on functionality that would make authentication easier and more convenient for users.

DIRECTION

The new Central Authentication System deployed at Penn is called "PennKey" and is based on Kerberos.

Kerberos is a standards-based central authentication system that employs symmetric key cryptrography. The authentication function is mediated by a set of trusted servers on the network called Key Distribution Centers (KDCs). The system provides mutual authentication, in which both parties in the communication (clients and servers) are authenticated to each other. It also provides facilities for session encryption and integrity protection. Kerberos prevents the transmission of user passwords over the network (in the clear or even encrypted). Passwords are only used to encrypt and decrypt time-limited cryptographic credentials which are subsequently used in the authentication function. A special service called the "ticket granting service" provides a much desired Single Sign-on capability.

The core Kerberos infrastructure consists of multiple (currently three) redundant Key Distribution Centers (KDCs) that provide the Kerberos authentication, ticket-granting and administration services. Each KDC is located in a distinct building on a distinct network (IP subnet) with redundant connectivity to the campus routing core via distinct routing equipment. The Kerberos protocol supports multiple servers and transparently fails over to alternate servers. This design provides a high availability central authentication service that is resistant to a wide variety of server and network failures, and even environmental disasters. All KDC server platforms are maximally secured against intrusion, even at the cost of making routine systems administration more difficult (eg. by limiting physical access to the server hardware and disallowing all unnecessary network services, including remote logins.) Sensitive KDC data does not appear on backup tapes in an unencrypted form, and any encryption keys required for backups are stored in physically secure facilities for disaster recovery purposes.

Additional software infrastructure provides convenient and secure facilities for online user account management and server principal and key management. A test Kerberos infrastructure provides facilities for Kerberos administrators to test new KDC software functionality. A RADIUS authentication service is also available to allow Kerberos password verification for applications that don't currently support native Kerberos authentication. In this scheme the application transmits the users Kerberos password in a cryptographically secure manner to a RADIUS service which subsequently authenticates the user to the Kerberos service. It is meant as a transitional mechanism only until the application can support the Kerberos protocol directly.

PROGRESS SO FAR

The core Kerberos infrastructure has been operational since the spring of 2000. The PAS service was retired in October 2002. Old PAS-authenticated services have either been transitioned to Kerberos authentication or re-architected to use the RADIUS service for Kerberos password verification as an interim step to direct use of Kerberos.

FUTURE PLANS

Milestones remaining to be completed include:

Investigate Two-factor authentication systems for increased security (combining Kerberos passwords with hardware tokens for pre-authentication.) Due to issues of cost, this functionality will most likely initially be considered for Kerberos system administrators only.
Implement a multi-master Kerberos Administration service (KADM).
Allow use of strong encryption key types only (3DES/RC4 128/AES 128/AES 256.)
Find native Kerberos authenticated solutions for some popular protocols: HTTP, 802.1X/EAP etc
Long-term migration of all clients from simple password verification via RADIUS to single-sign-on via Kerberos.
Retire legacy RADIUS password verification service.
Design and deploy Kerberos authenticated services for Central Authorization and Accounting.

REFERENCES

Shumon Huque, Lead Engineer
Information Systems & Computing, University of Pennsylvania