|
|
 |
| AuthAgent Kerberos |
| Embedded Kerberos V
Authentication |
|
AuthAgent Kerberos
is an embedded implementation of the Kerberos V
authentication protocol (RFC 4120) for client agents and network services
running on embedded platforms. Being fully interoperable with Unix® Kerberos Key
Distribution Centers (KDCs) and Microsoft® Active Directory Services in Windows®
servers, it allows for seamless secure authentication in heterogeneous
environments. With Kerberos becoming a preferred authentication mechanism for
several network security protocols and a required part of several industry
specifications, AuthAgent Kerberos provides a convenient way to add
highly-secure authentication to embedded devices.
|
|
|
|
|
|
|
|
|
|
|
|
| Secure Authentication |
| Transmission of
plain-text authentication information such as passwords
is clearly the weakest link in user authentication
systems. It is susceptible to "eavesdropping" where the
password itself is compromised, or "replay attacks" that
simply retransmit previously sniffed encoded passwords
to gain access to critical network services. The
Kerberos protocol was specifically designed to eliminate
the need to demonstrate possession of private or secret
information (the password) by divulging the information
itself. Additionally, AuthAgent Kerberos includes data
integrity checks to ensure that messages on the network
are not tampered with, and message privacy. |
|
|
|
|
Tickets and Key Distribution |
|
The basic unit that a Kerberos system uses
to avoid sending passwords in the clear is called a "ticket". A
Kerberos ticket is a record that allows a client to authenticate
itself to a service. It contains the client's identity, a
session key, a timestamp, and other information, all sealed
using the service's secret key. Kerberos tickets are given out
by an enterprise network service called the Key Distribution
Center (KDC), which supplies tickets and temporary session keys,
and hosts a database of users and services. AuthAgent Kerberos
provides the functionality for embedded network clients present
and store KDC granted tickets to any Kerberos-enabled network
services. It also includes the functionality to present the
initial Ticket Granting Ticket Granting Service (TGS) for
service-specific tickets. |
 |
|
 |
|
|
|
PKINIT |
|
AuthAgent Kerberos can perform the initial
authentication using X.509 formatted digital certificates as
described in RFC 4556 (Public Key Cryptography for Initial
Authentication in Kerberos – PKINIT). AuthAgent Kerberos’ PKINIT
implementation is interoperable Heimdal and Windows Active
Directory implementations when used in combination with TeamF1’s
AuthAgent X.509 product. AuthAgent X.509 accepts certificates as
files or as smartcard. Smartcard support is implemented using PKCS11. |
|
|
|
Single Logon |
|
When the principals being authenticated are
users, AuthAgent Kerberos enables a single sign-on solution.
Clients have to authenticate themselves only once to the KDC to
obtain an initial TGT ticket. Further service specific tickets
are automatically granted via a ticket-granting sevice (TGS)
during validity of the TGT. AuthAgent Kerberos allows
for caching the individual tickets allowing them to be re-used
until their validity expires, eliminating the need to repeatedly
request tickets for the same service. |
|
|
|
Kerberos-enabled Clients & Services |
|
AuthAgent Kerberos easily "kerberizes"
embedded clients, allowing standard network client applications
in any multi-platform environment to authenticate to
Kerberos-enabled services. Similarly, network services that need
to be Kerberos-enabled, and accept ticket-based authenticated
sessions, can be secured with AuthAgent Kerberos.
Kerberos-enabling of embedded clients and services is achieved
using very few simple API calls during session initiation or
initialization respectively. |
|
|
|
Standards-based Encryption |
|
AuthAgent Kerberos includes support for the
latest standards-based ciphers for data encryption and message
integrity verification, such as: |
 |
Triple-DES/DES |
|
|
AES |
|
|
SHA-1 |
|
|
MD-5 |
|
|
CRC |
|
|
|
|
Applications |
|
AuthAgent Kerberos may be used in
application-level protocols, such as telnet or FTP, to provide
"user to embedded device" security or as the implicit
authentication system of data streams or RPC mechanisms. It can
also be used at a lower level for "embedded device to host
security" or between embedded devices, in any standard or
proprietary network protocols including IP, UDP, and TCP. It
also finds application in larger credential based frameworks
such as GSS-API. AuthAgent Kerberos is designed to be used as a
standalone authentication mechanism in applications where only
access control is important, or as a seamless add-on to network
security solutions such as TeamF1’s SSHield SecureShell and V-IPSecure
IPsec/IKE, where its authentication can be used along with
network security protocols that protect data in transit. |
| |
|
|
|
