08-04-2006, 12:40 PM   #1
Yangchun (Freshman; Join Date: Aug 2006; Posts: 3)

Single Sign On Architecture

I have a problem making my thesis. Can anyone tell me about Kerberos, single sign-on and RADIUS servers? Or maybe give me some references?
08-04-2006, 10:33 PM   #2
Will.Spencer (Professor; Join Date: Jul 2005; Posts: 2,208)

Kerberos

Kerberos is a network authentication protocol which utilizes symmetric cryptography to provide authentication for client-server applications.

The Kerberos Standard Definition

Kerberos is defined in RFC 1510 - The Kerberos Network Authentication Service (V5).

The Kerberos Architecture

The core of a Kerberos architecture is the KDC (Key Distribution Server). The KDC stores authentication information and uses it to securely authenticate users and services.

This authentication is called secure because it:
  • Does not occur in plaintext
  • Does not rely on authentication by the host operating system
  • Does not base trust on IP addresses
  • Does not require physical security of the network hosts
The KDC acts as a trusted third party in performing these authentication services.

Due to the critical function of the KDC, multiple KDC's are normally utilized. Each KDC stores a database of users, servers, and secret keys.
Kerberos clients are normal network applications which have been modified to use Kerberos for authentication. In Kerberos slang, they have been Kerberized.

The Kerberos Protocol

Kerberos defines ten messages that make up the Kerberos protocol:
    1. KRB_AS_REQ - Kerberos Authentication Service Request
    2. KRB_AS_REP - Kerberos Authentication Service Reply
    3. KRB_AP_REQ - Kerberos Application Request
    4. KRB_AP_REP - Kerberos Application Reply
    5. KRB_TGS_REQ - Kerberos Ticket Granting Service Request
    6. KRB_TGS_REP - Kerberos Ticket Granting Service Reply
    7. KRB_SAFE - Kerberos Safe (Checksummed) Application Message
    8. KRB_PRIV - Kerberos Private (Encrypted) Application Message
    9. KRB_CRED - Kerberos Credentials
    10. KRB_ERROR - Kerberos Error

Kerberos Implementations

MIT Kerberos is the reference implementation. MIT Kerberos supports DEC Unix, Linux, Irix, Solaris, Windows and MacOS.

Several other commercial and non-commercial Kerberos implementations are also available.

Microsoft added a slightly modified version of Kerberos v5 authentication in Windows 2000.

Kerberos Weaknesses

Because the KDC's store secret keys for every user and server on the network, they must be kept completely secure. If an attacker were to obtain administrative access to the KDC, he would have access to the complete resources of the Kerberos realm.
Kerberos tickets are cached on the client systems. If an attacker gains administrative access to a Kerberos client system, he can impersonate the authenticated users of that system.

Kerberos Encryption Protocols

Kerberos uses the DES algorithm for encryption. Kerberos also supports the CRC-32, MD4, MD5, and DES algorithms for checksums. Kerberos implementations are free to add additional algorithms for encryption and checksumming.

Additional Reading on Kerberos

RFC 1510 is an excellent resource for understanding the Kerberos protocol.

The Kerberos FAQ is also very well written and answers many questions that you will have.
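To make the three-party exchange described in the post concrete, here is an added example that is not code from the post and not MIT Kerberos: a toy KDC, client and Kerberized service running the AS, TGS and AP exchanges in Python. Everything in it is constructed for illustration: the cipher (`seal`/`unseal`, a SHA-256 keystream with an HMAC-SHA256 tag, standing in for the DES enctypes the post mentions), the password-to-key function, the realm `EXAMPLE.COM`, the principals `alice` and `host/fileserver`, and the lifetimes. Real Kerberos wraps these messages in ASN.1 and adds many more fields, but the trust relationships are the same: only the KDC and the user hold the user's key, only the KDC and the service hold the service's key, and the service never contacts the KDC.

```python
import hashlib
import hmac
import json
import os
import time

# --- toy symmetric cipher (constructed for this example; real Kerberos uses its own
#     DES/AES enctypes). SHA-256 counter-mode keystream + HMAC-SHA256 tag. ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a small JSON dict under a symmetric key."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password: str, realm: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function: the user's long-term key is
    # derived from the password, so only the user and the KDC can hold it.
    return hashlib.sha256((realm + ":" + password).encode()).digest()

TICKET_LIFETIME = 600   # seconds; constructed value
MAX_SKEW = 300          # authenticators outside the clock-skew window are rejected

class KDC:
    """The trusted third party: holds the long-term key of every principal."""
    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}                 # principal -> long-term key: the post's weakness #1
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service itself

    def add_user(self, name: str, password: str) -> None:
        self.keys[name] = password_key(password, self.realm)

    def add_service(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)
        return self.keys[name]         # in practice installed in the service's keytab

    def _ticket(self, key: bytes, client: str):
        session = os.urandom(32)
        ticket = seal(key, {"client": client, "session": session.hex(),
                            "expires": time.time() + TICKET_LIFETIME})
        return session, ticket

    def as_exchange(self, client: str) -> bytes:
        """KRB_AS_REQ -> KRB_AS_REP: a TGT plus a session key, encrypted under the
        user's long-term key. A wrong password simply cannot open the reply."""
        session, tgt = self._ticket(self.tgs_key, client)
        return seal(self.keys[client], {"session": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """KRB_TGS_REQ -> KRB_TGS_REP: check the TGT and authenticator, then issue a
        service ticket encrypted under the service's long-term key."""
        t = unseal(self.tgs_key, tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > MAX_SKEW:
            raise ValueError("authenticator rejected")
        session, ticket = self._ticket(self.keys[service], t["client"])
        return seal(bytes.fromhex(t["session"]),
                    {"session": session.hex(), "ticket": ticket.hex()})

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """KRB_AP_REQ -> KRB_AP_REP on the Kerberized server. The service never talks to
    the KDC: its own long-term key is enough to verify the ticket."""
    t = unseal(service_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("service ticket expired")
    session = bytes.fromhex(t["session"])
    a = unseal(session, authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > MAX_SKEW:
        raise ValueError("authenticator rejected")
    # AP_REP: echo the timestamp under the session key to prove the service is genuine
    return t["client"], seal(session, {"ts": a["ts"]})

def login(kdc: KDC, user: str, password: str, service: str, service_key: bytes) -> str:
    """Client side of the whole exchange; returns the name the service authenticated.
    The session keys and tickets held here are the post's weakness #2."""
    ukey = password_key(password, kdc.realm)
    as_rep = unseal(ukey, kdc.as_exchange(user))                    # messages 1 and 2
    tgs_session, tgt = bytes.fromhex(as_rep["session"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(tgs_session, kdc.tgs_exchange(                   # messages 5 and 6
        tgt, seal(tgs_session, {"client": user, "ts": time.time()}), service))
    svc_session = bytes.fromhex(tgs_rep["session"])
    who, ap_rep = service_accept(service_key, bytes.fromhex(tgs_rep["ticket"]),
                                 seal(svc_session, {"client": user, "ts": time.time()}))
    unseal(svc_session, ap_rep)   # messages 3 and 4: mutual authentication completes
    return who

if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")                      # constructed realm
    kdc.add_user("alice", "correct horse")
    fs_key = kdc.add_service("host/fileserver")
    print(login(kdc, "alice", "correct horse", "host/fileserver", fs_key))   # alice
```

Two things worth noticing when running it: a wrong password fails at the very first `unseal`, because the AS reply is encrypted under the key derived from the password and the KDC never sees the password itself; and a ticket issued for `host/fileserver` is useless at a service holding a different key, because the ticket is sealed under the service's own long-term key. The `kdc.keys` dictionary is the single store the post warns about: whoever reads it can impersonate any principal in the realm, which is why KDCs are isolated and replicated rather than shared with other workloads.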
08-04-2006, 10:35 PM   #3
Will.Spencer (Professor; Join Date: Jul 2005; Posts: 2,208)

Single Sign-On

What is single sign-on?

Single Sign-On is a term which describes an enterprise-wide identity management system.
In a Single Sign-On system, each user has one username and one password for all of the systems, devices, and applications to which she has access.

The two methods utilized by Single Sign-On systems to do this are:
  • Password synchronization - The Single Sign-On system copies the username and password configuration to each system
  • Centralized account management - Each system is configured to query a central database for user authentication and authorization
Single Sign-On systems have the promise of saving IT organizations significant resources in terms of lost user time and reduced password resets. In addition, Single Sign-On systems can significantly increase the security of an IT environment.

Single Sign-On is often abbreviated SSO.
08-04-2006, 10:36 PM   #4
Will.Spencer (Professor; Join Date: Jul 2005; Posts: 2,208)

Radius

RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a protocol for remote user authentication and accounting.

RADIUS enables centralized management of authentication data, such as usernames and passwords.

When a user attempts to log in to a RADIUS client, such as a router, the router sends the authentication request to the RADIUS server. The communication between the RADIUS client and the RADIUS server is authenticated and encrypted through the use of a shared secret, which is not transmitted over the network.

The RADIUS server may store the authentication data locally, but it can also store authentication data in an external SQL database or an external Unix /etc/passwd file. The RADIUS server can also plug into a PAM (Pluggable Authentication Service) architecture to retrieve authentication data.

The role of the RADIUS server as the centralized authentication server makes it an excellent choice for also performing accounting.
RADIUS can significantly increase security by enabling the centralization of password management. Of course, the other side of that argument is that once you take over the RADIUS server, you have everything.
RADIUS servers are available from many vendors. In addition, GNU RADIUS is an excellent non-commercial option.

RADIUS utilizes the MD5 algorithm for secure password hashing.

RADIUS is the de facto authentication provider in 802.11i wireless networks.
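As an added example (not code from the post, and not from GNU RADIUS or any other real server), the following Python builds the RFC 2865 Access-Request / Access-Accept exchange the post describes between a RADIUS client such as a router and the RADIUS server: the User-Password attribute is hidden with MD5 and the shared secret, and the Response Authenticator is what lets the client check the server's reply without the secret ever crossing the wire. The shared secret, the user store and the packet identifiers are constructed values; the packet layout, attribute encoding and MD5 constructions follow RFC 2865 sections 3 and 5.2.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-octet Authenticator follows

def attribute(atype: int, value: bytes) -> bytes:
    # Type (1 octet), Length (1 octet, counting the two header octets), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while len(data) >= 2:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then XOR
    each block with MD5(secret + previous ciphertext block); the first block is
    keyed by the Request Authenticator, so the same password looks different
    in every request."""
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()

def access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """RADIUS client (NAS) side: build an Access-Request with a fresh, unpredictable
    Request Authenticator and keep that authenticator to verify the reply."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, username) + \
            attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password with the shared secret, check it
    against the (constructed) local user store, answer Accept or Reject."""
    code, ident, length = HEADER.unpack(request[:HEADER.size])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs.get(USER_NAME, b"")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], pw)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return packet(reply_code, ident, auth, b"")

def client_verify(reply: bytes, request_auth: bytes, secret: bytes):
    """NAS side: recompute the Response Authenticator. A reply that fails this check
    (wrong secret, tampering, a spoofed server) must be discarded, not acted on."""
    code, ident, length = HEADER.unpack(reply[:HEADER.size])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20]), code

if __name__ == "__main__":
    secret, users = b"s3cr3t-shared", {b"bob": b"hunter2"}      # constructed values
    req, ra = access_request(7, b"bob", b"hunter2", secret)
    print(client_verify(server_handle(req, secret, users), ra, secret))   # (True, 2)
```

Note what the shared secret does and does not buy: the client can verify the server's reply through the Response Authenticator, and the password is masked rather than sent in the clear, but in base RFC 2865 the Access-Request itself carries no integrity check and the masking is an MD5 keystream rather than real encryption. That is why the Message-Authenticator attribute of RFC 2869 is added on top, and why RADIUS traffic is normally confined to a management network or carried inside TLS (RadSec, RFC 6614) rather than trusted across an untrusted LAN.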
08-07-2006, 02:04 PM   #5
Yangchun (Freshman; Join Date: Aug 2006; Posts: 3)

Thank you to Mr. Will.

Thanks for your explanation...
I am a little bit confused.
I want to build SSO on a wireless LAN, but I am still confused by the SSO architecture. How many servers are needed to make the SSO distributed system?

Any advice for me, Mr. Will?
08-07-2006, 02:41 PM   #6
Will.Spencer (Professor; Join Date: Jul 2005; Posts: 2,208)

SSO doesn't necessarily require a lot of servers, it requires that all of your network devices, servers, desktops, databases, and applications work together.

Let's say that you have a database in the center of your SSO architecture. This database can have a lot of fields, but the two most important fields are username and password.

That database could be RADIUS, LDAP, ActiveDirectory, etc...

Every network device, server, desktop, database, and application software package in your environment must be configured to use that one central database to retrieve those username and password combinations. This is the authentication component of AAA.

Other fields will be needed in that central database to store authorization information. That is, once the system knows who you are it also needs to know what you are authorized to do.

This is true SSO, where all of the systems share the same username and password. An alternative approach is to have application software on the central server which stores your single username and password -- and then stores individual usernames and passwords for each network device, server, desktop, database, and application which you are authorized to access. With this type of SSO, you login to the central server with one username and password and it logs you into everything else. You never know your actual passwords on any of the other systems.

SSO was having a lot of trouble gaining a foothold in the IT business market. It recently received two major boosts. The first was by combining with User Provisioning to become Identity Management (IdM). IdM offers a much greater value proposition to businesses. The second boost, now to IdM, comes from the myriad of well meaning but poorly written and confusing federal legislation that has become law in recent years. Sarbanes-Oxley and HIPAA are two of the major pieces of legislation, but there are many more. Businesses are implementing IdM in an attempt to meet the spirit of these laws. The laws are so poorly written and confusing so as to make meeting the letter of the law effectively irrelevant.
08-16-2006, 03:36 PM   #7
Yangchun (Freshman; Join Date: Aug 2006; Posts: 3)

Thank you :>

Thank you, Mr. Will, for your advice, you have helped me a lot... I'll try it...