Network authentication service protocols

Network authentication service uses the Kerberos protocol together with the Generic Security Services (GSS) APIs to provide authentication and related security services.

This topic provides a general description of the network authentication service protocols and how they are used in the IBM® i environment. For more complete information about these standards, links are provided to the associated Request for Comments standards and other external sources.

Kerberos protocol

The Kerberos protocol provides third-party authentication: users prove their identities to a centralized server, called a Kerberos server or key distribution center (KDC), which issues tickets to the users. The users can then present these tickets to prove their identities on the network. The ticket eliminates the need for separate sign-ons to different systems. The Network Authentication Service APIs that the IBM i environment supports originated at the Massachusetts Institute of Technology (MIT) and have become the de facto standard for using the Kerberos protocol.

Security environment assumptions

The Kerberos protocol assumes that all data exchanges occur in an environment where packets can be inserted, changed, or intercepted at will. Use Kerberos as one layer of an overall security plan. Although the Kerberos protocol allows you to authenticate users and applications across your network, you should be aware of some limitations when you define your network security objectives:

  • The Kerberos protocol does not protect against denial-of-service attacks. There are places in these protocols where an intruder can prevent an application from participating in the correct authentication steps. Detection and solution of such attacks are typically best left to human administrators and users.
  • Key sharing or key theft can allow impersonation attacks. If intruders somehow steal a principal's key, they will be able to masquerade as that user or service. To limit this threat, prohibit users from sharing their keys and document this policy in your security regulations.
  • The Kerberos protocol does not protect against typical password vulnerabilities, such as password guessing. If a user chooses a poor password, an attacker might successfully mount an offline dictionary attack by repeatedly attempting to decrypt messages that are encrypted under a key derived from the user's password.

Kerberos sources

Requests for Comments (RFCs) are written definitions of protocol standards and proposed standards used for the Internet. The following RFCs might be helpful for understanding the Kerberos protocol:
RFC 1510
In RFC 1510: The Kerberos Network Authentication Service (V5), the Internet Engineering Task Force (IETF) formally defines Kerberos Network Authentication Service (V5).

To view the RFC listed, visit the RFC index search engine on the RFC editor Web site. Search for the RFC number you want to view. The search engine results display the corresponding RFC title, author, date, and status.

Kerberos: The Network Authentication Protocol (V5)
Massachusetts Institute of Technology's official documentation of the Kerberos protocol provides programming information and describes features of the protocol.

Generic Security Services (GSS) APIs

Generic Security Services Application Programming Interfaces (GSS APIs) provide security services generically and are supported by a range of security technologies, such as the Kerberos protocol. This allows GSS applications to be ported to different environments. For this reason, it is recommended that you use these APIs instead of the Kerberos APIs. You can write applications that use GSS APIs to communicate with other applications and clients in the same network. Each of the communicating applications plays a role in this exchange. Using GSS APIs, applications can perform the following operations:

  • Determine another application's user identification.
  • Delegate access rights to another application.
  • Apply security services, such as confidentiality and integrity, on a per-message basis.
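The following is an added illustration, not IBM's code or the MIT Kerberos implementation. It models in one script the ticket flow described under "Kerberos protocol" above (a client obtains a ticket from a KDC, presents it with an authenticator to a service, and the service verifies it with its own long-term key) and the three GSS operations listed here: learning the peer's identity from the accepted ticket, and applying integrity-only (MIC) or confidentiality-plus-integrity (wrap) protection per message with the session key. It is simplified: the TGT and TGS exchange are collapsed into a single ticket-issuing exchange, the "cipher" is a demo construction built from standard-library hashing rather than a Kerberos encryption type, and all principal names, passwords and messages are constructed values.

```python
"""Toy model of a Kerberos-style ticket exchange followed by GSS-style
per-message protection. Constructed for illustration: the cipher is a demo
construction from stdlib hashing (not a Kerberos enctype), the TGT/TGS step
is collapsed into one exchange, and KDC, client and service run in-process."""
import hashlib, hmac, os, struct, time

CLOCK_SKEW = 300  # seconds; authenticators further from our clock are rejected


def password_key(password: str, salt: str) -> bytes:
    """Long-term key derived from a principal's password (string-to-key).
    A guessable password makes everything sealed under this key guessable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Demo authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered token")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds every principal's long-term key; keys never leave the KDC."""
    def __init__(self):
        self.keys = {}

    def add_principal(self, name: str, password: str):
        self.keys[name] = password_key(password, name)

    def issue_ticket(self, client: str, service: str):
        """Ticket sealed under the service key, reply sealed under the client
        key; both carry the same fresh session key (AS and TGS steps merged)."""
        session = os.urandom(32)
        ticket = seal(self.keys[service], client.encode() + b"\0" + session)
        reply = seal(self.keys[client], service.encode() + b"\0" + session)
        return ticket, reply


class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, password_key(password, name)

    def get_ticket(self, kdc: KDC, service: str):
        """Only a client holding the right password can open the KDC reply."""
        ticket, reply = kdc.issue_ticket(self.name, service)
        svc, _, session = unseal(self.key, reply).partition(b"\0")
        if svc != service.encode():
            raise ValueError("KDC reply names a different service")
        return ticket, session

    def authenticator(self, session: bytes, now: float) -> bytes:
        """Proof of session-key possession, bound to the sender's clock."""
        return seal(session, self.name.encode() + b"\0" + struct.pack(">d", now))


class Service:
    def __init__(self, name: str, password: str):
        self.key = password_key(password, name)   # the keytab key in practice
        self.replay_cache = set()

    def accept(self, ticket: bytes, auth: bytes, now: float):
        """AP exchange: open the ticket with our own key, then check the
        authenticator for principal match, freshness and replay."""
        client, _, session = unseal(self.key, ticket).partition(b"\0")
        who, _, ts = unseal(session, auth).partition(b"\0")
        if who != client:
            raise ValueError("authenticator principal does not match ticket")
        if abs(now - struct.unpack(">d", ts)[0]) > CLOCK_SKEW:
            raise ValueError("authenticator outside allowed clock skew")
        if auth in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(auth)
        return client.decode(), session   # peer identity + per-message key


# GSS-style per-message services over the established session key.
def gss_wrap(session: bytes, msg: bytes) -> bytes:       # confidentiality + integrity
    return seal(session, msg)

def gss_unwrap(session: bytes, token: bytes) -> bytes:
    return unseal(session, token)

def gss_get_mic(session: bytes, msg: bytes) -> bytes:    # integrity only
    return hmac.new(session, msg, hashlib.sha256).digest()

def gss_verify_mic(session: bytes, msg: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(gss_get_mic(session, msg), mic)


def demo() -> dict:
    """Run the flow with constructed principals and report each check's outcome."""
    kdc, now = KDC(), time.time()
    kdc.add_principal("alice", "correct horse battery staple")
    kdc.add_principal("host/db.example.com", "constructed-keytab-secret")
    alice = Client("alice", "correct horse battery staple")
    db = Service("host/db.example.com", "constructed-keytab-secret")
    ticket, session = alice.get_ticket(kdc, "host/db.example.com")
    auth = alice.authenticator(session, now)
    peer, svc_session = db.accept(ticket, auth, now)
    out = {"peer": peer, "plaintext": gss_unwrap(svc_session, gss_wrap(session, b"SELECT 1"))}
    mic = gss_get_mic(session, b"SELECT 1")
    out["mic_ok"] = gss_verify_mic(svc_session, b"SELECT 1", mic)
    out["mic_tamper_detected"] = not gss_verify_mic(svc_session, b"SELECT 2", mic)
    for label, call in (
        ("replay_rejected", lambda: db.accept(ticket, auth, now)),
        ("stale_rejected", lambda: db.accept(ticket, alice.authenticator(session, now - 2 * CLOCK_SKEW), now)),
        ("wrong_password_rejected", lambda: Client("alice", "guess").get_ticket(kdc, "host/db.example.com")),
    ):
        try:
            call()
            out[label] = False
        except ValueError:
            out[label] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The service learns who the peer is purely from the ticket it decrypted with its own key, never from anything the client asserts in the clear; the clock-skew window and replay cache are the two checks that make a captured authenticator useless later, which is why Kerberos deployments depend on synchronized clocks. The wrong-password case fails at `unseal` on the KDC reply, which is also the point the page's note on offline dictionary attacks refers to: the only thing standing between a captured reply and the session key is the strength of the password behind `password_key`.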

GSS API sources

Requests for Comments (RFCs) are written definitions of protocol standards and proposed standards used for the Internet. The following RFCs might be helpful for understanding the GSS APIs:
RFC 2743
In RFC 2743: Generic Security Service Application Program Interface Version 2, Update 1, the Internet Engineering Task Force (IETF) formally defines GSS APIs.
RFC 1509
In RFC 1509: Generic Security Service API: C-bindings, the Internet Engineering Task Force (IETF) formally defines GSS APIs.
RFC 1964
In RFC 1964, The Kerberos Version 5 GSS-API Mechanism, the Internet Engineering Task Force (IETF) defines Kerberos Version 5 and GSS API specifications.

To view the RFCs listed, visit the RFC index search engine on the RFC editor Web site. Search for the RFC number you want to view. The search engine results display the corresponding RFC title, author, date, and status.