Network authentication service protocols

Network authentication service uses the Kerberos protocol, together with the Generic Security Services (GSS) APIs, to provide authentication and related security services (message integrity and confidentiality) to applications on the network.

The following sections give a general description of these protocols and how they are used on the iSeries™. For more complete information about these standards, links are provided to the associated Requests for Comments (RFCs) and other external sources.

Kerberos protocol

The Kerberos protocol provides third-party authentication: a user proves his or her identity to a centralized server, called a Kerberos server or key distribution center (KDC), which issues tickets to the user. The KDC shares a secret key with every user and service (principal) in its realm, and each ticket is encrypted under the key of the service it is meant for, so a service can verify a ticket with its own key and never needs to contact the KDC during the authentication itself. The user presents these tickets to prove his or her identity to services on the network, which eliminates the need for separate sign-ons to each system. The Network Authentication Service Application Programming Interfaces (APIs) that the iSeries supports originated at the Massachusetts Institute of Technology (MIT), whose implementation has become the de facto reference for the Kerberos protocol.
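The exchange described above, as an added, simplified model that is not part of the original page and not the iSeries or MIT implementation: a KDC issues a ticket-granting ticket (AS exchange), then a service ticket (TGS exchange), and the client presents that ticket with an authenticator to a service (AP exchange). HMAC-SHA256 stands in for real Kerberos encryption types, the realm, principal names and passwords are made up, and the tamper and replay cases at the end exercise the hostile-network assumptions discussed in the next section.

```python
# Toy model of the Kerberos V5 AS, TGS and AP exchanges (assumption: HMAC-SHA256
# encrypt-then-MAC stands in for the real enctypes; names and passwords are made up).
import hashlib, hmac, json, secrets, time
SKEW = 300           # tolerated clock skew in seconds (a typical krb5 default)

def string2key(principal, password):   # stand-in for the Kerberos string-to-key function
    return hashlib.sha256(principal.encode() + b"\0" + password.encode()).digest()

def _keystream(key, iv, n):
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):                    # encrypt-then-MAC; models an EncryptedData field
    pt = json.dumps(obj).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")   # wrong key or modified bytes
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

def check_authenticator(tkt, auth_blob, replay_cache=None):
    # Shared by the TGS and the application server: the sender must hold the ticket's
    # session key, name the same client as the ticket, and be fresh and not replayed.
    now = time.time()
    if not tkt["start"] - SKEW <= now <= tkt["end"]:
        raise ValueError("ticket expired or not yet valid")
    auth = unseal(bytes.fromhex(tkt["key"]), auth_blob)
    if auth["cname"] != tkt["cname"] or abs(now - auth["ctime"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    if replay_cache is not None:
        if (auth["cname"], auth["ctime"]) in replay_cache:
            raise ValueError("replayed authenticator")
        replay_cache.add((auth["cname"], auth["ctime"]))

class KDC:
    def __init__(self, realm):
        self.tgs = "krbtgt/" + realm
        self.keys = {self.tgs: secrets.token_bytes(32)}   # principal -> long-term key
    def add_principal(self, name, password):
        self.keys[name] = string2key(name, password)
    def _ticket(self, sname, cname, session, life=600):  # sealed under the SERVICE key
        now = time.time()
        return seal(self.keys[sname], {"cname": cname, "key": session.hex(),
                                       "start": now, "end": now + life})
    def as_exchange(self, cname, nonce):                   # AS-REQ -> AS-REP
        session = secrets.token_bytes(32)
        enc_part = seal(self.keys[cname], {"key": session.hex(), "nonce": nonce})
        return self._ticket(self.tgs, cname, session), enc_part
    def tgs_exchange(self, tgt, auth_blob, sname, nonce):  # TGS-REQ -> TGS-REP
        tkt = unseal(self.keys[self.tgs], tgt)
        check_authenticator(tkt, auth_blob)
        session = secrets.token_bytes(32)
        enc_part = seal(bytes.fromhex(tkt["key"]), {"key": session.hex(), "nonce": nonce})
        return self._ticket(sname, tkt["cname"], session), enc_part

class Client:
    def __init__(self, kdc, cname, password):
        self.kdc, self.cname, self.key = kdc, cname, string2key(cname, password)
    def kinit(self):                                       # AS exchange: the one sign-on
        nonce = secrets.token_hex(8)
        self.tgt, enc_part = self.kdc.as_exchange(self.cname, nonce)
        part = unseal(self.key, enc_part)                  # a wrong password fails here
        if part["nonce"] != nonce:
            raise ValueError("AS-REP nonce mismatch")
        self.tgt_key = bytes.fromhex(part["key"])
    def _authenticator(self, key):
        return seal(key, {"cname": self.cname, "ctime": time.time()})
    def ap_req(self, sname):                               # TGS exchange, then build AP-REQ
        nonce = secrets.token_hex(8)
        tkt, enc_part = self.kdc.tgs_exchange(
            self.tgt, self._authenticator(self.tgt_key), sname, nonce)
        svc_key = bytes.fromhex(unseal(self.tgt_key, enc_part)["key"])
        return tkt, self._authenticator(svc_key), svc_key

class Service:
    def __init__(self, kdc, sname):                        # keytab copy; no KDC contact later
        self.key, self.replay_cache = kdc.keys[sname], set()
    def accept(self, tkt_blob, auth_blob):                 # AP exchange
        tkt = unseal(self.key, tkt_blob)
        check_authenticator(tkt, auth_blob, self.replay_cache)
        return tkt["cname"], bytes.fromhex(tkt["key"])

def rejected(action):
    try: action(); return False
    except ValueError: return True

def demo():
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice@EXAMPLE.COM", "correct horse")
    kdc.add_principal("host/app1.example.com@EXAMPLE.COM", secrets.token_hex(16))
    svc = Service(kdc, "host/app1.example.com@EXAMPLE.COM")
    alice = Client(kdc, "alice@EXAMPLE.COM", "correct horse")
    alice.kinit()
    tkt, auth, svc_key = alice.ap_req("host/app1.example.com@EXAMPLE.COM")
    cname, key = svc.accept(tkt, auth)
    tampered = tkt[:20] + bytes([tkt[20] ^ 1]) + tkt[21:]  # flip one ciphertext byte
    return {"authenticated_as": cname, "session_key_shared": key == svc_key,
            "tampered_ticket_rejected": rejected(lambda: svc.accept(tampered, auth)),
            "replay_rejected": rejected(lambda: svc.accept(tkt, auth)),
            "wrong_password_rejected": rejected(Client(kdc, "alice@EXAMPLE.COM", "wrong").kinit)}
```

The points worth noticing are that the service decrypts the ticket with its own long-term key and then checks the authenticator against the session key inside the ticket, so an attacker who captures a ticket on the wire cannot use it without that session key, and that a replayed authenticator is caught only because the service keeps a replay cache, which is why synchronized clocks and a bounded skew matter in a real deployment.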

Security environment assumptions

The Kerberos protocol assumes that all data exchanges take place in an environment where packets can be inserted, changed, or intercepted at will; it relies on encryption, timestamps, and replay detection rather than on the network for protection. Use Kerberos as one layer of an overall security plan. Although the Kerberos protocol allows you to authenticate users and applications across your network, you should be aware of some limitations when you define your network security objectives:

Kerberos sources

Requests for Comments (RFCs) are written definitions of protocol standards and proposed standards used for the Internet. The following RFCs may be helpful for understanding the Kerberos protocol:
RFC 1510
In RFC 1510: The Kerberos Network Authentication Service (V5), the Internet Engineering Task Force (IETF) formally defines Kerberos Network Authentication Service (V5). RFC 1510 has since been obsoleted by RFC 4120, which is the current specification of the protocol.

To view the RFC listed above, visit the RFC index search engine located on the RFC editor web site. Search for the RFC number you want to view. The search engine results display the corresponding RFC title, author, date, and status.

Kerberos: The Network Authentication Protocol (V5)
Massachusetts Institute of Technology's official documentation of the Kerberos protocol provides programming information and describes features of the protocol.

Generic Security Services (GSS) APIs

Generic Security Service Application Programming Interfaces (GSS APIs) provide security services generically, independent of the underlying security technology (mechanism) that implements them, such as the Kerberos protocol. An application that uses GSS APIs exchanges opaque tokens with its peer to establish a security context and then protects messages through that context, without handling Kerberos tickets or keys directly, so the application can be ported to environments that use a different mechanism. For this reason, it is recommended that you use these APIs instead of the Kerberos APIs. You can write applications that use GSS APIs to communicate with other applications and clients in the same network. Each of the communicating applications plays a role in this exchange. Using GSS APIs, applications can perform the following operations:

GSS API sources
Requests for Comments (RFCs) are written definitions of protocol standards and proposed standards used for the Internet. The following RFCs may be helpful for understanding the GSS APIs:
RFC 2743
In RFC 2743: Generic Security Service Application Program Interface Version 2, Update 1, the Internet Engineering Task Force (IETF) formally defines GSS APIs.
RFC 1509
In RFC 1509: Generic Security Service API: C-bindings, the Internet Engineering Task Force (IETF) defines the C language bindings for the GSS APIs. RFC 1509 has since been obsoleted by RFC 2744, which defines the C bindings for GSS-API Version 2.
RFC 1964
In RFC 1964: The Kerberos Version 5 GSS-API Mechanism, the Internet Engineering Task Force (IETF) defines how Kerberos Version 5 is used as a GSS-API mechanism, including the format of the context-establishment and per-message tokens. RFC 1964 has since been updated by RFC 4121.

To view the RFCs listed above, visit the RFC index search engine located on the RFC editor web site. Search for the RFC number you want to view. The search engine results display the corresponding RFC title, author, date, and status.