friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzakh_5.4.0.1/rzakhprotocol.htm

128 lines
8.4 KiB
HTML
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Network authentication service protocols" />
<meta name="abstract" content="Network authentication service uses the Kerberos protocol in conjunction with Generic Security Services (GSS) APIs for authentication to provide authentication and security services." />
<meta name="description" content="Network authentication service uses the Kerberos protocol in conjunction with Generic Security Services (GSS) APIs for authentication to provide authentication and security services." />
<meta name="DC.Relation" scheme="URI" content="rzakhconcept.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakhprotocol" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Network authentication service protocols</title>
</head>
<body id="rzakhprotocol"><a name="rzakhprotocol"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Network authentication service protocols</h1>
<div><p>Network authentication service uses the Kerberos protocol in conjunction
with Generic Security Services (GSS) APIs for authentication to provide authentication
and security services.</p>
<p> The following sections provide a general description of these protocols
and how they are used on the iSeries™. For more complete information about these
standards, links have been provided to the associated Request for Comments
standards and other external sources.</p>
<div class="section"><h4 class="sectionscenariobar">Kerberos protocol</h4><p>The
Kerberos protocol provides third party authentication where a user proves
his or her identity to a centralized server, called a Kerberos server or key
distribution center (KDC), which issues tickets to the user. The user can
then use these tickets to prove his or her identity on the network. The ticket
eliminates the need for multiple signons to different systems. The <a href="../apis/krb5list.htm">Network Authentication Service Application
Programmable Interfaces (APIs)</a> that the iSeries supports originated from Massachusetts
Institute of Technology and have become the de facto standard for using the
Kerberos protocol.</p>
<p><strong>Security environment assumptions</strong></p>
<p>The
Kerberos protocol assumes that all data exchanges occur in an environment
where packets can be inserted, changed, or intercepted at will. Use Kerberos
as one layer of an overall security plan. Although the Kerberos protocol allows
you to authenticate users and applications across your network, you should
be aware of some limitations when you define your network security objectives:</p>
<ul><li>The Kerberos protocol does not protect against denial-of-service attacks.
There are places in these protocols where an intruder can prevent an application
from participating in the correct authentication steps. Detection and solution
of such attacks are typically best left to human administrators and users.</li>
<li>Key sharing or key theft can allow impersonation attacks. If intruders
somehow steal a principal's key, they will be able to masquerade as that user
or service. To limit this threat, prohibit users from sharing their keys and
document this policy in your security regulations.</li>
<li>The Kerberos protocol does not protect against typical password vulnerabilities,
such as password guessing. If a user chooses a poor password, an attacker
might successfully mount an offline dictionary attack by repeatedly attempting
to decrypt messages that are encrypted under a key derived from the user's
password.</li>
</ul>
<p><strong>Kerberos sources</strong></p>
<div class="p">Requests for Comments (RFCs) are written
definitions of protocol standards and proposed standards used for the Internet.
The following RFCs may be helpful for understanding the Kerberos protocol:<dl><dt class="dlterm">RFC 1510</dt>
<dd>In RFC 1510: The Kerberos Network Authentication Service (V5), the Internet
Engineering Task Force (IETF) formally defines Kerberos Network Authentication
Service (V5).<p>To view the RFC listed above, visit the <a href="http://www.rfc-editor.org/rfcsearch.html" target="_blank">RFC index
search engine</a> located on the <a href="http://www.rfc-editor.org/" target="_blank">RFC editor</a> <img src="www.gif" alt="Link outside of the Information Center" />web site. Search for the RFC number
you want to view. The search engine results display the corresponding RFC
title, author, date, and status.</p>
</dd>
<dt class="dlterm"><a href="http://web.mit.edu/kerberos/www/" target="_blank">Kerberos:
The Network Authentication Protocol (V5)</a></dt>
<dd>Massachusetts Institute of Technology's official documentation of the
Kerberos protocol provides programming information and describes features
of the protocol. <img src="www.gif" alt="Link outside of the Information Center" /></dd>
</dl>
</div>
</div>
<div class="section"><h4 class="sectionscenariobar">Generic Security Services
(GSS) APIs</h4><p><a href="../apis/gsslist.htm">Generic
Security Service Application Programmable Interfaces (GSS APIs)</a> provide
security services generically and are supported by a range of security technologies,
like the Kerberos protocol. This allows GSS applications to be ported to different
environments. Because of this reason, it is recommended that you use these
APIs instead of Kerberos APIs. You can write applications that use GSS APIs
to communicate with other applications and clients in the same network. Each
of the communicating applications plays a role in this exchange. Using GSS
APIs, applications can perform the following operations:</p>
<ul><li>Determine another application's user identification.</li>
<li>Delegate access rights to another application.</li>
<li>Apply security services, such as confidentiality and integrity, on a per-message
basis.</li>
</ul>
<strong>GSS API sources</strong><div class="p">Requests for Comments (RFCs) are written definitions
of protocol standards and proposed standards used for the Internet. The following
RFCs may be helpful for understanding the GSS APIs:<dl><dt class="dlterm">RFC 2743</dt>
<dd>In RFC 2743: Generic Security Service Application Program Interface Version
2, Update 1, the Internet Engineering Task Force (IETF) formally defines GSS
APIs.</dd>
<dt class="dlterm">RFC 1509</dt>
<dd>In RFC 1509: Generic Security Service API : C-bindings the Internet Engineering
Task Force (IETF) formally defines GSS APIs.</dd>
<dt class="dlterm">RFC 1964</dt>
<dd>In RFC 1964, The Kerberos Version 5 GSS-API Mechanism, the Internet Engineering
Task Force (IETF) defines Kerberos Version 5 and GSS API specifications.</dd>
</dl>
</div>
<p>To view the RFCs listed above, visit the <a href="http://www.rfc-editor.org/rfcsearch.html" target="_blank">RFC index
search engine</a> located on the <a href="http://www.rfc-editor.org/" target="_blank">RFC editor</a> web site. <img src="www.gif" alt="Link outside of the Information Center" /> Search for the RFC number you want
to view. The search engine results display the corresponding RFC title, author,
date, and status.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakhconcept.htm" title="Network authentication service supports Kerberos protocols and Generic Security Service (GSS) APIs that provide user authentication in a network.">Concepts</a></div>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink