== Authentication technologies ==

=== Authentication using symmetric key cryptography ===

The key used for encryption and decryption is the same (or one key is easily derived from the other). A trusted third party is needed to establish the trust relation between the communicating parties. In High Energy Physics, Kerberos4 and '''Kerberos5''' are used. Kerberos4 has security flaws and has been largely replaced by Kerberos5.

==== Kerberos5 ====

Defined in [http://www.ietf.org/rfc/rfc4120.txt RFC4120]; the GSS-API mechanism for Kerberos5 is defined in [http://www.ietf.org/rfc/rfc4121.txt RFC4121].

Currently implemented in three major variants:
* MIT Kerberos
* Heimdal Kerberos
* Windows Kerberos

===== Talks at HEPiX meetings related to Kerberos =====

* BNL (Oct 04) [http://www.rhic.bnl.gov/hepix/talks/041018pm/fasanelli.pdf E.Fasanelli: INFN K5 project]
* Edinburgh (May 04) [http://hepwww.rl.ac.uk/hepix/nesc/friebel.ppt W.Friebel: AFS file space administration with ARC version 2]
* TRIUMF (Oct 03) [http://www.triumf.ca/hepix2003/pres/21-13/efasanelli/ E.Fasanelli: AFS cross cell authentication using Kerberos5]
* NIKHEF (May 03) [http://www.nikhef.nl/hepix/pres/friebel4.ppt W.Friebel: Kerberos5 at DESY]
* INFN (Apr 02) [http://www.ts.infn.it/events//hepix2002/talks/efasanelli1.ppt E.Fasanelli: W2K integration in the Kerberos 5 based AFS cell]
* LAL (Apr 01) [http://events.lal.in2p3.fr/conferences/HEPIX/presentations/Thursday/Skow-FNAL-Security D.Skow: Strong Authentication Report at FNAL]

===== Software with Kerberos Support =====

Usually the software listed below does not come with Kerberos support enabled by default; configuration or recompilation is required in most cases.

* Web servers: IIS, Apache (via the Simple and Protected GSSAPI Negotiation Mechanism, SPNEGO)
* Web clients: Internet Explorer, Mozilla, Firefox
* Mail servers: Cyrus-IMAP, UW-IMAP
* Mail clients: pine, Mozilla, Thunderbird
* Batch systems: SunGridEngine, LSF
* File systems: AFS, NFSv4
* Libraries: PAM, GSSAPI, SASL, Perl modules (Authen-SASL, Authen-Krb5)
* Protocols: Socks5
* Client/server programs: openssh, telnet, ftp, su, arc, arcx

Other UNIX software can be made Kerberos5 aware by using the SASL or GSS-API interfaces.

=== Public key infrastructure ===