Infrastructure

The CalNet Authentication Web Server (AWS)

Mike Friedman, System and Network Security

The campus people who use your web-based application can now securely identify themselves to your application using the CalNet Authentication Service (http://www.net.berkeley.edu/kerberos/documents/CalAuthDef.html). With this authentication method, you can be assured that your application is interacting with a specific student, staff or faculty member, or affiliate, regardless of where the connection originates (even halfway across the world). And your application need not collect sensitive personal information from users, such as birth dates or Social Security Numbers, in order to identify them.

Overview

The UC Berkeley CalNet system (http://calnet.berkeley.edu/) provides reliable access control (user authentication and authorization) for an increasing number of online campus services. Developers of campus web-based applications can now take advantage of a new facility, the CalNet Authentication Web Server (AWS), to identify their users in a secure manner. The capability of authenticating via the AWS may be added to an existing web application with just a modest effort; information on how to do this, including references to detailed documentation, is provided in this article.

For an overview of the CalNet system as a whole, please see the CalNet Gateway web page (http://calnet.berkeley.edu/).

Definitions

Authentication is the means by which one party ascertains the identity of another. Because of the inherent insecurity of the data communication network (data traffic may be read, or even tampered with, by hostile parties), special mechanisms are required to ensure that the authentication process is a reliable one. For example, merely transmitting cleartext passwords over the network is not an adequate means of proving one's identity. Kerberos, a technology originally developed at MIT, provides for reliable authentication.

For further information about the Kerberos environment at UC Berkeley see the Kerberos V5 at UC Berkeley page (http://www.net.berkeley.edu/kerberos). An overview of the CalNet Authentication Service may be found on the CalNet Authentication Services page (http://www.net.berkeley.edu/kerberos/documents/CalAuthDef.html).

Authorization is the process of deciding which access rights or privileges a particular user should have. This involves determining the attributes or roles of users, once they have been authenticated. The CalNet Directory Service (http://cia.berkeley.edu/directory/about.html) may be used by applications for user authorization.

The CalNet ID is an identifier which is used together with a secret passphrase to prove one's identity when accessing all CalNet-compliant online services. The Kerberos-based CalNet ID is a very secure credential and not just another userid and password. In fact, as more campus online services become CalNet-compliant, the number of different login IDs and passwords that faculty, staff, and students need to remember will decrease.

Students' CalNet IDs are set up as a byproduct of the campus registration process; faculty and staff activate their CalNet IDs after first identifying themselves in person to a departmental CalNet deputy. For a list of CalNet deputies see the CalNet Deputies page (http://uas.berkeley.edu:7355/calnet/deputies.html).

The Authentication Web Server

The AWS brings the CalNet Authentication service to web-based applications. Applications are truly Kerberos-compliant when they have been designed and written to incorporate the Kerberos authentication protocol. But because the integration of Kerberos into many web browsers is still not a reality, campus applications that are web-based cannot uniformly use Kerberos in its intended, fully-functional manner. Accordingly, we have designed a facility, based on what we call web proxy authentication, that takes advantage of most of the security provided by Kerberos, yet requires no modifications to browser (e.g., Netscape or IE) or web server (e.g., Apache or IIS) software. The AWS provides web proxy authentication as a central service to applications that choose to use it.

To make use of the AWS, web-based applications must include a small amount of special code. However, this is straightforward and should not take much effort. A document addressed to application developers explaining how to implement AWS compliance is available at

http://www.net.berkeley.edu/kerberos/documents/AWSAppSetup.html

The basic idea is that the user's CalNet ID and secret passphrase are supplied to the AWS over a secure (SSL) connection and the AWS authenticates to Kerberos on behalf of the user. Using the browser as an "intermediary", the AWS sends information back to the application asserting that the user has been authenticated. The assertion is digitally signed, so the application can be assured that it did, in fact, come from the AWS.
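The exchange just described, as an added illustration that is not code from the article or from the CalNet project: the AWS side issues an assertion after the Kerberos login succeeds, and the application side verifies it before trusting the CalNet ID it carries. The field names, the 300-second lifetime, and the use of an HMAC with a key shared out-of-band are assumptions made so the example runs with the standard library; the real AWS uses a digital signature, which lets the application hold only the AWS public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the AWS signing key (assumption: the real AWS signs
# asymmetrically; a shared HMAC key is used here only so the example runs offline).
AWS_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
ASSERTION_LIFETIME = 300  # seconds; assumed for this example, not stated by the article


def aws_issue_assertion(calnet_id, app_url, now=None):
    """AWS side: after authenticating the user to Kerberos, build a signed assertion.
    The payload fields are assumptions for this example, not the AWS wire format."""
    payload = {
        "calnet_id": calnet_id,
        "app": app_url,  # the application this assertion is meant for
        "issued": int(now if now is not None else time.time()),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(AWS_SIGNING_KEY, body, hashlib.sha256).digest()
    # Both parts are base64-encoded so the token can travel through the browser,
    # which acts only as an intermediary and cannot alter it without detection.
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def app_verify_assertion(token, expected_app_url, now=None):
    """Application side: return the authenticated CalNet ID, or None unless the
    token is a correctly signed, fresh assertion addressed to this application."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(AWS_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # not issued by the AWS, or altered in transit
    payload = json.loads(body)
    if payload.get("app") != expected_app_url:
        return None  # assertion was issued for a different application
    now = now if now is not None else time.time()
    if not (0 <= now - payload["issued"] <= ASSERTION_LIFETIME):
        return None  # stale or future-dated assertion
    return payload["calnet_id"]
```

Only after `app_verify_assertion` returns a CalNet ID should the application consult the CalNet Directory for authorization.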

It is important to understand the motivations for implementing web proxy authentication with a central server (rather than, for example, having each application use proxy Kerberos directly). There are three main considerations:

Keep in mind that truly Kerberos-compliant client-server software (such as an upcoming version of CalAgenda) may also be deployed on campus, providing full Kerberos functionality. Such software, however, would have no need for the AWS, which is all we have addressed in this article.

If you are a campus application developer planning to use the AWS, please get in touch with us at calnet-admin@uclink.Berkeley.EDU and let us know the nature of your application, especially if you also have special requirements with respect to using the CalNet Directory for authorization.


Berkeley Computing & Communications, Volume 11, Number 4 (Fall 2001)
Copyright 2001, The Regents of the University of California