A case of identity: Kerberos
Question for our time: Who are you, and can you prove it?
Issue for our time: Achieving a balance
between freedom and security.
Increasingly, the computing solution for
these questions in these times is
Kerberos, a system of "strong
authentication" for computer users
invented at the Massachusetts Institute
of Technology, and already operating
at many universities and several
Department of Energy national
laboratories. The list includes Fermilab,
which adopted Kerberos for the CDF
and DZero experiment collaboration
computers during the past year, with a
goal of extending the protection to the
entire site by the end of 2001.
But the team responsible for adapting and implementing Kerberos at
Fermilab is emphatic about the balance point between freedom and
"If we do something a little differently and there's a real security
benefit, that's OK," said Matt Crawford, who is managing the
installation. "But if it means people can't work together, then that's
not OK. The primary goal is to allow the work of science."
Irwin Gaines agreed.
"Fermilab must maintain an open collaborative environment,
otherwise there is no science," said Gaines, who has led tutorial
workshops introducing lab employees to the ins and outs of the
coming system. "Kerberos is a way to make sure we know who
uses Fermilab computers. It's a procedure that makes sense for our
Kerberos strives for the best balance between security and freedom
by addressing the question of identity, and attempting to prevent
identity theft. Kerberos establishes proof of identity ("user
authentication") through cryptographic calculations at local
computers, with a central server validating the proof: the user's
password is turned into a key on the user's own machine, that key
encrypts the proof, and the central server checks the proof and
issues a ticket without ever receiving the password itself. Kerberos
thus keeps passwords from being transferred over networks, where
they are vulnerable to "sniffers," programs that watch for passwords
going by, and harvest them for identity theft. Unfortunately, sniffers
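The exchange described above, worked through as an added example. This is not Fermilab's or MIT's code: real Kerberos uses ASN.1-encoded messages and standardized encryption types, and the HMAC-SHA256-based cipher, the principal name, the password and the eight-hour ticket lifetime here are all stand-ins chosen so the example runs on the Python standard library alone. It models the initial login (the AS exchange) with encrypted-timestamp pre-authentication: the client derives a key from the password locally and encrypts the current time with it; the Key Distribution Center validates that proof and answers with a ticket; a sniffer on the path sees only ciphertext.

```python
"""Toy model of a Kerberos initial login (the AS exchange) with
encrypted-timestamp pre-authentication.  Added illustration, not
Fermilab's or MIT's code: real Kerberos uses ASN.1-encoded messages and
standardized encryption types; the HMAC-SHA256 construction here is a
stand-in so the example runs on the Python standard library alone."""
import hashlib
import hmac
import json
import os
import time

MAX_SKEW_SECONDS = 300   # KDC rejects pre-authentication timestamps older than this


def password_key(principal: str, password: str) -> bytes:
    """Long-term key derived from the password on the user's own machine.
    The KDC stores this key, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: HMAC counter-mode stream plus an HMAC tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the message was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class KDC:
    """Key Distribution Center: holds every user's long-term key and its own
    ticket-granting key.  It never sees a password."""

    def __init__(self):
        self.keys = {}
        self.tgs_key = os.urandom(32)

    def enroll(self, principal: str, password: str) -> None:
        self.keys[principal] = password_key(principal, password)

    def as_exchange(self, as_req: dict) -> dict:
        key = self.keys[as_req["cname"]]
        # The proof is a timestamp the client encrypted locally under its
        # password-derived key.  A wrong password makes decrypt() fail; a
        # captured request replayed later fails the freshness check.
        timestamp = int(decrypt(key, as_req["pa_enc_timestamp"]).decode())
        if abs(time.time() - timestamp) > MAX_SKEW_SECONDS:
            raise PermissionError("pre-authentication failed: stale timestamp")
        session_key = os.urandom(32)
        ticket = encrypt(self.tgs_key, json.dumps({"cname": as_req["cname"],
                         "key": session_key.hex(), "expires": timestamp + 8 * 3600}).encode())
        enc_part = encrypt(key, json.dumps({"key": session_key.hex(),
                                            "nonce": as_req["nonce"]}).encode())
        return {"ticket": ticket, "enc_part": enc_part}


def client_login(kdc: KDC, principal: str, password: str, now=None) -> dict:
    """Client side.  Returns the credentials plus both wire messages so a
    'sniffer' can inspect exactly what crossed the network."""
    key = password_key(principal, password)        # computed locally, never sent
    nonce = os.urandom(8).hex()
    timestamp = str(int(time.time() if now is None else now)).encode()
    as_req = {"cname": principal, "nonce": nonce, "pa_enc_timestamp": encrypt(key, timestamp)}
    as_rep = kdc.as_exchange(as_req)               # the only round trip
    enc_part = json.loads(decrypt(key, as_rep["enc_part"]))
    if enc_part["nonce"] != nonce:
        raise ValueError("AS-REP does not answer our request")
    return {"ticket": as_rep["ticket"], "session_key": bytes.fromhex(enc_part["key"]),
            "wire": [as_req, as_rep]}


def ticket_principal(kdc: KDC, ticket: bytes) -> str:
    """What the ticket-granting side does with a presented ticket: decrypt it
    under the KDC's own key and read the authenticated identity."""
    return json.loads(decrypt(kdc.tgs_key, ticket))["cname"]


def sniffer_sees(wire: list, secret: str) -> bool:
    """Everything a network sniffer captures is the raw content of both
    messages.  True only if the secret appears in them in the clear."""
    captured = b"".join(v if isinstance(v, bytes) else str(v).encode()
                        for msg in wire for v in msg.values())
    return secret.encode() in captured
```

Two things worth noticing when running it: the principal name does cross the network in the clear (Kerberos authenticates the user, it does not hide who is logging in), and the only anti-replay measure in this toy is the clock-skew window, whereas a production KDC also keeps a replay cache of recently seen pre-authentication data.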
"The nature of the Internet has changed," Gaines said. "The number
of people breaking into computers, not just Fermilab computers but
computers all over the world, has grown exponentially. A person who
has stolen an identity can then log into a computer and assume that
identity. Because Fermilab computers are used by people all over
the world, users have to log in from a remote site. If they're typing a
password over the network, that password can be grabbed off the
network at any point."
Since an individual identity is precious, Gaines has cautioned his
workshop audiences to "treat your Kerberos password as a sacred
object. Don't write it down on a sticky and attach it to your computer
screen. Don't write it down, anywhere." In addition, a Kerberos
password must be different from any other password that an
Kerberos acts as a gatekeeper for access to certain high-priority
services, while leaving lower-priority services alone. There will be
two access routes, via software or cryptocard. The first route
involves installing software on a desktop computer so a user can
prove a Kerberos identity locally. The desktop exchanges
information with the Key Distribution Center, which issues a
ticket the user can then present to computers anywhere in the lab.
The alternate route involves a cryptocard, a hand-held device that
produces a one-time password. A user who cannot prove a Kerberos
identity locally is given a cryptocard challenge; the card's answer
to that challenge is a password good for a single login.
"So even if it's seen," Gaines said, "it does no good because it's
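The cryptocard route, worked through as an added example (not Fermilab's or the card vendor's code; the page does not give the card's actual algorithm, so a truncated HMAC-SHA256 response, an eight-hex-digit challenge and a two-minute challenge lifetime stand in for it). The server issues a fresh random challenge for each login, the card computes the response from a secret that never leaves it, and the server accepts each challenge exactly once, so a response captured off the network is useless a second time.

```python
"""Toy model of a challenge/response one-time-password login.  Added
illustration, not Fermilab's or any card vendor's code: the real card's
algorithm is not given on the page, so truncated HMAC-SHA256 stands in."""
import hmac
import secrets
import time

RESPONSE_DIGITS = 8            # assumed display width of the card
CHALLENGE_TTL_SECONDS = 120    # assumed: a challenge left unanswered this long expires


def card_response(card_secret: bytes, challenge: str) -> str:
    """What the hand-held card computes from its secret and the challenge the
    login screen shows.  The secret itself never leaves the card."""
    digest = hmac.new(card_secret, challenge.encode(), "sha256").digest()
    value = int.from_bytes(digest[:8], "big") % 10 ** RESPONSE_DIGITS
    return str(value).zfill(RESPONSE_DIGITS)


class ChallengeServer:
    """Server side: knows each user's card secret, issues one challenge per
    login attempt and lets each challenge be answered exactly once."""

    def __init__(self):
        self.card_secrets = {}
        self.outstanding = {}       # user -> (challenge, time issued)

    def enroll(self, user: str, card_secret: bytes) -> None:
        self.card_secrets[user] = card_secret

    def challenge(self, user: str) -> str:
        """Random challenge the user types into the card.  Replaces any
        earlier unanswered challenge for that user."""
        c = secrets.token_hex(4).upper()
        self.outstanding[user] = (c, time.time())
        return c

    def verify(self, user: str, response: str) -> bool:
        # Consume the challenge first, whether or not the answer matches:
        # a sniffed response can never be replayed, and an attacker gets
        # one guess per challenge rather than unlimited tries.
        entry = self.outstanding.pop(user, None)
        if entry is None:
            return False
        c, issued = entry
        if time.time() - issued > CHALLENGE_TTL_SECONDS:
            return False
        expected = card_response(self.card_secrets[user], c)
        return hmac.compare_digest(expected, response)
```

The assertions below act out the sniffer's position: the same response submitted twice fails, and so does a captured response offered against a later challenge.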
Crawford, who Gaines said originated much of the plan, also
created the innovation of having the cryptocard challenge available
site-wide. The cryptocard allows access from any computer on site,
any home computer, any traveling computer, as long as the user
brings the cryptocard along.
The Kerberos team, which has been operating for more than a year
and a half, includes Randy Reitz and Frank Nagy of the Computing
Department. Tom Nash and Computing Division Head Matthias
Kasemann act jointly as Computer Security Executive, reporting
directly to Fermilab Director Michael Witherell. Dane Skow is head
of the Fermilab Computer Security team, and deputy to Nash and
Kasemann. Crawford is Fermilab Computer Security Coordinator
and project manager. Gaines is deputy FCSC for the general
security domain and for training and education, while Donna Dyxon is
deputy FCSC for government and DOE liaison.
The lab also has what Gaines described as a "volunteer fire
department," the Fermilab Computer Incident Response Team.
Volunteers from many areas of the lab take turns being on call to
"put out fires," providing the first line of defense against unauthorized
access. Don Petravic is about to replace Skow as head of FCIRT.
Crawford admitted that Kerberos won't plug every hole, but pointed
to its widespread acceptance through its adoption by vendors
including Microsoft, Sun, Cisco, IBM and many others. In addition,
the goal for the security system is to maintain openness and
minimize disruptions in communicating scientific information.
"It's like putting all our eggs in one carefully designed, well-secured
basket," Crawford said. "Any system bugs or intruders can break
one egg, but we're pretty sure they can't get the whole basket."
by Mike Perricone
On the Web:
Kerberos at Fermilab http://www.fnal.gov/docs/strongauth