Next-Gen Solution: SSO via Kerberos and Smart Cards

There are alternatives to using passwords for authentication and one is smart cards. Since the Kerberos authentication protocol does not use passwords, smart card logins to Microsoft Windows via Active Directory can leverage Kerberos to achieve single sign-on. Because it is not sending passwords over the network, Kerberos provides an additional layer of security.

End-users can achieve single sign-on to their applications after logging in with their smart cards to Microsoft Windows. They would just insert their smart card into the card reader to log into their Windows desktop, then Windows would prompt them for their PIN, which is used to authenticate them against Active Directory. When the end-user launches their applications, Kerberos authentication would interface with an Active Directory domain controller (acting as a KDC/Key Distribution Center) to obtain an encrypted service ticket for the server they wish to access.

As a result, end-users would no longer need to remember or be prompted for their applications’ passwords; all they would need to authenticate is their smart card and PIN. If a smart card is lost, it would be replaced in one step. If a PIN is forgotten, it could be retrieved through self-service PIN recovery functionality that might employ a set of challenge questions and answers. In effect, the headache of manually replacing or recovering passwords would be eliminated.

Using smart card authentication with Kerberos benefits organizations because they would be able to put an end to the use of passwords as well as forgotten password scenarios. They would also have stronger authentication from using Kerberos and the added protection it provides by mutually authenticating the end-user and server they are accessing.

The Client-Side Versus Server-Side Debate

Some security solutions are installed and managed client-side, right on the users’ desktops, while others reside on the server. Depending on the size of your company, the resources available for managing product deployments and the needs of your user base, it may be imperative for your team to go with one type of install over another. Here are the considerations:

Client-side deployments:

  • The application needs to be installed on each user’s workstation
  • Better for smaller organizations
  • Integrates with existing password change procedures (no training user to “go to this Website, click this link…”)
  • Allows for richer functionality (a server-side product is not notified of events on user machines, such as logins, logouts, password changes, and screen saver unlocks, and thus cannot influence them)
  • Does not require network connectivity, e.g., allows for offline recovery of password

Server-side deployments:

  • There is a one-time, single install
  • No end-user involvement
  • Best option for larger organizations
  • Best option for organizations with remote users
  • Program updates only need to be performed on the server(s)
  • Program updates do not need to be tested on numerous client configurations (combinations of hardware and software can get very large)
  • If admin credentials are required for the software (e.g., to unlock accounts), they are located on the server(s) and can thus be better protected

What type of deployment would work best for you and your organization? Feel free to respond to this post and tell us your thoughts.

Strengthening Authentication to Adapt to Changing Circumstances

The growing number of enterprise applications, an increasing need for globally-based users to access systems, and employees working 24/7 in remote locations have created the security challenges that IT administrators are seeing in today’s corporate environment:

  • Ensuring only authorized individuals have access to specific data and systems
  • Diminishing the risk of data exposure and network attacks
  • Corporate mandates to employ security best practices
  • Increased government and industry standards for data and IT security
  • Multiple passwords for end-users to remember (and forget or lose)
  • Increased number of unique password stores and sets of password policies to manage

Securing the authentication process is a major step toward securing the enterprise; however, you want to ensure that the process maintains end-user productivity, avoids increasing Help Desk calls, and incorporates best practices such as stronger authentication, login restrictions and password security rules. So, what would be the right solution for securing authentication? The “right solution” should possess the following characteristics:

  • Appropriateness for the level of risk posed by your IT environment;
  • Scalability to accommodate growth;
  • Interoperability with existing systems and future plans;
  • Auditing and reporting capabilities; and
  • Adequacy in light of changing risks, such as the evolving sophistication of compromise techniques.

We’ll have more on this subject in later posts, but please tell us if there are any characteristics that should be added to this list.

Kerberos Authentication Protocol: An Added Layer of Security

When Kerberos authentication is employed, no passwords are sent over the network and the user and server are mutually authenticated, which defeats rogue servers and malicious programs that try to impersonate the legitimate server in order to obtain the user’s private information.

Originally developed at and used by the Massachusetts Institute of Technology (MIT), Kerberos has become the foundation for authentication in Windows operating systems since Microsoft implemented it as the default authentication mechanism in Windows 2000. Kerberos requires connectivity to a central Key Distribution Center (KDC), which, in Windows, is any Microsoft Active Directory domain controller. Users authenticate to the KDC, requesting encrypted service tickets for the specific service they wish to use (e.g. Web servers). Only the service and the KDC can decrypt the service ticket to get the user’s authentication information. The service trusts the credentials in the service ticket because it knows the ticket could only be created by the KDC and thus recognizes the user must have been authenticated by the KDC in order to receive the ticket.

Because it is integrated with Windows and Active Directory, Kerberos authentication is ideal for achieving single sign-on: users on Windows 2000, XP and Vista simply log on to a Windows domain once at the start of their workday. When the user then wants to access a server that uses Kerberos authentication, their browser retrieves the service ticket from the KDC and sends it to the server automatically.
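The following script is an added example and is not PistolStar’s or Microsoft’s code. It models the three Kerberos exchanges described in the smart card post above and in this one: the client proves possession of its long-term key to the KDC and receives a ticket-granting ticket (AS exchange), presents that TGT to obtain a service ticket (TGS exchange), and hands the service ticket plus a fresh authenticator to the server, which answers with an AP reply that lets the client verify the server in turn (AP exchange). A small HMAC-SHA256 encrypt-then-MAC construction stands in for the real Kerberos encryption types so that the script runs on the Python standard library alone; the principal names, keys and lifetimes are constructed, and the user key is a stand-in for the credential that the PIN unlocks on the smart card. No password ever crosses the simulated network, the client cannot read the service ticket it carries, and a server that lacks the service’s long-term key cannot open the ticket or produce a valid reply.

```python
# Toy model of the Kerberos AS, TGS and AP exchanges. Added example, not PistolStar's or
# Microsoft's code; an HMAC-SHA256 construction replaces the real Kerberos encryption types.
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed value)
CLOCK_SKEW = 300      # Kerberos rejects authenticators more than five minutes off

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct)))))

def authenticator(key: bytes, client: str) -> bytes:
    """Proof of key possession: client name and a fresh timestamp sealed under the key."""
    return seal(key, {"client": client, "ts": time.time()})

def _check(key: bytes, auth_blob: bytes, client: str) -> dict:
    auth = unseal(key, auth_blob)
    if auth["client"] != client or abs(time.time() - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator rejected")
    return auth

def _open_ticket(key: bytes, blob: bytes) -> dict:
    ticket = unseal(key, blob)
    if ticket["expires"] < time.time():
        raise ValueError("ticket expired")
    return ticket

class KDC:
    """The AS and TGS roles that a domain controller plays."""

    def __init__(self, keys: dict):
        self.keys = dict(keys, krbtgt=os.urandom(32))  # long-term keys of users and services

    def as_exchange(self, client: str, preauth: bytes) -> dict:
        """AS-REQ with timestamp pre-authentication -> AS-REP (TGT plus session key)."""
        _check(self.keys[client], preauth, client)
        sk = os.urandom(32).hex()
        tgt = {"client": client, "key": sk, "expires": time.time() + LIFETIME}
        return {"tgt": seal(self.keys["krbtgt"], tgt), "enc_part": seal(self.keys[client], {"key": sk})}

    def tgs_exchange(self, tgt_blob: bytes, auth_blob: bytes, service: str) -> dict:
        """TGS-REQ -> TGS-REP: a service ticket that only the service and the KDC can open."""
        tgt = _open_ticket(self.keys["krbtgt"], tgt_blob)
        tgt_key = bytes.fromhex(tgt["key"])
        _check(tgt_key, auth_blob, tgt["client"])
        sk = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "key": sk, "expires": time.time() + LIFETIME}
        return {"ticket": seal(self.keys[service], ticket), "enc_part": seal(tgt_key, {"key": sk})}

def service_accept(service_key: bytes, ticket_blob: bytes, auth_blob: bytes) -> tuple:
    """AP-REQ on the server: open the ticket with the service's own long-term key, verify
    the authenticator, and return (client, AP-REP) so the client can verify the server too."""
    ticket = _open_ticket(service_key, ticket_blob)
    sk = bytes.fromhex(ticket["key"])
    auth = _check(sk, auth_blob, ticket["client"])
    return ticket["client"], seal(sk, {"ts": auth["ts"]})

def _rejected(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True

def demo() -> dict:
    """One logon: user_key stands in for the credential the PIN unlocks on the smart card."""
    user_key, web_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": user_key, "HTTP/intranet": web_key})    # constructed principals
    as_rep = kdc.as_exchange("alice", authenticator(user_key, "alice"))
    tgt_key = bytes.fromhex(unseal(user_key, as_rep["enc_part"])["key"])
    tgs_rep = kdc.tgs_exchange(as_rep["tgt"], authenticator(tgt_key, "alice"), "HTTP/intranet")
    sk = bytes.fromhex(unseal(tgt_key, tgs_rep["enc_part"])["key"])
    auth = authenticator(sk, "alice")
    who, ap_rep = service_accept(web_key, tgs_rep["ticket"], auth)
    return {
        "server_sees": who,                          # learned from the ticket, no password sent
        "client_can_read_ticket": not _rejected(lambda: unseal(tgt_key, tgs_rep["ticket"])),
        "mutual_auth": unseal(sk, ap_rep)["ts"] == unseal(sk, auth)["ts"],
        "impostor_rejected": _rejected(lambda: service_accept(os.urandom(32), tgs_rep["ticket"], auth)),
    }
```

Running `demo()` returns `server_sees` as `"alice"`, `client_can_read_ticket` as `False`, `mutual_auth` as `True` and `impostor_rejected` as `True`. The timestamp-and-skew check in `_check` is what stops a captured authenticator from being replayed hours later, and the AP reply echoing the authenticator's timestamp under the session key is the mutual-authentication step the post refers to: only a server holding the service's long-term key can recover that session key from the ticket.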

(PistolStar is a founding sponsor of the MIT Kerberos Consortium)

Strong Authentication: Not Just a Buzz Word

Maintaining control over who gains access to the networks in your enterprise has become of even greater concern than ever before. Requiring authentication with just memorized passwords can prove to be inadequate in certain circumstances or in industries that deal with highly sensitive data. This is where strong authentication comes in.

Strong authentication is the use of more than one factor to authenticate and gain access to the enterprise. Organizations imposing strong authentication may require either two-factor or multi-factor authentication. A password can be one of the factors, which may also include a PIN, token, smart card, or a biometric identifier (e.g. a fingerprint or retinal pattern). With strong authentication, organizations eliminate the vulnerabilities of using passwords alone and gain a higher level of assurance their networks are protected from unauthorized access.

We suggest checking out the guidance on strong authentication in Internet banking from the Federal Financial Institutions Examination Council. Its guidance on the subject is relevant to all industries.

What is the Future of Password Authentication?

We know all too well the security issues related to passwords, the most notable being users with multiple passwords jotting them on notes left in plain sight in their cubicles. Even though password authentication solutions have become more sophisticated, providing single sign-on and password synchronization, the security drawbacks of password-based authentication methods have more noticeably reared their heads in recent years, mainly because hackers have become more clever and devised other ways to obtain, guess or crack passwords and gain access.

The main issue with password authentication is that it involves a single factor — the password — for gaining access. “Strong” authentication involves more than one factor (two-factor or multi-factor authentication). Those factors should be drawn from two or all three of the following categories: something the user knows (password, PIN), something the user has (smart card, token), and something the user is (a biometric characteristic such as a fingerprint). With two or three factors in play, an authentication method is harder to compromise.

Adoption of two-factor and multi-factor authentication methods has been slow, so it remains to be seen what the authentication methodology trend will be going down the road. Authentication solutions are currently available that boost the security of passwords by enforcing strict password policies, employing site keys, and incorporating Kerberos, which provides the added protection of mutually authenticating the end-user and the server to which they are seeking access. As organizations tighten their belts during the current economic downturn, will they invest in the latter, more cost-efficient solutions rather than the more costly multi-factor authentication methods?