1 Basic Concepts

Chapter Index

1. Kerberos
2. GSS-API
3. Java Implementation

This chapter gives some basic description of Kerberos protocol and GSS-API for the purpose of this article. It does not pretend to be absolutely correct from the point of view of few advance specialists in these issues.

1.1 Kerberos

Kerberos is a network authentication protocol. RFC 1510 defines it as

“... a means of verifying the identities of principals, (e.g., a workstation user or a network server) on an open (unprotected) network. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will.”

Here is an outline of how the protocol works:

• Kerberos authenticate principals. The principal is either a user or a service.
• Each principal is required to have its key registered with the Autentication Server (AS). The key is either a value derived from the user's password, or a random value stored in the keytab file.
• In order to get initially authenticated, the client uses an authentication program, such as kinit, to exchanges some data with AS. Client's principal key is used as an encryption key in this exchange. If the authentication succeeds, the clients obtains a Ticket Granting Ticket (TGT).
• Usually, TGT remains valid for several hours and is stored in the credentials cache. An actual type of the cache (file or memory), its location, and data format may vary among different authentication programs.
• Every time when the client is going to contact some remote service, it requests a ticket from the Ticket Granting Server (TGS) for that service principal, using existing TGT.
• Local credentials (in our case—Kerberos tickets) are forwarded to remote hosts using GSS-API.

More information can be found at:

• RFC 1510: The Kerberos Network Authentication Service (V5).
• Brian Tung. The Moron's Guide to Kerberos.
• Bruce Schneier. Applied Crypography. New York: John Wiley & Sons, 1996.

1.2 GSS-API

Generic Security Service Application Program Interface (GSS-API) is used to work with various mechanisms capable to transfer user credentials from one host to another. RFC 1964 specifies how GSS-API must work for Kerberos.

The goal of GSS is creation of a common security context for two peers. In order to establish the context, two nodes need to perform authentication by exchanging tokens. The authentication can be either mutual, when both nodes present credentials to each other, or non-mutual, when only the client is authenticated to the server.

From the context it is possible to figure out the names of both parties. In addition, if the context has been established through the mutual type of authentication, data exchange between two peers can use several per-message security services, such as: encryption, message integrity codes (MIC), sequence detection, and replay detection.

More information can be found at:

• RFC 1508: Generic Security Service Application Program Interface.
• RFC 1964: The Kerberos Version 5 GSS-API Mechanism.

1.3 Java Implementation

J2SE SDK contains an implementation of Kerberos V5 protocol for authentication and GSS-API starting from the version 1.4.

Kerberos authentication is a part of Java Authentication and Authorization (JAAS) package. It can be done by javax.security.auth.login.LoginContext class with Krb5LoginModule specified in the configuration file. In general, it works (JDK ver. 1.4.2). In reality, you have to adjust your environment, rather then trying to specify how to look for the necessary data on your computer. Implementation of underlying classes sometime is horrible and unflexible. MIT memory cache is not supported.

The principal class of GSS-API is org.ietf.jgss.GSSContext. Kerberos mechanism can be used by specifying proper OID (object identifier). Although the API itself looks quite complicated, its implementation works fine.

For more information, see:

• Mayank Upadhyay, Ram Marti. Single Sign-on Using Kerberos in Java.