Final report and recommendations of the ESnet Authentication Pilot Project

To conduct their work, U.S. Department of Energy (DOE) researchers require access to a wide range of computing systems and information resources outside of their respective laboratories. Electronically communicating with peers over the global Internet has become a necessity for effective collaboration with university, industrial, and other government partners. DOE's Energy Sciences Network (ESnet) needs to be engineered to facilitate this "collaboratory" while ensuring the protection of government computing resources from unauthorized use. Sensitive information and intellectual property must be protected from unauthorized disclosure, modification, or destruction. In August 1993, DOE funded four ESnet sites (Argonne National Laboratory, Lawrence Livermore National Laboratory, the National Energy Research Supercomputer Center, and Pacific Northwest Laboratory) to begin implementing and evaluating authenticated ESnet services using Kerberos Version 5. The purpose of this project was to identify, understand, and resolve the technical, procedural, cultural, and policy issues surrounding peer-to-peer authentication in an inter-organization internet. The investigators have concluded that, with certain conditions, Kerberos Version 5 is a suitable technology to enable ESnet users to freely share resources and information without compromising the integrity of their systems and data. The pilot project has demonstrated that Kerberos Version 5 is capable of supporting trusted third-party authentication across an inter-organization internet and that Kerberos Version 5 would be practical to implement across the ESnet community within the U.S. The investigators made several modifications to the Kerberos Version 5 system that are necessary for operation in the current Internet environment and have documented other technical shortcomings that must be addressed before large-scale deployment is attempted.
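As an added example, not code from the ESnet report or from any Kerberos implementation: a stand-alone Python model of the Kerberos Version 5 trusted third-party exchanges (AS, TGS and AP) carried across two realms, which is the mechanism the pilot evaluated for inter-organization authentication. The realm names (ANL, LLNL), principal names, the stand-in cipher (a SHA-256 keystream with an HMAC tag in place of a Kerberos enctype) and the 300-second clock-skew window are assumptions of the example, not details taken from the report; only the control flow and the checks each party performs are the point.

```python
# Added example, not from the ESnet report: a model of the Kerberos V5 trusted-third-party
# exchanges (AS, TGS, AP) extended across two realms. Realm/principal names, key sizes and
# the SHA-256 keystream cipher are stand-ins (assumptions), not Kerberos wire formats.
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300        # seconds; assumed tolerance for authenticator timestamps
LIFETIME = 8 * 3600     # assumed ticket lifetime

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, msg):
    """Encrypt-then-MAC of a JSON message; stands in for a Kerberos enctype."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def check_authenticator(ticket, auth, now):
    """Checks every ticket-accepting party performs before trusting a client name."""
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator client does not match ticket")
    if now >= ticket["exp"]:
        raise ValueError("ticket expired")
    if abs(now - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside clock skew")

class KDC:
    """One realm's AS + TGS: holds each local principal's long-term key and, per peer
    realm, the inter-realm krbtgt key it shares with that realm's KDC."""
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, dict(keys)
    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: TGT under krbtgt's key, session key under the client's key."""
        body = {"client": client, "skey": os.urandom(32).hex(), "exp": now + LIFETIME}
        return seal(self.keys[f"krbtgt/{self.realm}@{self.realm}"], body), seal(self.keys[client], body)
    def tgs_exchange(self, tgs_principal, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP. tgs_principal names the key the presented TGT is sealed under:
        krbtgt/A@A for a local TGT, krbtgt/B@A for a cross-realm TGT that A issued for B.
        Requesting service krbtgt/B@A is how a client obtains that cross-realm TGT."""
        t = unseal(self.keys[tgs_principal], tgt)
        check_authenticator(t, unseal(bytes.fromhex(t["skey"]), authenticator), now)
        body = {"client": t["client"], "skey": os.urandom(32).hex(), "exp": min(t["exp"], now + LIFETIME)}
        return seal(self.keys[service], body), seal(bytes.fromhex(t["skey"]), body)

class Client:
    def __init__(self, name, password):
        self.name, self.key, self.creds = name, string_to_key(password, name), {}
    def authenticator(self, skey, now):
        return seal(skey, {"client": self.name, "ts": now})
    def login(self, kdc, now):
        tgt, enc = kdc.as_exchange(self.name, now)   # only the password holder can read enc
        self.creds[f"krbtgt/{kdc.realm}@{kdc.realm}"] = (tgt, bytes.fromhex(unseal(self.key, enc)["skey"]))
    def get_ticket(self, kdc, tgs_principal, service, now):
        tgt, skey = self.creds[tgs_principal]
        ticket, enc = kdc.tgs_exchange(tgs_principal, tgt, self.authenticator(skey, now), service, now)
        self.creds[service] = (ticket, bytes.fromhex(unseal(skey, enc)["skey"]))
        return ticket

class Service:
    """Application server: knows only its own key, never the client's password."""
    def __init__(self, key):
        self.key, self.seen = key, set()
    def ap_exchange(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        check_authenticator(t, auth, now)
        if (auth["client"], auth["ts"]) in self.seen:   # replay cache covering the skew window
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return t["client"]

def cross_realm_demo(now=None):
    """alice@ANL reaches host/hpc@LLNL: home KDC -> cross-realm TGT -> remote KDC -> service."""
    now = int(now if now is not None else time.time())
    inter_realm, hpc_key = os.urandom(32), os.urandom(32)   # krbtgt/LLNL@ANL is held by both KDCs
    kdc_anl = KDC("ANL", {"krbtgt/ANL@ANL": os.urandom(32), "krbtgt/LLNL@ANL": inter_realm,
                          "alice@ANL": string_to_key("correct horse", "alice@ANL")})
    kdc_llnl = KDC("LLNL", {"krbtgt/LLNL@LLNL": os.urandom(32), "krbtgt/LLNL@ANL": inter_realm,
                            "host/hpc@LLNL": hpc_key})
    hpc, alice = Service(hpc_key), Client("alice@ANL", "correct horse")
    alice.login(kdc_anl, now)
    alice.get_ticket(kdc_anl, "krbtgt/ANL@ANL", "krbtgt/LLNL@ANL", now)            # cross-realm TGT
    ticket = alice.get_ticket(kdc_llnl, "krbtgt/LLNL@ANL", "host/hpc@LLNL", now)  # remote service ticket
    skey = alice.creds["host/hpc@LLNL"][1]
    auth = alice.authenticator(skey, now)
    results = {"client": hpc.ap_exchange(ticket, auth, now)}
    for label, a in (("replay", auth), ("skew", alice.authenticator(skey, now + 2 * CLOCK_SKEW))):
        try:
            hpc.ap_exchange(ticket, a, now)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

Running `cross_realm_demo()` walks the full path: the client's password is used once, to unseal the AS reply, and is never seen by either KDC's ticket-granting path or by the service; the LLNL KDC accepts a TGT it did not issue only because it holds the same inter-realm key as the ANL KDC, which is the trust relationship each pair of cooperating sites must establish; and the service's authenticator checks show where the dependency on synchronized clocks and a replay cache enters, since a captured authenticator is rejected on replay and one whose timestamp is outside the skew window is rejected outright.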
