Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Central trusted authority provides computer authentication
Reexamination Certificate
1998-09-04
2002-06-11
Barron, Jr., Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Central trusted authority provides computer authentication
C713S152000
Reexamination Certificate
active
06405312
ABSTRACT:
BACKGROUND OF THE INVENTION
In present day networks and computer systems, the need for privacy and proper authentication of the network and computer Users is one of the foremost areas of concern. The Kerberos security system is generally used today as a developing standard for authenticating network Users, and is often used in the UNIX community and in the Unisys ClearPath systems where it is useful because it functions in a multi-vendor network and does not require the transmission of passwords over the network.
Kerberos operates to authenticate Users, that is to say, it determines if a User is a valid User. It does not provide other security services such as audit trails. Kerberos authentication is based on “passwords” and does not involve physical location or smart cards.
In order to implement Kerberos in a system, each computer in a network must run the Kerberos software. Kerberos works by granting a “ticket”, which ticket is honored by all of the network computers that are running the Kerberos protocol. The tickets are encrypted, so that passwords never go over the network in “clear text” and the Users do not need to enter their password when accessing a different computer.
Since Kerberos often has to run on every single computer in a network, it can present a problem for potential Users: considerable effort and time may be needed to port Kerberos to each different hardware platform in the network. Kerberos users therefore tended to be large networks staffed with extensive expertise. Because such resources were not generally available to smaller networks, which normally could not justify the cost and expense, it was sometimes difficult to make Kerberos available to them.
Kerberos networks are involved with the type of systems designated as “symmetric crypto-systems”. One type of symmetric crypto-system is called the “Kerberos Authentication System”. This type of system was discussed and published on the Internet by J. T. Kohl and D. C. Neuman in an article entitled “The Kerberos Network Authentication Service”, which was published in September 1993 as Internet RFC 1510.
Kerberos uses symmetric key crypto-systems as a primitive and often uses the Data Encryption Standard (DES) as an inter-operability standard. Kerberos has been adopted as the basis for the security service of the Open Software Foundation's (OSF) Distributed Computing Environment (DCE). Kerberos was designed to provide authentication and key-exchange, but was not particularly designed to provide digital signatures.
Networks therefore require systems and methods for securing communications which allow one User to authenticate itself to another User; in addition, they often require systems which allow digital signatures to be placed on a message, in order to provide for non-repudiation.
Kerberized environments involve the transmittal of messages, for example from a server to a client, which raises several major problems in these networks. These problems concern how to perform any number of useful functions in the Kerberos environment, which may require unusual and flexible types of command structures.
The present disclosure involves the provision of a new User interface on a Unisys ClearPath NX Server, which then permits Users to perform many flexible Kerberos functions. Additionally, the User interface also permits the User to take advantage of certain networking security products of the Unisys ClearPath NX Server which provide a more secure network logon process.
SUMMARY OF THE INVENTION
A Kerberos Domain is provided whereby a client-user may communicate with a specialized client server and a Kerberos Server. The client server (ClearPath Server) provides a Menu-Assisted Resource Control program (MARC) which enables client requests to access a Kerberos Support Library via a Directive Interface. The client server 13 has a Universal Data Port 15 which communicates with a Kerberos Server 20. The Kerberos Server has a Key Distribution Center 22, a Key Table File 26K, a Kerberos Administrative Module 24, and a Kerberos Database 28, which provide information and data to the Client Server 13, which has a configuration file 42, a Key Table File 26C, an Encryption Library 32, a UserData Module 36, a General Security Service Application Program Interface Support Library 38 and the Master Control Program 60, all of which interconnect to the Kerberos Support Library 34.
The present method and system provides for the creation and implementation of a series of User commands to the Kerberos networks which allow the User to execute a variety of necessary functions, whereby the User's request will be responded to by the Client Server Unit 13.
The flexible User functions give the client-user the ability to inquire as to the list of Kerberos commands available, to inquire about and change the clock skew value, to inquire about and change the Debug options, to obtain a ticket granting ticket, to destroy the client-user's previously active tickets, to inquire about and/or manipulate a Key Table file, to find the principals in the Key Table file, to load and extract information from a Key Table file, to list the ticket granting tickets residing in the client-user's ticket cache, to load a configuration file into memory, to change the User's Principal Kerberos password in the Kerberos database, to add a User's ID to the Kerberos database, to inquire as to a Realm Name, and to change an option designated as the Re-play Detection Option.
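The Kerberos flow the background describes (a Key Distribution Center issuing an encrypted ticket while the password never leaves the client) together with the clock skew and Re-play Detection options listed above, as an added, constructed example that is not part of the patent or of Unisys' implementation. The realm, principal and password are made up, the cipher is an HMAC-SHA256 stand-in for DES, and the message layout is a simplification of the RFC 1510 AS and TGS exchanges:

```python
"""Toy Kerberos-style ticket exchange (constructed example; stdlib only, HMAC-SHA256 stand-in cipher, not DES)."""
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300  # tolerated clock skew in seconds (assumed default; the text makes it configurable)

def derive_key(password, principal):  # string-to-key stand-in: long-term key from password + name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(key, plaintext):  # encrypt-then-MAC under a fresh nonce: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # verify the tag before decrypting; a wrong key fails here
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:  # Kerberos Server side: principal database, Key Distribution Center, replay cache
    def __init__(self, realm):
        self.realm, self.db, self.seen = realm, {}, set()  # db: principal -> long-term key
        self.tgs_key = os.urandom(32)                      # key that seals every TGT

    def add_principal(self, name, password):
        self.db[name] = derive_key(password, f"{name}@{self.realm}")

    def as_exchange(self, req):
        """AS-REQ carries only a name; the AS-REP is useless without the client's key."""
        key, now = self.db[req["client"]], int(time.time())  # KeyError: unknown principal
        session = os.urandom(32).hex()
        tgt = {"client": req["client"], "session": session, "endtime": now + 8 * 3600}
        return {"tgt": seal(self.tgs_key, json.dumps(tgt).encode()),
                "enc_part": seal(key, json.dumps({"session": session}).encode())}

    def tgs_exchange(self, tgt, authenticator):
        """TGS-REQ: open the TGT, bind the authenticator to it, enforce skew and replay rules."""
        body = json.loads(unseal(self.tgs_key, tgt))
        auth = json.loads(unseal(bytes.fromhex(body["session"]), authenticator))
        now = int(time.time())
        if now > body["endtime"]:
            raise PermissionError("ticket expired")
        if auth["client"] != body["client"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(now - auth["timestamp"]) > CLOCK_SKEW:
            raise PermissionError("clock skew exceeded")
        marker = (auth["client"], auth["timestamp"], auth["nonce"])
        if marker in self.seen:
            raise PermissionError("replay detected")
        self.seen.add(marker)
        return {"client": auth["client"], "service": auth["service"]}  # service ticket stand-in

class Client:  # the only place the password is ever used
    def __init__(self, name, password, realm):
        self.name, self.key = name, derive_key(password, f"{name}@{realm}")
        self.cache = {}  # ticket cache

    def kinit(self, kdc):
        rep = kdc.as_exchange({"client": self.name})          # no password on the wire
        enc = json.loads(unseal(self.key, rep["enc_part"]))  # wrong password -> ValueError
        self.cache = {"tgt": rep["tgt"], "session": bytes.fromhex(enc["session"])}

    def authenticator(self, service, timestamp=None):
        msg = {"client": self.name, "service": service, "nonce": os.urandom(8).hex(),
               "timestamp": int(time.time()) if timestamp is None else timestamp}
        return seal(self.cache["session"], json.dumps(msg).encode())

    def kdestroy(self):
        self.cache.clear()

def demo():
    """One successful exchange plus the failure modes; returns the outcomes as a dict."""
    kdc = KDC("NX.EXAMPLE")  # constructed realm, principal and password
    kdc.add_principal("alice", "correct horse battery")
    alice = Client("alice", "correct horse battery", kdc.realm)
    alice.kinit(kdc)
    auth = alice.authenticator("host/nxserver")
    out = {"service": kdc.tgs_exchange(alice.cache["tgt"], auth)["service"]}
    stale = alice.authenticator("host/nxserver", int(time.time()) - CLOCK_SKEW - 60)
    for label, probe in (("replay", auth), ("skew", stale)):
        try:
            kdc.tgs_exchange(alice.cache["tgt"], probe)
            out[label] = "accepted"
        except PermissionError as e:
            out[label] = str(e)
    try:
        Client("alice", "wrong password", kdc.realm).kinit(kdc)
        out["bad_password"] = "accepted"
    except ValueError:
        out["bad_password"] = "rejected"
    alice.kdestroy()
    out["tickets_after_kdestroy"] = len(alice.cache)
    return out
```

Calling demo() returns one successful service request followed by three refusals: a replayed authenticator, an authenticator outside the skew window, and a client holding the wrong password, which fails locally because it cannot open the AS reply. Widening CLOCK_SKEW or skipping the replay cache shows why the text treats both as security options rather than conveniences.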
REFERENCES:
patent: 5032979 (1991-07-01), Hecht et al.
patent: 5455953 (1995-10-01), Russell
Kerberos V5 Installation Guide. Massachusetts Institute of Technology (Copyright 1985-1999 and 1983) and OpenVision Technologies, Inc. (Copyright 1996) [retrieved on Dec. 12, 2000]. Retrieved from the Internet: <URL: www.helpdesk.umd.edu/linux/security/install>.
Kerberos Commands. Cisco Systems Inc. Copyright 1989-1997 [retrieved on Dec. 12, 2000]. Retrieved from the Internet: <URL: www.ieng.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_r/srprt2/sr_kerb.htm>.
Unix Kerberos Commands. Doug Engert, dated Jan. 22, 1997, revised Feb. 6, 1997 [retrieved on Dec. 12, 2000]. Retrieved from the Internet: <URL: www.anl.gov/ECT/DCE/unixcmd.html>.
Barron Jr. Gilberto
Kozak Alfred W.
Rode Lise A.
Starr Mark T.
Unisys Corporation