In present-day networks and computer systems, privacy and proper authentication of network and computer Users are among the foremost areas of concern. The Kerberos security system is widely used today as a developing standard for authenticating network Users; it is common in the UNIX community and in Unisys ClearPath systems, where it is useful because it functions in a multi-vendor network and does not require the transmission of passwords over the network.
Kerberos operates to authenticate Users, that is to say, it determines if a User is a valid User. It does not provide other security services such as audit trails. Kerberos authentication is based on "passwords" and does not involve physical location or smart cards.
In order to implement Kerberos in a system, each computer in the network must run the Kerberos software. Kerberos works by granting a "ticket", which is honored by all of the network computers running the Kerberos protocol. The tickets are encrypted, so passwords never cross the network in "clear text", and Users do not need to re-enter their password when accessing a different computer.
Since Kerberos often must run on every single computer in a network, this sometimes presents a problem for potential Users. Considerable effort and time may be involved in porting Kerberos to each different hardware platform in the network. Kerberos users have generally tended to be large networks furnished with extensive expertise. Since such resources were not generally available to smaller networks, which normally could not justify the cost and expense, making Kerberos available to smaller networks was sometimes a problem.
Kerberos networks belong to the class of systems designated as "symmetric crypto-systems". One such symmetric crypto-system is the "Kerberos Authentication System", described by J. T. Kohl and B. C. Neuman in an article entitled "The Kerberos Network Authentication Service", published in September 1993 as Internet RFC 1510.
Kerberos uses symmetric-key crypto-systems as a primitive and uses the Data Encryption Standard (DES) as its inter-operability standard. Kerberos has been adopted as the basis for security services in the Open Software Foundation's (OSF) Distributed Computing Environment (DCE). Kerberos was designed to provide authentication and key exchange, but it was not designed to provide digital signatures.
Thus, networks require systems and methods for securing communications which allow one User to authenticate itself to another User, and which often must also allow digital signatures to be placed on a message, in order to provide non-repudiation.
Kerberized environments involve the transmittal of messages, for example from a server to a client, and this raises a major problem in these networks: how to perform the many useful functions of the Kerberos environment, which may require unusual and flexible types of command structures.
The present disclosure provides a new User interface on a Unisys ClearPath NX Server which permits Users to perform many flexible Kerberos functions. Additionally, the User interface permits the User to take advantage of certain networking security products of the Unisys ClearPath NX Server that provide a more secure network logon process.
A Kerberos Domain is provided whereby a client-user may communicate with a specialized client server and a Kerberos Server. The client server (ClearPath Server) provides a Menu-Assisted Resource Control program (MARC) which enables client requests to access a Kerberos Support Library via a Directive Interface. The Client Server 13 has a Universal Data Port 15 which communicates with a Kerberos Server 20. The Kerberos Server has a Key Distribution Center 22, a Key Table File 26K, a Kerberos Administrative Module 24, and a Kerberos Database 28, which provide information and data to the Client Server 13. The Client Server 13 has a configuration file 42, a Key Table File 26C, an Encryption Library 32, a UserData Module 36, a Generic Security Service Application Program Interface (GSS-API) Support Library 38 and the Master Control Program 60, all of which interconnect to the Kerberos Support Library 34.
The present method and system provides for the creation and implementation of a series of User commands to the Kerberos network which allow the User to execute a variety of necessary functions, whereby the User's request is responded to by the Client Server Unit 13.
The flexible User functions give the client-user the ability to: inquire as to the list of Kerberos commands available; inquire and change the clock skew value; inquire and change the Debug options; obtain a ticket-granting ticket; destroy the client-user's previously active tickets; inquire and/or manipulate a Key Table file; find the principals in the Key Table file; load and extract information from a Key Table file; list the ticket-granting tickets residing in the client-user's ticket cache; load a configuration file into memory; change the User's principal Kerberos password in the Kerberos database; add a User's ID to the Kerberos database; inquire as to a Realm Name; and change an option designated as the Re-play Detection Option.
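The ticket mechanism described in the Kerberos background (encrypted tickets, no password on the wire) and several of the client-user functions listed here (adding a User's ID to the Kerberos database, obtaining a ticket-granting ticket, the clock skew value and the Re-play Detection Option) can be seen together in one small model. The following Python is an added example written for this page; it is not the patent's code, nor Unisys's or MIT's Kerberos. It models only the AS exchange and a TGS-side authenticator check, the "encryption" is a toy HMAC-SHA256 construction standing in for DES, and the realm EXAMPLE.COM, the principal alice and the passwords are constructed for the walk-through.

```python
# Toy Kerberos-style AS exchange and ticket check (added example; not Unisys or MIT code).
import hashlib, hmac, json, os

def string_to_key(password, realm, principal):
    # Long-term key from password + realm/principal salt; the password never goes on the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10000)

def _subkeys(key):  # separate encryption and MAC keys from one Kerberos key
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _keystream(ke, nonce, n):  # HMAC in counter mode, truncated to n bytes
    blocks = (hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy authenticated encryption (HMAC-SHA256 keystream + tag) standing in for the DES
    # encryption types of real Kerberos; illustrative only, not for production use.
    ke, km = _subkeys(key)
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ke, nonce, len(pt))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Inverse of seal(); raises ValueError on a wrong key or a tampered blob.
    ke, km = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or corrupted ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(ke, nonce, len(ct)))))

class KDC:
    # Key Distribution Center: principal database, TGS key, clock-skew and replay options.
    def __init__(self, realm, clock_skew=300):
        self.realm, self.clock_skew = realm, clock_skew  # skew in seconds, adjustable
        self.replay_detection = True                     # the Re-play Detection Option
        self.db = {}                                     # principal -> long-term key
        self.tgs_key = os.urandom(32)                    # krbtgt key; never leaves the KDC
        self._seen = set()                               # replay cache: (client, auth time)

    def add_principal(self, principal, password):
        self.db[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal, now):
        # AS-REQ names the principal only.  AS-REP carries a TGT sealed under the TGS key
        # and an enc-part sealed under the client's long-term key, so only a client that
        # knows the password can open the enc-part and learn the session key.
        skey = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": principal, "skey": skey, "issued": now})
        return tgt, seal(self.db[principal], {"skey": skey})

    def verify(self, tgt, authenticator, now):
        # TGS-side check of a presented TGT plus authenticator; returns the client name.
        t = unseal(self.tgs_key, tgt)
        auth = unseal(bytes.fromhex(t["skey"]), authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - auth["time"]) > self.clock_skew:
            raise ValueError("clock skew exceeded")
        if self.replay_detection:
            if (auth["client"], auth["time"]) in self._seen:
                raise ValueError("replayed authenticator")
            self._seen.add((auth["client"], auth["time"]))
        return t["client"]

class Client:
    # kinit-style ticket acquisition over an in-memory ticket cache.
    def __init__(self, principal, realm):
        self.principal, self.realm, self.cache = principal, realm, None

    def kinit(self, kdc, password, now):
        tgt, enc_part = kdc.as_exchange(self.principal, now)
        part = unseal(string_to_key(password, self.realm, self.principal), enc_part)
        self.cache = (tgt, bytes.fromhex(part["skey"]))

    def authenticator(self, now):
        tgt, skey = self.cache
        return tgt, seal(skey, {"client": self.principal, "time": now})

def _attempt(fn):
    try:
        fn()
        return "accepted"
    except ValueError:
        return "rejected"

def demo():
    # Constructed walk-through with a made-up realm and principal; returns the outcomes.
    kdc, now, r = KDC("EXAMPLE.COM"), 1700000000, {}
    kdc.add_principal("alice", "correct horse")
    alice = Client("alice", "EXAMPLE.COM")
    r["wrong_pw"] = _attempt(lambda: alice.kinit(kdc, "wrong password", now))
    alice.kinit(kdc, "correct horse", now)
    tgt, auth = alice.authenticator(now + 10)
    r["first"] = kdc.verify(tgt, auth, now + 12)
    r["replay"] = _attempt(lambda: kdc.verify(tgt, auth, now + 12))
    kdc.replay_detection = False
    r["replay_off"] = kdc.verify(tgt, auth, now + 12)
    r["skew"] = _attempt(lambda: kdc.verify(*alice.authenticator(now + 1000), now + 12))
    return r
```

The password is never part of the request: the KDC's reply can only be opened by whoever can derive the client key, which is why a wrong password fails on the client side without the KDC ever seeing it. The skew window and the replay cache are the two knobs that the clock-skew and Re-play Detection commands above adjust; with detection switched off, the identical authenticator is accepted a second time. One caveat the toy makes visible: because the enc-part is sealed under a password-derived key, anyone who can request it can attempt password guesses offline, which is why real Kerberos V5 deployments add pre-authentication to the AS exchange; this model omits it.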