DASS - Distributed Authentication Security Service
RFC 1507 DASS September 1993
A.2 Creating a User Principal ............................ 102
A.3 Creating a Server Principal .......................... 103
A.4 Booting a Server Principal ........................... 103
A.5 A user logs on to the network ........................ 103
A.6 An Rlogin (TCP/IP) connection is made ................ 104
A.7 A Transport-Independent Connection ................... 104
Annex B - Support of the GSSAPI ................................ 104
B.1 Summary of GSSAPI .................................... 105
B.2 Implementation of GSSAPI over DASS ................... 106
B.3 Syntax ............................................... 110
Annex C - Imported ASN.1 definitions ........................... 112
Glossary ....................................................... 114
Security Considerations ......................................... 119
Author's Address ................................................ 119
Figures
Figure 1 - Authentication Exchange Overview .................... 24
1. Introduction
1.1 What is DASS?
Authentication is a security service. The goal of authentication is
to reliably learn the name of the originator of a message or request.
The classic way by which people authenticate to computers (and by
which computers authenticate to one another) is by supplying a
password. There are a number of problems with existing password-
based schemes which DASS attempts to solve. The goal of DASS is to
provide authentication services in a distributed environment which
are both more secure (more difficult for a bad guy to impersonate a
good guy) and easier to use than existing mechanisms.
In a distributed environment, authentication is particularly
challenging. Users do not simply log on to one machine and use
resources there. Users start processes on one machine which may
request services on another. In some cases, the second system must
request services from a third system on behalf of the user. Further,
given current network technology, it is fairly easy to eavesdrop on
conversations between computers and pick up any passwords that might
be going by.
DASS uses cryptographic mechanisms to provide "strong, mutual"
authentication. Mutual authentication means that the two parties
communicating each reliably learn the name of the other. Strong
authentication means that in the exchange neither obtains any
information that it could use to impersonate the other to a third
party. This can't be done with passwords alone. Mutual
authentication can be done with passwords by having a "sign" and a
"counter-sign" which the two parties must utter to assure one another
Kaufman