

DASS - Distributed Authentication Security Service






RFC 1507                          DASS                    September 1993


         A.2  Creating a User Principal ............................ 102
         A.3  Creating a Server Principal .......................... 103
         A.4  Booting a Server Principal ........................... 103
         A.5  A user logs on to the network ........................ 103
         A.6  An Rlogin (TCP/IP) connection is made ................ 104
         A.7  A Transport-Independent Connection ................... 104
    Annex B - Support of the GSSAPI ................................ 104
         B.1  Summary of GSSAPI .................................... 105
         B.2  Implementation of GSSAPI over DASS ................... 106
         B.3  Syntax ............................................... 110
    Annex C - Imported ASN.1 definitions ........................... 112
    Glossary ....................................................... 114
   Security Considerations ......................................... 119
   Author's Address ................................................ 119
   Figures
    Figure 1 - Authentication Exchange Overview ....................  24

1. Introduction

1.1 What is DASS?

   Authentication is a security service. The goal of authentication is
   to reliably learn the name of the originator of a message or request.
   The classic way by which people authenticate to computers (and by
   which computers authenticate to one another) is by supplying a
   password.  There are a number of problems with existing password
   based schemes which DASS attempts to solve.  The goal of DASS is to
   provide authentication services in a distributed environment which
   are both more secure (more difficult for a bad guy to impersonate a
   good guy) and easier to use than existing mechanisms.

   In a distributed environment, authentication is particularly
   challenging.  Users do not simply log on to one machine and use
   resources there.  Users start processes on one machine which may
   request services on another.  In some cases, the second system must
   request services from a third system on behalf of the user.  Further,
   given current network technology, it is fairly easy to eavesdrop on
   conversations between computers and pick up any passwords that might
   be going by.

   DASS uses cryptographic mechanisms to provide "strong, mutual"
   authentication.  Mutual authentication means that the two parties
   communicating each reliably learn the name of the other.  Strong
   authentication means that in the exchange neither obtains any
   information that it could use to impersonate the other to a third
   party.  This can't be done with passwords alone.  Mutual
   authentication can be done with passwords by having a "sign" and a
   "counter-sign" which the two parties must utter to assure one another



Kaufman
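The distinction section 1.1 draws between "mutual" and "strong" authentication is easiest to see by simulating both kinds of exchange. The following is an added example written for this page, not code from RFC 1507 or any DASS implementation: scheme 1 is the password sign/counter-sign exchange the text describes, and scheme 2 is a challenge/response exchange built on a toy textbook RSA signature with constructed primes, which stands in for the "cryptographic mechanisms" the section mentions (the real DASS protocol is specified later in the RFC). The function names, the transcript format and the sample passwords, nonces and primes are all constructed for the illustration. It checks, for each scheme, whether both sides authenticate each other, and then whether a party holding the transcript could pass as the user to a third party.

```python
"""Added illustration for the definitions in RFC 1507 section 1.1: an
exchange can be *mutual* without being *strong*.  Both schemes below are
toy simulations written for this page; neither is the DASS protocol."""
import secrets


# ---- Scheme 1: password "sign" and "counter-sign" ---------------------------
# Each side proves itself by uttering a secret word.  The result is mutual,
# but whoever hears a word (the peer, or a wiretap) now holds it verbatim.

def password_exchange(user_sign, server_countersign, server_expects, user_expects):
    """Run the exchange.  Returns (mutually_authenticated, transcript)."""
    transcript = [("user->server", "response", user_sign)]
    if not secrets.compare_digest(user_sign, server_expects):
        return False, transcript                 # server rejects the user
    transcript.append(("server->user", "response", server_countersign))
    return secrets.compare_digest(server_countersign, user_expects), transcript


def password_impersonation_succeeds(transcript, third_party_expects):
    """Can anyone holding the transcript pass as the user to a third party
    that checks the same password?  Yes: the password itself was sent."""
    return any(kind == "response" and value == third_party_expects
               for _, kind, value in transcript)


# ---- Scheme 2: challenge/response with digital signatures -------------------
# Textbook RSA on small constructed primes.  Illustration only: the parameters
# are trivially factorable, and a real protocol signs a hash that also binds
# the parties' names and session data rather than the bare challenge.

def toy_keypair(p, q, e):
    """Return (public, private) = ((e, n), (d, n)) for constructed primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def sign(challenge, private):
    d, n = private
    if not 1 < challenge < n:
        raise ValueError("toy challenge must be an integer in [2, n-1]")
    return pow(challenge, d, n)


def verify(challenge, response, public):
    e, n = public
    return pow(response, e, n) == challenge


def fresh_challenge(n):
    return secrets.randbelow(n - 2) + 2          # uniform in [2, n-1]


def signature_exchange(user_priv, user_pub, server_priv, server_pub,
                       server_nonce=None, user_nonce=None):
    """Mutual challenge/response.  Returns (mutually_authenticated, transcript).
    Nonces default to fresh random values; fixed ones are accepted for tests."""
    if server_nonce is None:
        server_nonce = fresh_challenge(user_pub[1])
    if user_nonce is None:
        user_nonce = fresh_challenge(server_pub[1])
    transcript = [("server->user", "challenge", server_nonce)]
    user_resp = sign(server_nonce, user_priv)        # user answers with own key
    transcript.append(("user->server", "response", user_resp))
    if not verify(server_nonce, user_resp, user_pub):
        return False, transcript
    transcript.append(("user->server", "challenge", user_nonce))
    server_resp = sign(user_nonce, server_priv)      # server answers likewise
    transcript.append(("server->user", "response", server_resp))
    return verify(user_nonce, server_resp, server_pub), transcript


def signature_impersonation_succeeds(transcript, user_pub, third_party_nonce):
    """Can someone holding only the transcript answer a third party's fresh
    challenge as the user?  Replaying the user's old response only works if
    the third party happens to issue the very same challenge."""
    return any(direction == "user->server" and kind == "response"
               and verify(third_party_nonce, value, user_pub)
               for direction, kind, value in transcript)


if __name__ == "__main__":
    ok, t = password_exchange("open-sesame", "friend", "open-sesame", "friend")
    print("password scheme: mutual =", ok, "| impersonation possible =",
          password_impersonation_succeeds(t, "open-sesame"))
    u_pub, u_priv = toy_keypair(61, 53, 17)      # constructed user key
    s_pub, s_priv = toy_keypair(47, 59, 3)       # constructed server key
    ok, t = signature_exchange(u_priv, u_pub, s_priv, s_pub)
    print("signature scheme: mutual =", ok, "| impersonation possible =",
          signature_impersonation_succeeds(t, u_pub, fresh_challenge(u_pub[1])))
```

Both schemes report mutual authentication, but only in the password scheme does the server (or a wiretap) come away able to pass as the user elsewhere. In the signature scheme the server holds a response to its own challenge, which a third party issuing a fresh challenge will reject; the replay check with the identical challenge shows why freshness of the challenge is part of what makes the exchange strong.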