How Authentication Is Used in Network Applications

You can use cryptographic authentication to solve an important security problem.

Lawrence E. Hughes

September 30, 1997


You can use cryptographic authentication to solve an important security problem found in many network applications: the transmission of passwords in plain text. Without cryptographic authentication, a client must identify itself by sending a plain-text username and password.

For example, assume your Internet email account name is Harpo and your password is swordfish. If your email service has POP3, the service uses the following sequence of commands and responses to retrieve messages (C: denotes a message from the client to the server; S: denotes a response from the server to the client):

C: (opens TCP connection to server on port 110)

S: +OK POP3 Server Ready

C: USER harpo

S: +OK

C: PASS swordfish

S: +OK user/password acceptable

If your email service has Internet Mail Access Protocol 4 (IMAP4), the service uses similar commands and responses to retrieve messages. In either case, anyone with access to your network and a network sniffer can easily see your valid username and password. Intruders can also use various software utilities (such as NT 4.0's Network Monitor) designed to access all network messages to learn your username and password. And the intruders don't even need to be on site. They can use a remote client to access your network if your LAN is connected to the Internet without adequate safeguards, such as a firewall.

You don't have to fall victim to intruders, however. Several preventive measures exist, and the most common one is Kerberos.

For a Kerberos measure to work, you need to meet three requirements. First, you must have a properly installed Kerberos authentication server on your network. Second, the authentication server must recognize your mail user and email server. Third, your email client and server software must support Kerberos authentication.

In POP3, the authentication process is in the optional AUTH command. (RFC 1734 defines AUTH.) This command supports authentication with a variety of mechanisms. The basic idea is for the client to request cryptographic authentication via some scheme (in this example, Kerberos 4).

If the POP3 server supports the AUTH command, the server and the client go through a short Kerberos challenge/response exchange, using information obtained from a common Kerberos authentication server or ticket-granting service. If the client supplies appropriate Kerberos credentials during the exchange, the server accepts the connection.

With AUTH, the exchange between the client and server looks like this:

C: (open TCP connection to POP3 server on port 110)

S: +OK POP3 Server ready

C: AUTH KERBEROS_V4

S: + AmFYig

C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
   +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
   WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh

S: + or//EoAADZI=

C: DiAF5A4gA+oOIALuBkAAmw

S: +OK Kerberos V4 authentication successful

In IMAP4, the authentication process is also optional. The basic IMAP standard (RFC 2060) contains the authentication definitions. With the authentication process, the exchange between the client and server looks like the following:

C: (open TCP connection to IMAP4 server on port 143)

S: * OK IMAP4rev1 Server Ready

C: A001 AUTHENTICATE KERBEROS_V4

S: + AmFYig

C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
   +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
   WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh

S: + or//EoAADZI=

C: DiAF5A4gA+oOIALuBkAAmw

S: A001 OK Kerberos V4 authentication successful

Five important events occur when you use a Kerberos authentication process:

1. The server knows that the client is who it claims to be.

2. The client knows that the server is who it claims to be.

3. The client and server securely exchange a DES session key.

4. At no time is the user's name or password sent over the Internet in plain text.

5. If a third party records the exchange, it cannot play back the message to obtain fraudulent access to the system because timestamps are used in the exchange.

You can further benefit from the authentication process if you take advantage of an option in POP3 and IMAP4. Ordinarily, authentication processes create a DES session key for one particular connection--the key is never used again. In POP3 and IMAP4, however, you can implement a protection mechanism that will let you use a DES session key to encrypt all subsequent messages. This protection mechanism will prevent hackers from impersonating a valid user and from viewing the contents of emails (regardless of whether traffic has been secured with end-to-end encryption schemes). Unfortunately, the protection mechanism is in effect only for data being exchanged between an email client (user agent) and the local server. In addition, it works only during email retrieval.
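As an added example that is not part of the original article, the following Python script applies the article's distinction to session transcripts written in its C:/S: notation: it reports whether a POP3 or IMAP4 login shipped a reusable password in plain text (USER/PASS, LOGIN) or went through an AUTH/AUTHENTICATE challenge/response such as KERBEROS_V4. It goes one step beyond the article by also flagging SASL mechanisms (PLAIN, LOGIN) that carry the password inside the AUTH exchange; the transcripts, the tag pattern and the mechanism table are constructed assumptions, not protocol captures.

```python
import re

# Constructed sample transcripts in the article's "C:"/"S:" notation (not captured traffic).
PLAINTEXT_POP3 = """\
S: +OK POP3 Server Ready
C: USER harpo
S: +OK
C: PASS swordfish
S: +OK user/password acceptable
"""

KERBEROS_IMAP = """\
S: * OK IMAP4rev1 Server Ready
C: A001 AUTHENTICATE KERBEROS_V4
S: + AmFYig
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
S: + or//EoAADZI=
C: DiAF5A4gA+oOIALuBkAAmw
S: A001 OK Kerberos V4 authentication successful
"""

VERBS = {"USER", "PASS", "LOGIN", "AUTH", "AUTHENTICATE"}
PASSWORD_EQUIVALENT = {"PLAIN", "LOGIN"}   # SASL mechanisms that still send the password itself
TAG = re.compile(r"^[A-Za-z0-9]+$")        # assumed shape of an IMAP client tag such as A001

def _verb(words):
    # IMAP commands carry a client tag first ("A001 AUTHENTICATE ..."); POP3 commands do not.
    if len(words) > 1 and TAG.match(words[0]) and words[0].upper() not in VERBS:
        return words[1].upper(), words[2:]
    return words[0].upper(), words[1:]

def audit_session(transcript):
    """Report how a POP3/IMAP4 session authenticated and whether a reusable password was exposed."""
    report = {"plaintext_commands": [], "mechanism": None, "sasl_rounds": 0, "exposed": False}
    for line in transcript.splitlines():
        if not line.startswith("C: "):
            continue                      # only client messages can leak the credential
        words = line[3:].split()
        if not words:
            continue
        verb, args = _verb(words)
        if verb in ("USER", "PASS", "LOGIN"):
            report["plaintext_commands"].append(verb)
            report["exposed"] = True      # username/password readable by any sniffer
        elif verb in ("AUTH", "AUTHENTICATE") and args:
            report["mechanism"] = args[0].upper()
            if report["mechanism"] in PASSWORD_EQUIVALENT:
                report["exposed"] = True  # base64 is encoding, not encryption
        elif report["mechanism"]:
            report["sasl_rounds"] += 1    # base64 client response inside the AUTH exchange
    return report
```

Run over a large set of transcripts, the `exposed` flag identifies accounts whose password must be treated as compromised and clients that still need to be moved to an AUTH mechanism.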
