Central Authentication Infrastructure

PennNet-21 Strategy Document
Shumon Huque, University of Pennsylvania
Last revised: March 1st 2004


The old central PennNet Authentication System (PAS) was used by a large and growing number of the network services available to the Penn community. But PAS had many shortcomings. It authenticated users by verifying reusable passwords that were transmitted over the network in the clear, which made it vulnerable to various forms of eavesdropping and password-guessing. It relied on custom network protocols designed at Penn, so any service that used PAS required non-standard software in order to authenticate users. It had no provisions for high availability. And it lacked Single Sign-on functionality that would make authentication easier and more convenient for users.


The new Central Authentication System deployed at Penn is called "PennKey" and is based on Kerberos.

Kerberos is a standards-based central authentication system that employs symmetric key cryptography. The authentication function is mediated by a set of trusted servers on the network called Key Distribution Centers (KDCs). The system provides mutual authentication, in which both parties in the communication (clients and servers) are authenticated to each other. It also provides facilities for session encryption and integrity protection. Kerberos prevents the transmission of user passwords over the network (in the clear or even encrypted). Passwords are only used to encrypt and decrypt time-limited cryptographic credentials which are subsequently used in the authentication function. A special service called the "ticket granting service" provides a much-desired Single Sign-on capability.
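As an added illustration (not part of this document or of Penn's deployment), the following Python sketch models the two Kerberos exchanges described above: the client derives a key from its password locally and uses it only to decrypt the KDC's reply, so the password never crosses the network, and the ticket-granting service rejects a ticket once its lifetime has passed. The key derivation, cipher and message formats are stdlib simplifications, not the real Kerberos encodings.

```python
import hashlib, hmac, json, os

def string_to_key(password, salt):
    # stand-in for Kerberos string2key: PBKDF2 over password + principal-name salt (assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)

def seal(key, obj):
    # toy authenticated encryption (stdlib only): SHAKE keystream + HMAC tag, fresh nonce per call
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered credential")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

class KDC:
    def __init__(self, principals):
        self.db = {p: string_to_key(pw, p) for p, pw in principals.items()}  # long-term keys only
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service; never leaves the KDC

    def as_exchange(self, cname, now, lifetime=8 * 3600):
        # AS-REQ names the principal; AS-REP is a TGT (readable only by the TGS) plus the
        # session key sealed under the user's long-term key. No password is sent or checked here.
        session_key, endtime = os.urandom(32).hex(), now + lifetime
        tgt = seal(self.tgs_key, {"cname": cname, "key": session_key, "endtime": endtime})
        return tgt, seal(self.db[cname], {"key": session_key, "endtime": endtime})

    def tgs_exchange(self, tgt, authenticator, now):
        # TGS-REQ: the TGT proves the KDC issued it; the authenticator proves the client holds
        # the session key, which it could only have obtained by knowing the password.
        t = unseal(self.tgs_key, tgt)
        if now > t["endtime"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["cname"] != t["cname"] or abs(now - a["ctime"]) > 300:
            raise PermissionError("authenticator mismatch or clock skew")
        return t["cname"]  # service-ticket issuance omitted

def login(kdc, cname, password, now):
    # client side: the password becomes a key locally and is used only to decrypt the AS-REP
    tgt, enc_part = kdc.as_exchange(cname, now)
    creds = unseal(string_to_key(password, cname), enc_part)  # raises if the password is wrong
    return tgt, bytes.fromhex(creds["key"])

def make_authenticator(session_key, cname, now):
    return seal(session_key, {"cname": cname, "ctime": now})
```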

The core Kerberos infrastructure consists of multiple (currently three) redundant Key Distribution Centers (KDCs) that provide the Kerberos authentication, ticket-granting and administration services. Each KDC is located in a distinct building on a distinct network (IP subnet) with redundant connectivity to the campus routing core via distinct routing equipment. The Kerberos protocol supports multiple servers and transparently fails over to alternate servers. This design provides a high-availability central authentication service that is resistant to a wide variety of server and network failures, and even environmental disasters. All KDC server platforms are maximally secured against intrusion, even at the cost of making routine systems administration more difficult (e.g., by limiting physical access to the server hardware and disallowing all unnecessary network services, including remote logins). Sensitive KDC data does not appear on backup tapes in an unencrypted form, and any encryption keys required for backups are stored in physically secure facilities for disaster recovery purposes.

Additional software infrastructure provides convenient and secure facilities for online user account management and for server principal and key management. A test Kerberos infrastructure provides facilities for Kerberos administrators to test new KDC software functionality. A RADIUS authentication service is also available to allow Kerberos password verification for applications that don't currently support native Kerberos authentication. In this scheme the application transmits the user's Kerberos password in a cryptographically secure manner to a RADIUS service, which subsequently authenticates the user to the Kerberos service. It is meant as a transitional mechanism only, until the application can support the Kerberos protocol directly.


The core Kerberos infrastructure has been operational since the spring of 2000. The PAS service was retired in October 2002. Old PAS-authenticated services have either been transitioned to Kerberos authentication or re-architected to use the RADIUS service for Kerberos password verification as an interim step to direct use of Kerberos.


Milestones remaining to be completed include:


Shumon Huque, Lead Engineer
Information Systems & Computing, University of Pennsylvania