
Secure Generic Authentication for Distributed Computing Environment Applications

IP.com Disclosure Number: IPCOM000115588D
Original Publication Date: 1995-May-01
Included in the Prior Art Database: 2005-Mar-30
Document File: 2 page(s) / 78K

Publishing Venue

IBM

Related People

Kolban, N: AUTHOR

Abstract

The Distributed Computing Environment (DCE) developed by the Open Software Foundation (OSF) provides a powerful security model and implementation. In particular it provides the capability to authenticate users and programs across a number of heterogeneous machines.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Secure Generic Authentication for Distributed Computing Environment Applications

      The Distributed Computing Environment (DCE) developed by the
Open Software Foundation (OSF) provides a powerful security model and
implementation.   In particular it provides the capability to
authenticate users and programs across a number of heterogeneous
machines.

      DCE applications that wish to make use of the DCE
authentication mechanisms must either have DCE security API calls
explicitly coded within them, or the user must authenticate his or
her whole session.  Currently the only way to authenticate a whole
session is with the DCE-supplied application called "DCE_LOGIN".
DCE_LOGIN takes a principal name (user ID) and a password as
parameters and authenticates the session; subsequent commands invoked
from that session are executed in the authentication context so
obtained.

      For server programs (i.e., non-interactive programs) there may
be no login or authentication context available, and hence they may
be unable to use the facilities of DCE, since the DCE servers require
that the caller be authenticated.   The "DCE_LOGIN" program does
provide a mechanism to execute arbitrary programs under an
authentication context, but the clear-text password must then be
known to whatever starts the program.   This presents a security
exposure for server programs.

      The problem is overcome by running an application which uses
the properties of the DCE interface to manage the authentication
process for server programs.   The application is referred to herein
as 'SECSET'.

      The DCE Security API architects a mechanism known as "keyfile"
caching.   This entails encrypting the clear-text password and
storing it in a user-level file.  Protection of the DCE credential is
thereby passed to the underlying operating system's facilities (file
ownership and permissions) for maintaining security on the file.
Additionally, DCE principal passwords saved in "keyfiles" can be...