23
Mon, Dec
3 New Articles

Weaving WebSphere: SSH, SSL, and Kerberos

Development Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
"They that can give up essential liberty to obtain a little temporary security deserve neither liberty nor security."
--Ben Franklin

"They that can give up essential security to make their jobs a little easier deserve neither security nor a job."
--Joe Pluta

In reality, my paraphrase is probably a bit alarmist. The issues I'll talk about today don't necessarily present a great danger to your essential security services. At the same time, you should at least make a careful mental note that security is becoming a much more complex task and that decisions you make can greatly affect your environment.

In this article, I present three of the major security protocols: Secure Shell (SSH), Secure Sockets Layer (SSL), and Kerberos. While the world seems to be rushing headlong into Kerberos support, spurred on by the growing clamor for single sign-on, I thought it might make sense to review some of the different options to lend some perspective to the decision-making process. I'll explain how the different protocols work and where they are the most appropriate. I'll also delve a little deeper into the strengths and weaknesses of Kerberos.

Our Three Competitors

There are probably dozens of security techniques. Why did I pick SSH, SSL, and Kerberos? My primary reason is that I kept getting these confused myself. I hoped that by doing some real research on the topic for you, my loyal reader, I would finally get the terms straight in my head. And as it turns out, while I've learned a lot about these various protocols, I find that the issues aren't nearly as clear-cut as I would have liked.

About the only thing these different techniques have in common is that they all can use some variant of public key cryptography. The way this works is that there are two keys, the public key and the private key (together, these are called a digital key pair). The public key is used to encode messages. Once a message is encoded, only the private key can decode them. You keep the private key secure and give the public key to the rest of the world. They can then encrypt messages with reasonable (though not 100%) assurance that nobody besides you can read them.

SSH

SSH is perhaps the simplest of the three. SSH is a very flexible protocol whose purpose is to set up an encrypted tunnel between one machine and another. With SSH, you can use either a simple user ID and password or a digital key pair. SSH was originally designed to support secure versions of console login (Telnet) and file transfer (FTP). The SSH software by definition supports these two functions. Additionally, once an SSH tunnel is created, you can route all other IP-based applications through it, including HTTP. So, in theory, SSH supports any application.

SSH has two primary versions right now, SSH-1 and SSH-2. At this time, SSH-2 is not as widely supported as SSH-1, and the two are incompatible. While SSH-2 provides a number of additional features and is a very powerful evolutionary step from SSH-1, the lack of universal support can be a problem. The good news is that a couple of the major open source products, OpenSSH and Eclipse, have announced support for SSH-2.

The biggest problem with SSH is that it does not truly authenticate the host. This is a concept we usually don't think about, but as important as it is to make sure that the client is who he says he is, the same holds true for the server. Otherwise, you can be getting bogus data; more importantly, you can find yourself entering sensitive information into a spoofed server. SSH bypasses this sort of security, and because no certificates are involved, once an SSH relationship has been breached, there's no way to revoke that authority.

SSL

Netscape developed the proprietary SSL protocol specifically to secure HTTP communications. SSL uses digital certificates that adhere to the X.509 standard to verify the communication. Unlike SSH and Kerberos, X.509 is the only certification method used for SSL. You can either use a single certificate to validate the server or use an optional second certificate to validate the client as well. The single-certificate method is the most widely used method of secure communications for WWW communications; this is what you use when you access a URL that starts with "https" rather than "http."
SSL is a well-established protocol. It has an open source version, OpenSSL, and it even has an IETF spin-off, Transport Layer Security (TLS), which you can read about as RFC 2246). TLS is the open standard version of SSL3, which removes the minor quibble that SSL was a "Netscape thing." The biggest downside to SSL is that it requires a third-party certificate authentication system, such as the VeriSign Certificate Authority, to verify that the certificate is valid. That means you are at their mercy when it comes to server availability and certificate verification. You may recall that the Verisign certificate itself expired back in January, causing a bit of trouble for people using SSL.

You'll often hear about "self-signed" certificates, which essentially bypass the server authentication. They set up a secure tunnel, but you really don't know who is on the other end. From that standpoint, a self-signed SSL certificate is really no more secure than an SSH connection. However, since they're built in to most browsers, SSL connections are inherently easier to set up than SSH connections.

Kerberos

Kerberos is a protocol originally invented at MIT, and in other MC Mag Online articles, Carol Woodbury has done an excellent job of explaining how Kerberos works and how to plan for single sign-on (look for more from Carol about single sign-on next week). Kerberos is fast becoming a de facto industry standard for single sign-on; SSH and SSL don't have the ability to provide the single sign-on capabilities of Kerberos.

Kerberos has many interesting features, but one of the most important is the fact that it requires its own certification machine called a Key Distribution Center (KDC). This replaces the public key infrastructure of the X.509 certificates. On the plus side, it means you don't have to rely on (and pay) a company like Verisign for your security. On the minus side, it means your network is very reliant upon the machine that houses the KDC. If that machine goes down, no service that relies on Kerberos authentication will work.

Even more important in my opinion is the fact that access to my iSeries is now controlled not by the iSeries but by another machine, the KDC. In the brave new world of single sign-on, I need only sign on to my workstation to gain full access to all of my resources in the network, including my user profile on the iSeries. Thus, if someone breaks the password protection of my desktop (or simply walks over to my machine while I'm logged in), he now can get into my iSeries data as well. And if someone manages to get into my KDC, then he literally has the keys to the kingdom. That seems like an awful lot of power to be consolidated in a single point.

Interestingly, with Kerberos V5, the concept of pre-authentication comes into play. Pre-authentication is how the client and server recognize one another. Currently, this uses a public key and a timestamp (the client has a short period of time, usually five minutes, to determine the appropriate response). While this seems reasonable, there's nothing stopping a hacker from sniffing that conversation and then applying brute force to the intercepted key. It make take longer than five minutes, but that's OK. The cracker can just save the passphrase for the next time. Kerberos V5 also supports a "pluggable" authentication module, which means that stricter methods of authentication can be employed, but that seems to be rather rare at this time.

Excellent! Now I Know Everything! Right?

Unfortunately, even if this little article brought some light into the darkened corners of security, it's hardly even a scratch. You may come across dozens of other protocols as you do your own research. Here are some terms:

NTLM

NT LAN Manager authentication (an old Microsoft standard) doesn't even provide encrypted sessions, but it's better than nothing.

SRP and SPEKE

As it turns out, Kerberos isn't really a strong protocol. Those who claim to know these things say Kerberos V4 is a "weak" protocol, and Kerberos V5, while stronger, only ranks as a "pseudo-strong" method. In either case, someone with a little access they shouldn't have and some brute force processing power could conceivably break your keys and emulate you.

Protocols exist that are mathematically proven to be a lot stronger. Well, I shouldn't say that. I should say that I can't see any fault in the mathematical proofs, but IANAM (I am not a mathematician). The protocols in question are derived from theorems having to do with something called Zero Knowledge Protocols (ZKPs). Secure Remote Password (SRP) was developed at Stanford in the late 90s. However, it seems to not have gained much popular acceptance. Another version, Simple Password-authenticated Exponential Key Exchange (SPEKE), has commercial life at Phoenix Technologies.

SPEKE allows you to have very secure sessions with simple passwords, avoiding nearly all the problems of the other protocols. Simple passwords are important because so-called "strong" passwords (such as r#hhsj!633f) are difficult to remember and thus are subject to the "Post-it security hole"; users tend to write the password on a Post-it or some other scrap of paper and then stick it somewhere very near their terminal. This simple human engineering problem can defeat the strongest of security protocols.

So Kerberos Is the Winner?

Whether Kerberos is the winner depends on your definition of the word "winner." The biggest strength of Kerberos (single sign-on) also contains its largest potential for abuse. This use of Kerberos blurs the distinction between authentication and authorization, two very different issues, and in my mind has a potential for disastrous results.

Authentication and Authorization

Authentication simply means that you are who you say you are. No more, no less. So it allows me to log on to my Windows machine. Now, let's say someone manages to get my Windows password. No problem, they can only sign on to the LAN; they'll still need an OS/400 user profile and password to get at anything on the iSeries.

However, with single sign-on, that one password also provides authorization. It in fact opens the doors to everything that I am authorized to according to the Kerberos server. And while this may seem to be a semantic distinction, it becomes more problematic when one realizes that the Kerberos technology can be compromised.

Avoiding Problems

You can easily avoid some of the more serious problems that could occur from this weakness. For example, never provide a single sign-on capability for security profiles such as QSECOFR. In fact, I would highly recommend never allowing the KDC to authenticate any user profile having *ALLOBJ or similar wide-ranging rights.

Incomplete Support

Another issue is the fact that not everybody supports Kerberos right now. I don't have up-to-date information on everything, but as far as I am able to discern, not all JDBC or ODBC drivers support Kerberos. Thus, you may well be able to bypass the logon, but then you'll need some other way to access the database, and now you're back to the traditional design problems of either storing passwords in your application or accessing the database through a different user profile. This nullifies the benefits of the single sign-on.

Not only that, but if your applications are designed to use Kerberos, then all users will require Kerberos identities, and that's probably not realistic for true Internet applications. It's probably not even a good idea for extranet applications that go to vendors and clients.

Use the Right Tool for the Right Job

It's clear that Kerberos is not right for everything. We've been arguing the "right tool for the right job" issue on the mailing lists lately for everything from SQL vs. native I/O to Java vs. RPG. In this case, it means using the security mechanism that is appropriate for the job at hand. Kerberos and single sign-on make sense for intranet applications and perhaps even for Web access to company applications by mobile users. But for general Web access required by extranet and Internet applications, it's more appropriate to use the standard SSL techniques and the public key infrastructure that's already in place. Finally, for mission-critical connections between two machines for administrative tasks like remote backup and problem diagnosis, it makes more sense to use SSH because that protocol does not rely on a third machine. If the problem is that your machine can't communicate to the KDC and at the same time you can't sign on without the KDC, then you're going to have a hard time fixing the problem.

So Back to the Original Issue

My most nagging objection to Kerberos and single sign-on is that access to my iSeries is no longer handled by my iSeries. The KDC has carte blanche to provide access to any machine that's been turned over to it, and since users are always demanding more convenience, it's inevitable that all of my production machines will be turned over.

Thus, in order to allow a user to log on once and access my entire network, I have to turn over access to my most sensitive data to a security mechanism that is ultimately hackable. As I explained a little earlier, the time-based pre-authentication method employed by Kerberos V5 is vulnerable to brute force attacks by a determined hacker. However, Kerberos V5 looks like it can be extended to take advantage of some of the more secure handshake technologies.

So there are two conclusions to be drawn. First, the old adage of the right tool for the right job holds very strongly here. Your overall security environment may be an amalgam of two or three different security approaches for different classes of users. Second, Kerberos may provide some convenience for your end users, but the price for such convenience is extra vigilance, starting with determining which user profiles are really candidates for single sign-on.

Joe Pluta is the founder and chief architect of Pluta Brothers Design, Inc. He has been working in the field since the late 1970s and has made a career of extending the IBM midrange, starting back in the days of the IBM System/3. Joe has used WebSphere extensively, especially as the base for PSC/400, the only product that can move your legacy systems to the Web using simple green-screen commands. Joe is also the author of E-Deployment: The Fastest Path to the Web and Eclipse: Step by Step, with WDSc: Step by Step coming out this September. You can reach him at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: