This blog post summarizes the key points of several authentication mechanisms, with a focus on Kerberos.
Different Authentication Mechanisms
Basic authentication
- Credentials are sent in the Authorization header as base64(username:password).
- base64 is an ENCODING, not ENCRYPTION: anyone who sees the header can recover the password. On its own it is not a secure authentication protocol.
- A secure transport mechanism (HTTPS) is applied in most deployment scenarios to protect it.
Form based authentication
- Has the same lack of security as Basic Authentication.
- User credentials are transmitted as plain text in the POST body, and the target server is not authenticated.
- HTTPS, or security at the network level, is applied in deployment scenarios.
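The point shared by the two sections above (base64 is reversible, and a form POST carries the password verbatim) is easiest to see from the attacker's side. The following is an added example, not code from the original post: it takes two constructed plain-HTTP requests, one with an Authorization: Basic header and one with a login form submission, and recovers the credentials exactly as a passive observer on the path, or a bogus server the client was lured to, would. The hostnames, credentials and form field names (`username`, `password`) are made up for the example.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests: what a passive observer on the network path
# (or a bogus server) sees when the transport is plain HTTP instead of HTTPS.
# Hostnames and credentials are made up for this example.
BASIC_REQUEST = (
    b"GET /api/report HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Authorization: Basic YWxpY2U6c2VjcmV0\r\n"
    b"\r\n"
)

FORM_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"username=bob&password=hunter2%21&remember=on"
)

NO_CREDS_REQUEST = (
    b"GET /public HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into request line, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_basic(headers):
    """Undo the base64 'protection' of an Authorization: Basic header."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', so the first ':' is the separator
    user, _, password = decoded.partition(":")
    return user, password


def credentials_from_form(headers, body: bytes, user_field="username", pass_field="password"):
    """Read a login form submission; the field names are assumed (sites differ)."""
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("utf-8", errors="replace"))
    if user_field not in fields or pass_field not in fields:
        return None
    return fields[user_field][0], fields[pass_field][0]


def recover_credentials(raw: bytes):
    """Return (user, password) if the request carries credentials in the clear, else None."""
    _, headers, body = parse_request(raw)
    return credentials_from_basic(headers) or credentials_from_form(headers, body)


if __name__ == "__main__":
    for req in (BASIC_REQUEST, FORM_REQUEST, NO_CREDS_REQUEST):
        print(parse_request(req)[0], "->", recover_credentials(req))
```

Nothing in either scheme distinguishes the real server from an impostor, which is why the deployment advice in both sections is HTTPS: with a certificate the client can verify, the observer sees only ciphertext and the impostor cannot complete the handshake.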
Authentication using OASIS WSS (Web Services Security)
- Incorporates user credentials as part of the SOAP header (the WS-Security UsernameToken).
- wss4j also implements the X.509 Certificate Token Profile 1.1.
Authentication using SSL / X.509
- Uses asymmetric encryption to authenticate the peer and establish a session key, and symmetric encryption for the session traffic.
- An X.509 certificate can also be provided as part of the SOAP header. The certificate is obtained from a certification authority (CA).
Authentication using SPNEGO (Negotiation Protocol)
SPNEGO
- Used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.
- Negotiable sub-mechanisms include NTLM and Kerberos.
NTLM
- The server generates an NTLM challenge for the client, the client calculates an NTLM response from its password hash, and the server validates that response.
- The NTLM challenge-response mechanism only provides client authentication: the server never proves its own identity.
- Using NTLM, users might therefore provide their credentials (a response that can be cracked offline) to a bogus server.
- RC4 for encryption, with MD4 (NT hash) and HMAC-MD5 (NTLMv2) for the hashes. Recent cryptographic methods, such as AES or SHA-256, are not supported.
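To make the three NTLM bullets concrete, the following is an added example (not code from the original post) that implements the NTLMv2 computation in plain Python: NT hash = MD4 of the UTF-16LE password, NTLMv2 key = HMAC-MD5 over the upper-cased user and domain, and the response = HMAC-MD5 over the server challenge and a client blob. MD4 is implemented inline because OpenSSL 3 builds of `hashlib` often no longer provide it. It shows both sides of the exchange, and then what a bogus server can do with the response it collected: because it chose the challenge and nothing authenticated it to the client, it can test password guesses offline. The user name, domain and candidate passwords are made up; the client blob layout is a simplified version of the real NTLMv2_CLIENT_CHALLENGE structure.

```python
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because OpenSSL 3 builds of hashlib often lack it."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, round constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for f, K, ks, shifts in rounds:
            for i, k in enumerate(ks):
                t = (-i) % 4  # register updated in this step cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + f(x, y, z) + X[k] + K) & MASK, shifts[i % 4])
        a, b, c, d = ((a + v[0]) & MASK, (b + v[1]) & MASK, (c + v[2]) & MASK, (d + v[3]) & MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. Unsalted, so equal passwords hash alike."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_blob(client_nonce: bytes, filetime: int, target_info: bytes) -> bytes:
    """Simplified NTLMv2 client challenge: type bytes, reserved, timestamp, nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_nonce
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(password, user, domain, server_challenge, target_info,
                    client_nonce=None, filetime=None):
    """Client side: returns NTProofStr || blob. Note the server proved nothing before this."""
    client_nonce = client_nonce or os.urandom(8)
    filetime = filetime or int((time.time() + 11644473600) * 10_000_000)  # 100 ns units since 1601
    blob = client_blob(client_nonce, filetime, target_info)
    nt_proof = hmac.new(ntlmv2_key(password, user, domain), server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def server_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Genuine server: recompute NTProofStr from the NT hash it stores and compare."""
    nt_proof, blob = response[:16], response[16:]
    key = hmac.new(stored_nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def crack_offline(user, domain, server_challenge, response, candidates):
    """Bogus server: it chose the challenge and captured the response, so it can test
    password guesses offline at MD4/HMAC-MD5 speed with no further interaction."""
    nt_proof, blob = response[:16], response[16:]
    for guess in candidates:
        if hmac.new(ntlmv2_key(guess, user, domain), server_challenge + blob, hashlib.md5).digest() == nt_proof:
            return guess
    return None


if __name__ == "__main__":
    # Constructed exchange: user, domain, password and word list are made up.
    challenge = os.urandom(8)
    resp = client_response("Winter2024!", "alice", "CORP", challenge, b"")
    print("genuine server accepts:", server_verify(nt_hash("Winter2024!"), "alice", "CORP", challenge, resp))
    print("bogus server cracks:", crack_offline("alice", "CORP", challenge, resp, ["123456", "Winter2024!"]))
```

The whole chain uses only MD4 and MD5, which is the "no AES or SHA-256" bullet in practice: the response is cheap to test, and the only thing that varies between attempts is the challenge, which the attacker controls when it is the server. Kerberos, below, avoids this by having the KDC prove knowledge of the user's key before the client discloses anything useful.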
Kerberos:
- A network authentication and single sign-on protocol developed at MIT; Active Directory uses it as its default authentication protocol.
- Authenticates the user against the Kerberos Key Distribution Centre (KDC).
- Microsoft adopted Kerberos as the preferred authentication protocol over NTLM (since Windows 2000).
- Kerberos builds on symmetric key cryptography: every principal shares a long-term key with the KDC.
Kerberos advantages:
- Provides mutual authentication: both the server and the client verify each other's identity.
- Eliminates the transmission of unencrypted passwords across the network; the password never leaves the client.
[Figure: Kerberos KDC Communication]
KDC Communication (Step 4):
- The KDC validates the user principal (looks it up in its database).
- The response (AS-REP) is encrypted with the user's key, which the KDC derives from the user's password; only a client that knows the password can decrypt it.
- The Kerberos ticket (TGT) inside the response is encrypted with a secret key which only the KDC knows (the krbtgt key), so the client carries the ticket but cannot read or alter it.
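The three bullets above describe the AS exchange. The following added example (not code from the original post or from any Kerberos implementation) plays both sides of it: a toy KDC that stores derived keys plus a krbtgt key only it knows, and a client that derives the same user key from the password, decrypts the AS-REP enc-part, checks its nonce, and ends up with a session key and a TGT it cannot open. The realm name, principal and password are made up; the key derivation and the authenticated encryption are stand-ins for a real Kerberos enctype (SHA-256 counter-mode keystream plus HMAC-SHA256, encrypt-then-MAC), chosen so the example runs with the standard library only.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.TEST"  # assumed realm name for this example


def string_to_key(password: str, principal: str) -> bytes:
    """Derive a principal's long-term key from its password. Real Kerberos AES enctypes use
    PBKDF2 with salt = realm + principal (RFC 3962); SHA-256 and 4096 rounds are stand-ins."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096)


# Toy authenticated encryption standing in for a Kerberos enctype: SHA-256 keystream in
# counter mode, then HMAC-SHA256 over nonce||ciphertext (encrypt-then-MAC). Not for production.
def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or modified message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KDC:
    """The AS-REQ/AS-REP part of the KDC (step 4 in the figure)."""

    def __init__(self, principals: dict):
        # The KDC stores derived keys, never passwords (the principals dict is constructed input).
        self.keys = {name: string_to_key(pw, name) for name, pw in principals.items()}
        self.krbtgt_key = os.urandom(32)  # the secret that only the KDC knows

    def as_exchange(self, as_req: dict) -> dict:
        cname = as_req["cname"]
        if cname not in self.keys:  # "KDC validates user principal"
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        session_key = os.urandom(32)
        expiry = int(time.time()) + 10 * 3600
        # The TGT is sealed with the krbtgt key: the client carries it but cannot open it.
        tgt = encrypt(self.krbtgt_key, json.dumps(
            {"cname": cname, "session_key": session_key.hex(), "expiry": expiry}).encode())
        # The enc-part is sealed with the user's key: only someone who knows the password reads it.
        enc_part = encrypt(self.keys[cname], json.dumps(
            {"session_key": session_key.hex(), "nonce": as_req["nonce"], "expiry": expiry}).encode())
        return {"cname": cname, "tgt": tgt.hex(), "enc_part": enc_part.hex()}

    def open_tgt(self, tgt: bytes) -> dict:
        """Later TGS exchange: only the KDC can unseal the TGT it issued."""
        return json.loads(decrypt(self.krbtgt_key, tgt))


def client_login(kdc: KDC, cname: str, password: str):
    """Client side of the AS exchange. Returns (session_key, tgt), or None if the
    password is wrong. The password itself is never transmitted."""
    nonce = os.urandom(8).hex()
    as_rep = kdc.as_exchange({"cname": cname, "realm": REALM, "nonce": nonce})
    try:
        part = json.loads(decrypt(string_to_key(password, cname), bytes.fromhex(as_rep["enc_part"])))
    except ValueError:
        return None
    if part["nonce"] != nonce:  # the fresh nonce ties this reply to this request (anti-replay)
        return None
    return bytes.fromhex(part["session_key"]), bytes.fromhex(as_rep["tgt"])


def client_can_open_tgt(password: str, cname: str, tgt: bytes) -> bool:
    try:
        decrypt(string_to_key(password, cname), tgt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery"})
    session_key, tgt = client_login(kdc, "alice", "correct horse battery")
    print("session key matches KDC's copy:", kdc.open_tgt(tgt)["session_key"] == session_key.hex())
    print("wrong password gets credentials:", client_login(kdc, "alice", "wrong") is not None)
    print("client can read its own TGT:", client_can_open_tgt("correct horse battery", "alice", tgt))
```

Decrypting the enc-part successfully is what gives the client its half of the mutual authentication: only a KDC that holds the user's key could have produced it. One caveat the toy omits: real KDCs require pre-authentication (an encrypted timestamp in the AS-REQ) before issuing the AS-REP, because otherwise anyone can request the enc-part for any principal and crack the password offline, much like the NTLM response above.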
Spring Security Kerberos Extension:
- An extension project contributed by Mike Wiesner.
- Integrates well with Spring Security.
- Supports authentication for web applications, but is not extended for web services.