CAC Initiates Security Measures for Password Protection

by Jim Leous

On August 6, 2001, the Center for Academic Computing (CAC) will turn off telnet service to all interactive CAC UNIX systems. This action will begin a year-long process to eliminate all "clear text" passwords on our networks (See "Privacy Expert Advises Colleges to Bar 2 Popular Internet Tools", June 27, 2000, The Chronicle of Higher Education, http://chronicle.com/free/2000/06/2000062701t.htm). Clear text passwords are passwords which travel between the client computer and the server computer without any encryption over the network. The problem with such passwords is that malicious programmers (hereafter crackers) on the Internet have devised ways to eavesdrop on some networks and intercept these passwords. The trusting nature of early network computing makes these attacks possible today.

As more services come to rely on the Penn State Access Account userid and password for authentication (who you are) and authorization (what you can do after it is known who you are), it becomes increasingly important for you to safeguard them. It is also imperative that Computer and Information Systems (C&IS) and other campus IT organizations provide the means and tools for you to safeguard them. Armed with your Penn State Access Account userid and password, a cracker could effectively impersonate you, gaining access to those pieces of information which your Access Account userid specifically authorizes only you to have. In addition to telnet, File Transfer Protocol (FTP), e-mail pick-up, also known as the Post Office Protocol (POP), and USENET are sources of clear text passwords.

Fortunately, there are several ways for us to help you protect your Penn State Access Account userid and password. Implementing these measures requires us to discontinue some services which by their nature can not be fixed and add some replacement services (e.g. Kerberized telnet or encrypted POP) which have been designed to be more secure. There are many procedures which will make you less vulnerable to network sniffing, but most employ one of two methods, Kerberos or session data encryption (though some employ a combination of the two).

As a bit of background, data encryption or cryptography is the process of transforming a message (called plaintext) into another message (called ciphertext) using a mathematical formula and a special secret called a key [Garfinkel and Spafford]. The reverse process is called decryption. The simplest password mechanisms do not store your password itself: they run it through a known one-way formula (a hash) and keep only the result in a file or database. When you log in, the userid tells the server which stored value to retrieve; the server applies the same formula to the password you presented and compares the two results. Designers of these services have to make a decision: does the client transform the password before it is sent, or does the server do both the transformation and the match? In the past, many services have chosen the latter, which means that in the networked world the password travels across the network "in the clear" to the server. It is at this point that a userid/password pair is vulnerable to network eavesdropping. Note that simply hashing on the client side would not fix this either: the hash would then become the secret, and a cracker who captured it could replay it. What is needed is a protocol in which nothing that crosses the wire can be reused, which is what the two methods below provide.

The Kerberos system was developed at the Massachusetts Institute of Technology to solve the "password in the clear" problem and, optionally, to encrypt the entire message or session. The Penn State Access Account userid is in fact a Kerberos version 5 (K5) userid. Kerberos uses the concept of network services rather than network servers because a server can provide more than one service. Examples of services are file service, e-mail service, login service, and print service. In the Kerberos system, a user proves his identity to the Kerberos server, which grants him a ticket-granting ticket (TGT). The user then uses the TGT to get service tickets. It may be useful to think of a ticket as a key which grants you the right to use one service, just as a theater ticket provides access to a particular show but not to any other shows. Using the theater ticket analogy, the ticket-granting ticket could be a limited season pass which allows the theater patron to obtain tickets to any show during the season. In this scenario, the theater patron still needs to obtain the correct ticket for the correct show.

Kerberos solves the "password in the clear" problem in that a user passes only his userid to the Kerberos server, which holds a database of keys derived from each user's password (the server never needs the password itself). If that userid is valid for that Kerberos "realm," the Kerberos server returns a reply to the user's machine: a TGT, plus a session key, with the portion the client must read encrypted using the key derived from that userid's password. On the client machine, that portion can be decrypted only if the password is correct. Once it is decrypted, the user on the client machine has a TGT and a session key, valid for the length of a session, to encrypt other communications and requests for services. One caveat is worth knowing: because the Kerberos server will hand this reply to anyone who asks for a valid userid, a cracker can collect it and test password guesses against it offline. Kerberos 5 pre-authentication, in which the client must first prove it knows the password before the reply is issued, closes that hole, but a poorly chosen password remains guessable, so choose a good one. Modifying a program to use Kerberos rather than clear text passwords is called "Kerberizing" a program. "Kerberized" versions of telnet, POP, rlogin, and FTP can be used to replace non-secure versions of the same clients and servers. While this all sounds wonderful, Kerberos has its down side. To do the required decryption on the client machine, programs on the client machine must be modified (which is why so many services send passwords in the clear). The Fall 2001 CACPAC CD-ROM will include some "Kerberized" client programs with instructions on how to install them. In particular, Eudora has the ability to do Kerberized POP or KPOP. The CACPAC CD-ROM will provide instructions on how to set up Eudora for KPOP.
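The two exchanges described above, as an added example that is not part of the original article or of any Kerberos implementation: a telnet-style login and a Kerberos-style initial exchange are run in memory over a "wire" that records everything, the way a sniffer would. The cipher is a toy (an HMAC-SHA256 keystream with an HMAC tag) standing in for the real Kerberos encryption types, the key derivation is plain PBKDF2 rather than Kerberos string2key, and the realm, userid and password are made up.

```python
"""Constructed demo: what an eavesdropper sees for telnet vs. a Kerberos-style login."""
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

REALM = "EXAMPLE.EDU"                 # assumed realm name
USERS = {"abc123": "correct horse"}   # constructed sample account


def string2key(password: str, realm: str, userid: str) -> bytes:
    # Toy stand-in for Kerberos string2key: salt with realm and userid so the
    # same password yields different keys in different realms.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + userid).encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # nonce || ciphertext || tag; the tag lets the receiver detect a wrong key.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # wrong key or tampered message
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Wire:
    """Stand-in for the network: every message sent is also recorded, as a sniffer would."""
    def __init__(self):
        self.captured = []

    def send(self, sender: str, msg: bytes) -> bytes:
        self.captured.append((sender, msg))
        return msg


def sniffer_sees_password(wire: Wire, password: str) -> bool:
    return any(password.encode() in msg for _, msg in wire.captured)


# --- telnet-style login: userid and password cross the wire as typed ---
def telnet_login(wire: Wire, userid: str, password: str) -> bool:
    wire.send("client", f"{userid}\n".encode())
    wire.send("client", f"{password}\n".encode())
    ok = USERS.get(userid) == password
    wire.send("server", b"Login OK\n" if ok else b"Login incorrect\n")
    return ok


# --- Kerberos-style initial exchange: only the userid crosses the wire ---
KDC_DB = {u: string2key(p, REALM, u) for u, p in USERS.items()}  # KDC stores keys, not passwords
TGS_KEY = secrets.token_bytes(32)                                  # known only to the KDC


def kdc_as_reply(userid: str):
    """KDC side: build the TGT (readable only by the KDC) and the user-encrypted part."""
    if userid not in KDC_DB:
        return None
    session_key = secrets.token_bytes(32)
    tgt = encrypt(TGS_KEY, json.dumps({"user": userid, "sk": session_key.hex()}).encode())
    enc_part = encrypt(KDC_DB[userid], json.dumps({"sk": session_key.hex(), "realm": REALM}).encode())
    return tgt, enc_part


def kerberos_login(wire: Wire, userid: str, password: str):
    """Client side: request, then decrypt the reply with the password-derived key."""
    wire.send("client", json.dumps({"AS-REQ": userid, "realm": REALM}).encode())
    reply = kdc_as_reply(userid)
    if reply is None:
        return None
    tgt, enc_part = reply
    wire.send("kdc", tgt + enc_part)
    plain = decrypt(string2key(password, REALM, userid), enc_part)
    if plain is None:
        return None  # wrong password: the reply is unreadable, nothing to replay
    return {"tgt": tgt, "enc_part": enc_part, "session_key": bytes.fromhex(json.loads(plain)["sk"])}


def offline_guess(enc_part: bytes, userid: str, candidates) -> Optional[str]:
    """The pre-authentication caveat: with the captured reply, guesses can be tested offline."""
    for guess in candidates:
        if decrypt(string2key(guess, REALM, userid), enc_part) is not None:
            return guess
    return None
```

Run `telnet_login` and `kerberos_login` on the same account and inspect `wire.captured`: the telnet transcript contains the password verbatim, the Kerberos transcript contains only the userid and ciphertext, and a wrong password yields no usable reply. `offline_guess` shows why pre-authentication matters when passwords are weak.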

The second major tool for preventing passwords in the clear is session encryption. Anyone who has visited and used a secure Web site using HTTPS (the secure Hypertext Transfer Protocol) to buy something or give confidential information on-line has already used session encryption. Web site session encryption uses the Secure Sockets Layer (SSL) to encrypt all of the information between the Web server and Web browser. As information such as your password or credit card number is entered into a Web form, the browser encrypts this information before sending it to the server, where it is decrypted. Likewise, when the server returns information to your browser, this information is first encrypted on the server and decrypted on the browser. By using session encryption via SSL, all of your information, not just your password, is safe as it transits the network path between your browser and the server. One point is easy to overlook: SSL protects you only if the browser verifies the server's certificate, so if the browser warns that a certificate is invalid or does not match the site name, do not enter your password, because you may be talking to a cracker's machine rather than the real server.

Because of the success of SSL encryption for the Web, the use of SSL has migrated to other services. The Netscape mail client can use SSL connections to encrypt the transfer of e-mail from a mail server to the Netscape client. The SSL mail tunnel in this case serves the same function as KPOP does with Eudora, proving once again that on the Internet there is often more than one way to solve the same problem.

This finally leads us back to telnet and the CAC's decision to eliminate telnet sessions. In order to turn this protocol off, we need to provide you with a method for remotely connecting to CAC UNIX resources. The solution in this case is a tool called SSH, the secure shell. SSH employs session encryption to protect not only the userid/password exchange from network eavesdropping but the entire session between the user and the UNIX resource, end to end. Like Web browsers, there is more than one client that implements the SSH system. The CACPAC will include links to information for two of them, Teraterm SSH and SSH.com's SSH. We have secured the rights to redistribute both clients from the respective software development companies. Because each includes very strong encryption which is protected by United States export laws, we cannot put them directly on the CACPAC CD-ROM, but rather we need to direct you to a Web site (https://www.work.psu.edu/access/teraterm/ for Teraterm SSH and https://www.work.psu.edu/access/ssh/ for SSH.com's ssh) so you can answer some preliminary questions which satisfy this export law. After August 6, Windows and Macintosh users with accounts for CAC UNIX resources will need to obtain an SSH client to continue to connect remotely. Most Linux users will find that their distributions already come with the "ssh" login client. We currently support only the SSH version 1 client with Penn State Access Account userid accounts. In the near future, we plan to support both versions; protocol version 1 has known cryptographic weaknesses, so switch to a version 2 client once it is supported. Two habits make SSH much more effective. First, the first time you connect to a server, the client shows you that server's host key fingerprint and asks whether to accept it: compare it with a fingerprint you obtained from the CAC by some other route before answering yes, because that check is what prevents a cracker's machine from posing as ours and collecting your password. Second, if the client later warns that the host key has changed, stop and ask us before continuing. To find out more about using the SSH system to connect to the CAC UNIX Cluster, please see our on-line documentation at http://cac.psu.edu/internet/ssh/.

We anticipate that the fall newsletter will include a similar article about the elimination of the File Transfer Protocol (FTP). We will have similar on-line resources for tools and procedures to replace cleartext FTP clients.

If this article has piqued your interest in the area of computer security, please consider the following resources.

This book is excellent and may cause you to reexamine what you thought you knew about privacy, computer operating systems, and government processes: Secrets and Lies: Digital Security in a Networked World, 2000, Bruce Schneier, John Wiley & Sons; ISBN: 0471253111.

A good introduction to computer security which is a bit dated can be found in: Computer Security Basics, 1991, Deborah Russell, G. T. Gangemi, O'Reilly & Associates; ISBN: 0937175714.

Information Technology Professionals should consider this tome a must have: Practical Unix and Internet Security, 2nd edition, 1996, Simson Garfinkel, Gene Spafford, O'Reilly & Associates; ISBN: 1565921488.

An excellent recent book which includes both a history of cryptography and plain English explanations of the workings of cryptography in ways that non-mathematicians can easily understand is: The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, 2000, Simon Singh, Vintage Anchor Publishing; ISBN: 0385495323.

June 27, 2001

The Pennsylvania State University ©2001. All rights reserved.
Last revised: Wednesday, June 27, 2001.