14.5 Other Network Authentication Systems

There are a variety of other systems for providing authentication and encryption services over an unprotected network that are less widely used than those discussed in previous sections. We'll provide only brief summaries of DCE and SESAME here.

14.5.1 DCE

DCE is the Distributed Computing Environment distributed by the Open Group. DCE is an integrated computing environment that provides many services, including user authentication, remote procedure calls, distributed file sharing, and configuration management. DCE's authentication is very similar to Kerberos, and its file sharing is very similar to the Andrew File System.

DCE's security is based on a Security Server. The Security Server maintains an access control list for various operations and decides whether clients have the right to request operations.

DCE clients communicate with DCE servers using DCE Authenticated RPC. To use Authenticated RPC, each DCE principal (user or service) must have a secret key that is known only to itself and the Security Server.

A complete description of DCE can be found at http://www.opengroup.org/dce/. The version available appears to have last been updated several years ago.

14.5.2 SESAME

SESAME is the Secure European System for Applications in a Multivendor Environment. It is a single sign-on authentication system similar to Kerberos.

SESAME incorporates many features of Kerberos 5, but adds heterogeneity, access control features, scalability of public key systems, improved manageability, and an audit system.

The primary difference between SESAME and Kerberos is that SESAME uses public key cryptography, allowing it to avoid some of the operational difficulties that Kerberos experiences. SESAME was funded in part by the Commission of the European Union's RACE program. It appears to still be actively maintained, and there are versions available for RedHat Linux.

Information about SESAME can be found at http://www.cosic.esat.kuleuven.ac.be/sesame/.

    Part VI: Appendixes