
Method for use of Kerberos for User Authentication by Objects in 3D Internet/Virtual World (03-Sep-2008)

IP.com Prior Art Database Disclosure (Source: IPCOM)
Disclosure Number IPCOM000174245D dated 03-Sep-2008
Originally published in Prior Art Database
Disclosed by: IBM
Country: Undisclosed
Disclosure File: 2 pages / 30.5 KB / English (United States)

Disclosed is a method to use Kerberos* for authentication in a virtual world.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


In virtual worlds there are many privately held business islands where, typically, someone other than the island owner cannot create or install objects. A good example of this type of island is a virtual shopping mall. There are many business needs for which vendors want to install their proprietary objects on others' virtual business islands for mutual benefit. One of the biggest challenges in this kind of setup is for the object (placed on public islands or others' islands) to authenticate end users before allowing them to use its service. One popular mechanism for network-based authentication is Kerberos, but making virtual objects use Kerberos to authenticate end users raises the following challenges:

1. Configuring the virtual object with Kerberos client configuration is a major problem.
2. To make virtual objects (such as a virtual ATM) act as clients of a Kerberos realm, the objects need to be enhanced.
3. The Kerberos product's client module needs to be enhanced to suit the virtual world environment.

Disclosed below is a method that addresses all of the above issues and helps kerberize virtual objects so that they can authenticate end users with the Kerberos protocol:

Step 1: Link the enhanced Kerberos client component/libraries to the client browser/component of the virtual world.

Step 2: Make the following modifications to objects that export services and need to perform Kerberos authentication before those services can be used. This step can be referred to as kerberizing the object.
i) Add a new tab called 'Security' to the profile of an object/island. Inside this tab, add a new field called 'Authentication Type', which has 'Kerberos' as one of its value options. When the owner of the object/island selects 'Kerberos' as the authentication type for that object, provide a text box that allows the owner to enter the 'Kerberos Client Configuration Data'. The user enters the entire Kerberos client configuration information in this text box (as the user does in the /etc/krb5/krb5.conf file in the real world, on UNIX** machines using IBM*** NAS or MIT Kerberos). Save this information in the object.
ii) Associate an IP address with every object/island that needs to use Kerberos. To that end, the profile of an object/island will have a new tab called 'Network' with a field called 'IP Address', in which the owner enters a static IP address for the object/island.
iii) On successful login, the object stores the user's Kerberos ticket (credentials) in a new temporary secure space (associated with the object).
iv) The object is associated with a 'Log-off' action which, when executed, will clear the user's credentia...
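
A pre-save check for the 'Kerberos Client Configuration Data' text box of step 2(i), as an added example that is not part of the disclosure: it parses the pasted krb5.conf-style text and lists problems before the text is stored in the object. The function names, the sample realm and host, and the three checks (a default realm is set, that realm names an explicit KDC, `allow_weak_crypto` is off) are assumptions chosen for illustration.

```python
import re

# Constructed sample of owner-supplied text; realm and host names are made up.
SAMPLE = """\
[libdefaults]
    default_realm = MALL.EXAMPLE
    allow_weak_crypto = true
[realms]
    MALL.EXAMPLE = {
        kdc = kdc1.mall.example:88
    }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {(section, subsection or None, key): [values]}."""
    conf, section, sub = {}, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if not line or line[0] in "#;":                 # blank line or comment
            continue
        key, eq, value = (p.strip() for p in line.partition("="))
        if header and sub is None:
            section = header.group(1)
        elif line == "}" and sub is not None:           # closes e.g. a realm block
            sub = None
        elif section is None or header or not eq or not key:
            raise ValueError(f"line {n}: unexpected text {line!r}")
        elif value == "{" and sub is None:
            sub = key                                   # opens e.g. "MALL.EXAMPLE = {"
        else:
            conf.setdefault((section, sub, key), []).append(value)
    if sub is not None:
        raise ValueError(f"subsection {sub!r} is never closed")
    return conf

def validate(text):
    """Return problems that should block saving; raises ValueError on malformed text."""
    conf, problems = parse_krb5_conf(text), []
    defaults = conf.get(("libdefaults", None, "default_realm"), [])
    if not defaults:
        problems.append("no default_realm in [libdefaults]")
    for realm in defaults:
        if not conf.get(("realms", realm, "kdc")):
            problems.append(f"realm {realm} has no kdc entry")
    weak = conf.get(("libdefaults", None, "allow_weak_crypto"), [])
    if any(v.lower() in ("true", "yes", "y", "t", "1", "on") for v in weak):
        problems.append("allow_weak_crypto is enabled")
    return problems
```
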
