Port 56: XNS Authentication — The Ancestor of Kerberos

Port 56 is assigned to XNS Authentication (xns-auth), a protocol from the Xerox Network Systems suite developed at Xerox PARC in the late 1970s and early 1980s. The port is registered with IANA for both TCP and UDP¹, with Susie Armstrong listed as the contact. The protocol is long obsolete, but what it carried shaped the future of network security.

What XNS Authentication Did

XNS Authentication provided identity verification for devices and users within Xerox's proprietary network environment. The protocol had one rule that was ahead of its time: no passwords were ever transmitted on the network².

Instead, XNS Authentication used a challenge-response mechanism. When a client needed to prove its identity, it contacted an authentication service, received credentials, and then used those credentials to sign subsequent communications. Receivers could verify the signature without contacting the authentication service again for the length of the session.

The "Strong credentials" mode was based on the Needham-Schroeder symmetric key protocol³, published in 1978 by Roger Needham and Michael Schroeder, both at Xerox PARC. This protocol solved a fundamental problem: how do two parties on a network establish a shared secret key through an untrusted channel, using a trusted third party?

The Line from Port 56 to Kerberos

Here is the part that matters.

In 1988, MIT's Project Athena needed to protect network services across a campus. Steve Miller and Clifford Neuman built Kerberos, and they built it directly on the Needham-Schroeder protocol⁴, the same protocol that powered XNS Authentication on port 56.

Kerberos made two key changes. First, it used timestamps instead of extra message rounds to prevent replay attacks, reducing network chatter. Second, it introduced the Ticket Granting Ticket, allowing users to authenticate once and access multiple services without re-entering their password.

Today, Kerberos is the default authentication protocol for Windows Active Directory, used by hundreds of millions of machines. Every corporate login, every domain-joined workstation, every single sign-on session in a Windows environment traces its lineage back through Kerberos, through Needham-Schroeder, through the work done at Xerox PARC that ran on port 56.

The XNS Family of Ports

Port 56 was not alone. It belonged to a cluster of Xerox Network Systems ports, all assigned by Susie Armstrong¹:

These four ports represented a complete networked office system: time synchronization, directory services, authentication, and mail. Xerox PARC was building the future of networked computing in the late 1970s, and these port assignments are the fossils.

The Broader XNS Legacy

XNS itself was built on the even earlier PARC Universal Packet (PUP) protocol, designed by David Boggs, John Shoch, Edward Taft, and Robert Metcalfe around 1974⁵. Xerox placed the XNS specifications in the public domain in 1977, and the ideas spread everywhere.

3Com, founded by former PARC engineers, used XNS directly. Novell based its IPX/SPX protocols on XNS's design. The Routing Information Protocol (RIP), one of the earliest TCP/IP routing protocols, was inspired by the XNS routing protocol⁶. XNS became the canonical local area networking protocol of the 1980s.

There is an anecdote from the design meetings for TCP/IP: Vint Cerf and Bob Kahn had invited Xerox engineers to contribute. A Xerox lawyer told them they could not discuss PUP. So the Xerox attendees sat quietly, pointing out flaws in proposed ideas, until one Stanford researcher blurted out, "You guys have already done this, haven't you?"⁶

They had.

Current Status

Port 56 is not used in any modern production environment. XNS Authentication was designed for SPP (Sequenced Packet Protocol), the XNS transport layer, not TCP/IP. The IANA assignment for TCP and UDP exists as a historical artifact.

No modern software listens on port 56 by default. If you find something running on this port, it is not XNS Authentication. It is something custom, something unexpected, and worth investigating.

How to Check What Is Listening on Port 56

# Linux
sudo ss -tlnp | grep :56
sudo netstat -tlnp | grep :56

# macOS
sudo lsof -i :56

# Windows
netstat -ano | findstr :56

Security Considerations

Because port 56 has no modern service assigned to it, any traffic on this port is anomalous. In security monitoring, unexpected listeners on well-known ports with no active service are worth flagging. They may indicate unauthorized software, backdoors, or misconfigured applications.

The well-known port range (0 to 1023) requires elevated privileges to bind on Unix-like systems, which provides a small layer of protection against unprivileged processes opening listeners on port 56.