Kerberos White Paper

demonstrating possession of secret information. In this manner, Kerberos solves traditional problems
involved with authentication.
Historical Evolution of Kerberos
The name Kerberos comes from Greek mythology; Cerberus was the three-headed dog that guarded
the entrance to Hades. Kerberos is a network authentication protocol developed by MIT
(Massachusetts Institute of Technology) as part of Project Athena, which started in 1983 when MIT
decided to integrate network computers as part of its campus curriculum. The goals of Athena were
the integration of an SSO (Single Sign-on), networked file systems, a unified graphical environment,
and a naming convention service.
Kerberos has since evolved into a strategic security standard that provides secure authentication
services to users, applications, and network devices, which eliminates the threats caused by
passwords being stored or transmitted across the network. Additionally, Kerberos provides data
integrity to ensure messages are not tampered with on the network and message privacy (encryption)
to ensure messages are not visible to eavesdroppers on the network.
The Kerberos model is partly based on Needham and Schroeder's trusted third-party authentication
protocol. Versions one through three never reached outside MIT, but version 4 was (and still is) quite
popular, especially in the academic community. It is also used in commercial products like the AFS
filesystem.
Why Kerberos?
The problem statement discussed the problems associated with traditional authentication methods and,
in particular, how passwords are vulnerable because they travel unencrypted over the network.
Password-based authentication is also inconvenient; users do not want to enter a password each time
they access a network service.
Kerberos is designed to eliminate the need for users to demonstrate possession of private or secret
information (the password). Instead, Kerberos disseminates this information. The Kerberos server lets
entities authenticate themselves without transmitting their passwords in clear text over the network.
Commonly used to secure particularly vulnerable network communications like ftp, telnet, and other
widely used Internet protocols that normally transmit user IDs and passwords in clear text, Kerberos
provides the "plumbing" for common authentication services. Its scalability means that Kerberos is
ideal for large networks such as those used by governments, telecommunication networks, and major
financial institutions.
Kerberos Basics
Kerberos uses secret-key cryptography, which lets entities communicating over networks prove their
identity to each other while preventing eavesdropping or replay attacks. It also provides data stream
integrity (detection of modification) and secrecy (preventing unauthorized reading) using encryption
algorithms such as DES, 3DES, and AES.
Kerberos is based on the concept of a trusted third party that performs secure verification of users and
services. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC).
Kerberos is used to verify that users and the network services they use are really who and what they
claim to be. To accomplish this, a trusted Kerberos Server issues tickets to users. These tickets, which
have a limited lifespan, are stored in a user's credential cache and can be used in place of the
standard username-and-password authentication mechanism. The ticket can then be embedded in
virtually any other network protocol, thereby letting the processes that implement that protocol be
sure of the identity of the principals involved.
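As an added illustration (not code from the white paper), the following Python script models the trusted-third-party exchange described above: the KDC seals a limited-lifetime ticket under the service's long-term key and the session key under the client's key, the client presents the ticket with a timestamped authenticator, and the service rejects expired tickets and replayed authenticators. The function and principal names (kdc_issue, Service, alice, fs) and the HMAC-based toy cipher are assumptions standing in for the DES/3DES/AES encryption the paper names.

```python
import hashlib, hmac, json, os

def _xor(key, nonce, data):  # HMAC-SHA256 counter-mode stream: toy stand-in for DES/3DES/AES
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # encrypt-then-MAC: the secrecy plus integrity the paper describes
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered ticket or authenticator")
    return json.loads(_xor(key, nonce, ct))

def kdc_issue(keys, client, service, now, lifetime=300):
    """The KDC (trusted third party) knows every principal's long-term key."""
    session = os.urandom(32).hex()
    ticket = seal(keys[service], {"client": client, "session": session, "expires": now + lifetime})
    # Reply sealed under the client's own key: the password itself never crosses the wire.
    return seal(keys[client], {"session": session, "ticket": ticket.hex()})

def client_login(reply, client_key, client, now):
    r = unseal(client_key, reply)  # only a holder of the client's key can read the session key
    auth = seal(bytes.fromhex(r["session"]), {"client": client, "ts": now})  # authenticator
    return bytes.fromhex(r["ticket"]), auth  # presented together to the service

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()  # replay cache of authenticators already accepted
    def accept(self, ticket, auth, now, skew=300):
        t = unseal(self.key, ticket)  # only the service can open a ticket issued for it
        if now > t["expires"]:
            return "expired"
        a = unseal(bytes.fromhex(t["session"]), auth)
        if a["client"] != t["client"] or abs(now - a["ts"]) > skew:
            return "bad authenticator"
        if (a["client"], a["ts"]) in self.seen:
            return "replay"
        self.seen.add((a["client"], a["ts"]))
        return "ok:" + t["client"]

def demo():  # constructed principals; the client key is derived from a password, as in Kerberos
    keys = {"alice": hashlib.sha256(b"correct horse").digest(), "fs": os.urandom(32)}
    svc, now = Service(keys["fs"]), 1_000_000.0
    ticket, auth = client_login(kdc_issue(keys, "alice", "fs", now), keys["alice"], "alice", now + 1)
    return svc.accept(ticket, auth, now + 2), svc.accept(ticket, auth, now + 3), svc.accept(ticket, auth, now + 600)
```

demo() returns the outcomes of a fresh login, the same authenticator replayed, and a presentation after the ticket lifetime has elapsed.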