Kerberos (protocol)

Kerberos is a computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner. It is designed to resist eavesdropping and replay attacks, and it can also provide integrity and confidentiality protection for the data exchanged after authentication. It is designed primarily for a client-server model and provides mutual authentication: both the user and the service are assured of each other's identity.

Kerberos is based on symmetric-key cryptography and requires a trusted third party, the Key Distribution Center (KDC), which holds a copy of every principal's secret key.

Table of contents
1 History and development
2 Description
3 The protocol

History and development

Kerberos was developed at the Massachusetts Institute of Technology (MIT) to protect network services provided by Project Athena. There are several versions of the protocol; versions 1–3 were only used internally at MIT. Version 4 was published in the late 1980s, although it was targeted primarily at Project Athena. Version 5, published as RFC 1510 in 1993, was designed to overcome limitations and security problems of version 4. Version 4 of Kerberos was designed primarily by Steve Miller and Clifford Neuman. Version 5 was designed by John Kohl and Clifford Neuman. An implementation of Kerberos is freely available from MIT, under copyright permissions similar to those used for BSD.

For some time, Kerberos was classed as a munition under United States export regulations and could not be exported, because it used the DES encryption algorithm (with 56-bit keys). A non-US implementation (KTH-KRB, also known as eBones) was developed in Sweden at the Royal Institute of Technology, which made the system available outside the US before the US export regulations were relaxed around 2000.

Kerberos is the default authentication method for domain logons in Windows 2000 and Windows XP.

Kerberos 5 is specified in RFC 1510. The IETF Kerberos working group was (as of 2004) standardizing an updated version [1]; that revision was later published as RFC 4120 in 2005 and obsoletes RFC 1510.

Description

Kerberos is based on the Needham-Schroeder protocol. Kerberos makes use of a trusted third party, termed a Key Distribution Center (KDC), which consists of two logically separate parts: an Authentication Server (AS), which verifies the user and issues a ticket-granting ticket (TGT), and a Ticket Granting Server (TGS), which exchanges a valid TGT for tickets to individual services. Kerberos works on the basis of these "tickets", which are used to prove the identity of users to services without sending the user's password over the network.

Kerberos maintains a database of secret keys; each entity on the network, whether a client or a server, shares a secret key known only to itself and the KDC (for a user this key is derived from the user's password). Knowledge of this key can be used to prove its identity. For communication between two entities, Kerberos generates a fresh session key, delivered to both parties inside encrypted messages, which can be used to secure their interactions.

The protocol

The protocol can be specified as follows in security protocol notation, where Alice (A) is authenticating herself to Bob (B) using a server S:

The security of the protocol relies heavily on timestamps being reliable indicators of the freshness of a communication (see the BAN logic): each authenticator carries the client's current time, a server rejects authenticators outside a small clock-skew window (typically five minutes), and it keeps a replay cache of authenticators seen within that window so that a captured message cannot be resubmitted. This means that the clocks of all participants must be loosely synchronized, and that a party that can control another party's clock can weaken the replay protection.
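The three exchanges described in the Description and Protocol sections above, as an added example in Python that is not part of the original article or of MIT's implementation: an Authentication Server that issues a ticket-granting ticket, a Ticket Granting Server that turns a TGT plus a fresh authenticator into a service ticket, and an application service that checks the authenticator timestamp against its own clock, keeps a replay cache, and answers with an AP_REP so the client can confirm the service's identity. The cipher, the principal names ("alice", "krbtgt", "fileserver"), the keys, the lifetimes and the clock values are all constructed stand-ins for this example; real Kerberos messages are ASN.1 DER structures protected with the enctypes of RFC 3961, not JSON under a SHA-256 keystream.

```python
# Added example, not code from the page: a toy model of the Kerberos V5 AS, TGS
# and AP exchanges. The cipher is a stand-in built from the standard library
# (SHA-256 keystream + HMAC-SHA256 tag); real Kerberos uses RFC 3961 enctypes.
import hashlib
import hmac
import json
import os

SKEW = 300             # accepted clock skew in seconds (the usual 5-minute default)
LIFETIME = 8 * 3600    # ticket lifetime in seconds (constructed)
NOW = 1_700_000_000.0  # constructed clock value for the stand-alone run


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Authenticated encryption of a JSON message under a symmetric key (toy)."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the message was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check(ticket: dict, auth: dict, now: float) -> None:
    """Freshness rules applied by the TGS and by every application service."""
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator principal does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator timestamp outside the clock-skew window")
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) over one key database."""
    def __init__(self, keys: dict):
        self.keys = keys  # principal -> long-term key; "krbtgt" is the TGS's own key

    def as_exchange(self, client: str, now: float):
        """AS_REP: a TGT sealed under the TGS key, plus the session key sealed under the client key."""
        sk = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": now + LIFETIME})
        return encrypt(self.keys[client], {"key": sk.hex(), "service": "krbtgt"}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS_REP: a valid TGT plus a fresh authenticator buys a ticket for 'service'."""
        t = decrypt(self.keys["krbtgt"], tgt)
        _check(t, decrypt(bytes.fromhex(t["key"]), authenticator), now)
        sk = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": sk.hex(), "expires": now + LIFETIME})
        return encrypt(bytes.fromhex(t["key"]), {"key": sk.hex(), "service": service}), ticket


class Service:
    """An application server: verifies AP_REQ, keeps a replay cache, answers with AP_REP."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> bytes:
        t = decrypt(self.key, ticket)
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)
        _check(t, auth, now)
        if (auth["client"], auth["ts"]) in self.seen:  # same authenticator seen inside the skew window
            raise PermissionError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        # Mutual authentication: echo the client's timestamp under the session key, which
        # only a holder of the service's long-term key could have extracted from the ticket.
        return encrypt(bytes.fromhex(t["key"]), {"ts": auth["ts"]})


def login_and_access(kdc: KDC, svc: Service, client: str, client_key: bytes, now: float) -> bool:
    """Client side of all three exchanges; True when the service proves it holds the session key."""
    enc, tgt = kdc.as_exchange(client, now)
    k_tgs = bytes.fromhex(decrypt(client_key, enc)["key"])  # a wrong password-derived key fails here
    enc, ticket = kdc.tgs_exchange(tgt, encrypt(k_tgs, {"client": client, "ts": now}), svc.name, now)
    k_svc = bytes.fromhex(decrypt(k_tgs, enc)["key"])
    ap_rep = svc.ap_exchange(ticket, encrypt(k_svc, {"client": client, "ts": now}), now)
    return decrypt(k_svc, ap_rep)["ts"] == now


if __name__ == "__main__":
    keys = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, fs = KDC(keys), Service("fileserver", keys["fileserver"])
    print("mutual authentication:", login_and_access(kdc, fs, "alice", keys["alice"], NOW))
```

Running `login_and_access` a second time with the same clock value reproduces the replay case: the KDC happily issues fresh tickets, but the file server sees an authenticator it has already accepted and refuses it. Feeding the TGS an authenticator whose timestamp is outside SKEW, or opening the AS reply with the wrong client key, fails in the same way a real KDC or client library would report a pre-authentication or clock-skew error. The toy replay cache never expires its entries; a real implementation only needs to remember authenticators for the skew window, since older ones are rejected by the timestamp check alone.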

