(Page 1 of 2)
Kerberos51 (defined in RFC 151052) is an authentication mechanism often used on larger networks, particularly those on which contain UNIX machines. The idea behind Kerberos is to provide authentication and authorization services in an environment where authentication requests originate from machines that are not trustworthy, and travel across a network that is not trustworthy. Kerberos was designed to provide authentication that is secure over a network whose traffic might be intercepted at any time, reliable, transparent to the user (for example, it shouldnt get in someones way by repeatedly requesting a users password) and scalable for use in environments with many hosts. An interesting explanation in the form of a narrative play can be found in this footnote53.
It was developed in the mid-1980s by MIT as part of its Project Athena, and a free implementation of the latest version of the protocol is available from MIT, pleasing those who dont want to trust any cryptosystem without inspecting the programs source code. Later versions of Windows NT (Windows 2000 and beyond) use an authentication mechanism based on Kerberos, so youre probably using it, even if youre not aware of it54. For more of the nitty-gritty technical details of the Microsoft Windows 2000 Kerberos implementation, see Secure Networking with Windows 2000 and Trust Services55 by Feghhi and Feghhi. To learn more about interoperability between the MIT Kerberos implementation and Windows 2000, check out a list of tips compiled from the experiences of various US universities, as noted in the footnote56.
Similar to Windows, the architecture of Kerberos allows for multiple administrative domains, so that different organizations and organizational units can control their own user accounts. In the Kerberos world, these administrative domains are called realms. As in the Windows world, it is possible for users to authenticate in one realm and then use services in another, if that remote realm trusts the original realm in which the user authenticated.
54. Todd, Chad and Norris L. Johnson, Hack Proofing Windows 2000 Server, Syngress, November, 2001, http://www.nerdbooks.com/item.html?id=1931836493
55. Feghhi, Jalal and Jalil Feghhi, Secure Networking with Windows 2000 and Trust Services, Addison-Wesley, February, 2001, http://www.nerdbooks.com/item.html?id=0201657783
56. Windows 2000-MIT Kerberos Interop Trip-ups Draft, http://ldap-project.berkeley.edu/calnet-ad/ad-test/kerb_interop_trip-ups.html
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.