
1.2.1  Kerberos
(Page 1 of 2)

Kerberos [51] (defined in RFC 1510 [52]) is an authentication mechanism often used on larger networks, particularly those that contain UNIX machines. The idea behind Kerberos is to provide authentication and authorization services in an environment where authentication requests originate from machines that are not trustworthy and travel across a network that is not trustworthy. Kerberos was designed to provide authentication that is secure over a network whose traffic might be intercepted at any time, reliable, transparent to the user (for example, it shouldn’t get in someone’s way by repeatedly requesting a user’s password) and scalable for use in environments with many hosts. An interesting explanation in the form of a narrative play can be found in footnote [53].

It was developed in the mid-1980s by MIT as part of its Project Athena, and a free implementation of the latest version of the protocol is available from MIT, pleasing those who don’t want to trust any cryptosystem without inspecting the program’s source code. Later versions of Windows NT (Windows 2000 and beyond) use an authentication mechanism based on Kerberos, so you’re probably using it, even if you’re not aware of it [54]. For more of the nitty-gritty technical details of the Microsoft Windows 2000 Kerberos implementation, see Secure Networking with Windows 2000 and Trust Services [55] by Feghhi and Feghhi. To learn more about interoperability between the MIT Kerberos implementation and Windows 2000, check out a list of tips compiled from the experiences of various US universities, as noted in footnote [56].

Similar to Windows, the architecture of Kerberos allows for multiple administrative domains, so that different organizations and organizational units can control their own user accounts. In the Kerberos world, these administrative domains are called “realms.” As in the Windows world, it is possible for users to authenticate in one realm and then use services in another, if that remote realm trusts the original realm in which the user authenticated.

Kerberos

Kerberos uses symmetric (secret-key) encryption, but it never sends the user’s password across the network, in either encrypted or unencrypted form. Instead, the key is used to encrypt the information exchanged between the client and server.
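As an added illustration (not from the CertiGuide text, and not MIT’s Kerberos code), the following Python sketch walks through the idea just described: the client turns its password into a key locally, the KDC’s reply can only be opened with that key, and a ticket plus a timestamped authenticator then prove the user’s identity to the ticket-granting service. The cipher is a toy stand-in for a real Kerberos encryption type, and the principal names, passwords and lifetimes are constructed for the example.

```python
import hashlib, hmac, json, os, time

def key_from_password(password: str, principal: str) -> bytes:
    """Long-term key derived locally from the password; the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption (stand-in for a Kerberos enctype): nonce || ciphertext || tag."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Holds each principal's long-term key plus its own ticket-granting-service key."""
    def __init__(self, users: dict):
        self.keys = {p: key_from_password(pw, p) for p, pw in users.items()}
        self.tgs_key = os.urandom(32)

    def as_exchange(self, principal: str):
        """AS-REQ/AS-REP: the reply is useless to anyone who lacks the user's key."""
        session = os.urandom(32).hex()
        ticket = seal(self.tgs_key, {"cname": principal, "key": session, "exp": time.time() + 600})
        return seal(self.keys[principal], {"key": session}), ticket

    def tgs_verify(self, ticket: bytes, authenticator: bytes) -> str:
        """TGS side: open the ticket with its own key, then the authenticator with the session key."""
        t = unseal(self.tgs_key, ticket)
        if time.time() > t["exp"]:
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["cname"] != t["cname"] or abs(time.time() - a["ts"]) > 300:
            raise ValueError("authenticator mismatch or stale timestamp")
        return t["cname"]

def login(kdc: KDC, principal: str, password: str) -> str:
    """Client side: only the locally derived key, never the password, is used on the wire."""
    enc_part, ticket = kdc.as_exchange(principal)
    session = bytes.fromhex(unseal(key_from_password(password, principal), enc_part)["key"])
    authenticator = seal(session, {"cname": principal, "ts": time.time()})
    return kdc.tgs_verify(ticket, authenticator)
```

A wrong password yields a wrong key, so the client cannot open the AS reply and the exchange fails before any authenticator is built.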



 __________________

51. http://www.faqs.org/faqs/kerberos-faq/user/

52. http://www.ietf.org/rfc/rfc1510.txt

53. http://web.mit.edu/kerberos/www/dialogue.html#personae

54. Todd, Chad and Norris L. Johnson, Hack Proofing Windows 2000 Server, Syngress, November, 2001, http://www.nerdbooks.com/item.html?id=1931836493

55. Feghhi, Jalal and Jalil Feghhi, Secure Networking with Windows 2000 and Trust Services, Addison-Wesley, February, 2001, http://www.nerdbooks.com/item.html?id=0201657783

56. “Windows 2000-MIT Kerberos Interop Trip-ups Draft,” http://ldap-project.berkeley.edu/calnet-ad/ad-test/kerb_interop_trip-ups.html


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.