Kerberos

What is Kerberos (a quick description)?

Originally developed at MIT, Kerberos is an authentication service.  An authentication service is merely a way of assuring that a user is who they claim to be.  Kerberos accomplishes this by using a ticket system, which will be described later.  Kerberos also provides encryption for its services, in hopes of allowing the authentication process to be less vulnerable to attacks over a network.  The default cryptography algorithm for Kerberos V4 is DES (Data Encryption Standard), which has been shown to be crackable.  Although the standard still requires DES to be available in Kerberos, it will soon require the use or triple-DES (168 bit).  Kerberos V5 is more modular and allows you to switch algorithms easier than V4.  Cryptography is considered a munition by the US government and is therefore not allowed to be exported.  The overseas versions of Kerberos, exported without the cryptology algorithm, is referred to as bone or e-bones.  Kerberos is a standard within the Internet Engineering Task Force.  

How Kerberos works:

If a user intends to access a ftp service on a Kerberos enabled machine, he must first initialize himself with the KDC.  Upon initialization, the user is granted a ticket granting ticket (TGT). The ftp service must also initialize itself with the KDC.  Once the user and the ftp service have been issued TGT's, the user can proceed with an attempt to access the ftp service.

The next step requires the user to inform the KDC that he wants to access the ftp service on a certain machine.  The KDC then creates two copies a session key.  This key will only be used by the user and the ftp service for direct communication between one another.  Both copies of the session key are sent to the user.  However, one key is encrypted from the user's TGT, the other is encrypted from the ftp services' TGT.  When the user receives both copies of the session key, he is only able to decrypt the copy encrypted form his own TGT.  The user then encrypts a timestamp from his local machine using the session key granted by the KDC.  This encrypted timestamp and the second copy of the encrypted session key are then sent by the user to the ftp service.  

The ftp service first decrypts the second copy of the session key using its TGT.  It then uses the session key to decrypt the users timestamp.  If the timestamp is within a given window, the ftp service continues the session with the user.  The session can be encrypted using the session key.  If the timestamp falls outside of the allotted window, the ftp service kills the session.

The Kerberos Pages (the really important ones)

• Kerberos: The Network Authentication Protocol -- This is the MIT webpage for Kerberos

• The Moron's Guide to Kerberos, Version 1.2.2 -- This is one of the most referenced web sites on Kerberos, the author of this web site, Brian Tung, also wrote the Kerberos book.  Kerberos: A Network Authentication System

• RFC 1510 from the Internet Engineering Task Force -- The Kerberos Network Authentication Service (V5)

• The Kerberos Network Authentication Service -- The Information Sciences Institute at USC

• Kerberos: An Authentication Service for Computer Networks -- IEEE Communications Magazine, 1994

• Kerberos Papers and Documentation Page at MIT

• How to Kerberize Your Site -- Oak Ridge National Laboratory

• Kerberos V5 UNIX User's Guide

• NCSA Kerberos Information

General Kerberos Pages

• Release Announcement for Kerberos 5 Release 1.1.1

• Kerberos Reference Page

• Kerberos References

• Kerberos Mailing Lists

• Kerberos Information and Help

• Kerberos man page

• Kerberos Tutorial

• Whatis.com's Definition of Kerberos

• Webopedia's Definition of Kerberos

• Kerberos Definition from the Distributed Computing Analysis and Support page at UC-Davis

• RSA Laboratories Definition of Kerberos

• What Is Kerberos from Indiana University Knowledge Base

• Naval Research Laboratory Kerberos FAQ

• Kerberos at Sunsite

• Kerberos

• Kerberos in the FreeBSD Handbook

• An e-bones site

• Kerberos Subprotocols

Kerberos Articles

• Kerberos/DCE, the Secure Shell, and Practical Internet Security by Wayne Schroeder, San Diego SuperComputer Center

• Kerberos: A Secure Passport -- UnixReview.com

• How the Kerberos Protocol Works -- Byte

• Security Through Obscurity -- Wide Open News

Microsoft's Kerberos Pages (Kerberos is used in Windows 2000)

• About Mutual Authentication Using Kerberos

• Windows 2000 Security Services Features

• Windows 2000 Kerberos Authentication

• Windows 2000 Kerberos Authentication

• Support WebCast: Introduction to Kerberos

• SSPI/Kerberos Interoperability with GSSAPI

• Security Services

• Security: Technical Information

• Windows 2000 Kerberos Interoperability

• Introduction to Windows 2000 Security Services

Kerberos Use in Windows 2000

The following are links to articles that talk about Kerberos in Windows 2000

• Kerberos Made to Heel To Windows 2000 -- ZDNet: Inter@ctive Week

• Kerberos is on Guard in Windows NT 5.0 -- Windows 2000 Magazine Online

• Kerberos in Win2K -- Windows 2000 Magazine Online

• Kerberos Authentication -- Web Developer Journal at developer.com

• Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility -- MSDN Magazine

• Exploring Kerberos, the Protocol for Distributed Security in Windows 2000 -- Microsoft Systems Journal

• Kerberos: Authentication in Windows 2000 -- Windows TechEdge

• Kerberos Cryptography Secures NT 5 Communications -- Network World Fusion

• Microsoft and CyberSafe Extend Windows 2000 Security Across the Enterprise  -- Microsoft PressPass

Kerberos Use in Solaris (Sun's white papers)

• The Solaris 8 Operating Environment and Microsoft Windows 2000 -- Race for Control of Web Infrastructure

• Sun Solaris Security

• Secure Enterprise Computing with the Solaris 8 Operating Environment

• Security in the Solaris Operating Environment

• CyberSafe Challenger from Cybersafe Corporation

Kerberos Use in Macintosh

• State of Macintosh Kerberos Authentication

• Apple to Include MIT's Kerberos in New Mac OS

• Kerberos on the Macintosh

• Macintosh Development at MIT

• MIT to Bring Kerberos Network Security to Apple's Mac OS X

Kerberos At Cisco (In Cisco's IOS)

• Troubleshooting/Configuring Kerberos V5 Client Support

• Authentication Documentation

• Configuring Kerberos

• Kerberos White Paper Part I -- Kerberos: An Authentication Service for Open Network Systems

• Kerberos Commands

Kerberos At SAP

• Secure Network Communications and Secure Store & Forward Mechanisms with the SAP R/3 System

Kerberos and Web Servers

• Apache Kerberos

• HTTPd with Kerberos Support

Kerberos On Campus

• Kerberos at Stanford

• Kerberos at University of Wisconsin-Madison

• Kerberos at Cornell

• Kerberos at UC-Davis

• Kerberos at Berkeley

• Kerberos at SIU-C

• Kerberos at MIT

Proposed New Technologies to Kerberos

Public Key Cryptology

• Distributed Authentication in Kerberos Using Public Key Cryptography by Marvin A. Sirbu and John Chung-I Chuang

• Public-Key Based Ticket Granting Service in Kerberos -- Internet Draft by M. Sirbu and J. Chuang

• Crypto-Log -- A general Cryptology Site (Contains Information on all types of Cryptology including public-key and the DES algorithm that Kerberos uses)

• Webopedia definition of Public-Key Cryptology

PC Cards and Smart Cards

• PCMCIA -- The Worldwide Organization for Modular Peripherals
• PC Card Standard
• PCMCIA Current Topics
• SkyLINE Wireless PC Card
• Smart Cards: Readings and Resources