Kerberos
What is Kerberos (a quick description)?
Originally developed at MIT, Kerberos is an authentication service. An authentication service is simply a way of assuring that a user is who they claim to be. Kerberos accomplishes this with a ticket system, described below. Kerberos also encrypts its protocol messages so that the authentication exchange is less vulnerable to attacks over a network. The default cryptographic algorithm in Kerberos V4 is DES (Data Encryption Standard), which has been shown to be crackable by brute force. Although the standard still requires DES to be available in Kerberos, it will soon require support for triple-DES (168-bit key). Kerberos V5 is more modular than V4 and makes switching algorithms easier. Cryptography is classified as a munition by the US government and therefore may not be exported; the version of Kerberos distributed overseas with the encryption code stripped out is known as Bones, and the version with encryption re-implemented outside the US as eBones. Kerberos is a standard of the Internet Engineering Task Force (IETF).
How Kerberos works:
If a user intends to access an FTP service on a Kerberos-enabled machine, he must first authenticate to the Key Distribution Center (KDC), typically by running kinit. The KDC returns a ticket-granting ticket (TGT). The FTP service does not obtain a TGT of its own; instead it shares a long-term secret key with the KDC (stored on the server in a keytab), and that key is what lets it read tickets issued for it. Once the user holds a TGT, he can proceed with an attempt to access the FTP service.
The next step requires the user to ask the KDC (specifically its ticket-granting service) for a ticket to the FTP service on a particular machine, presenting his TGT. The KDC then generates a fresh session key, which will be used only by the user and the FTP service for direct communication with one another, and sends it back in two forms. One copy is encrypted with the key the user shares with the KDC (the session key that came with the TGT), so only the user can read it; the other is placed inside a service ticket encrypted with the FTP service's long-term key, which the user cannot read. The user decrypts his own copy and then builds an authenticator: a timestamp from his local clock, encrypted with the new session key. The authenticator and the service ticket are sent together to the FTP service.
The FTP service first decrypts the service ticket with its own long-term key and extracts the session key. It then uses the session key to decrypt the authenticator. If the timestamp is within the allowed clock-skew window (five minutes by default) and has not been seen before (a replay cache records recently accepted authenticators), the FTP service accepts the user and continues the session; the session can then be encrypted under the session key, and the service can optionally prove its own identity to the user by returning the timestamp encrypted under the same key. If the timestamp falls outside the window, or the ticket cannot be decrypted with the service's key, the FTP service rejects the request.
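The three exchanges described above (AS, TGS and AP), as an added example that is not code from the original page or from MIT Kerberos. It assumes a single realm with two constructed principals, a user "alice" (password-derived key) and a service "ftp/host" (keytab key), and stands in for the real encryption types with a toy HMAC-SHA256 based authenticated encryption so that it runs with only the Python standard library. It also shows the checks the service performs: ticket opened with its own key, authenticator timestamp inside the clock-skew window, and a replay cache.

```python
"""Simplified Kerberos V5 exchange (AS, TGS and AP phases) with the
timestamp window and a replay cache. Constructed example; not MIT code."""
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300        # seconds; acceptance window for an authenticator
TICKET_LIFE = 8 * 3600  # seconds; ticket lifetime

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag). A stand-in
# for the real enctypes (DES-CBC-CRC, 3DES, AES); not for production use.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(_sub(key, b"enc"), nonce + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the MAC, then decrypt; raises ValueError for a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(session_key, client, ctime=None):
    """The client proves it holds the session key by encrypting a fresh timestamp."""
    return seal(session_key, {"client": client,
                              "ctime": time.time() if ctime is None else ctime})

class KDC:
    """Holds every principal's long-term key (password-derived for users, keytab for services)."""
    def __init__(self, principals):
        self.keys = dict(principals)
        self.tgs_key = os.urandom(32)   # key of krbtgt/REALM, known only to the KDC

    def _issue(self, client, enc_key):
        sk = os.urandom(32)
        ticket = seal(enc_key, {"client": client, "key": sk.hex(),
                                "expires": time.time() + TICKET_LIFE})
        return sk, ticket

    def as_exchange(self, client):
        """AS-REQ/AS-REP: client<->TGS session key, sent under the client's key and inside the TGT."""
        sk, tgt = self._issue(client, self.tgs_key)
        return seal(self.keys[client], {"key": sk.hex()}), tgt

    def tgs_exchange(self, tgt, auth, service):
        """TGS-REQ/TGS-REP: a TGT plus a valid authenticator buys a service ticket."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), auth)
        if a["client"] != t["client"] or abs(time.time() - a["ctime"]) > CLOCK_SKEW:
            raise PermissionError("bad authenticator for TGT")
        sk, ticket = self._issue(t["client"], self.keys[service])
        return seal(bytes.fromhex(t["key"]), {"key": sk.hex(), "service": service}), ticket

class Service:
    def __init__(self, key):
        self.key = key                  # long-term key from the keytab
        self.replay_cache = set()       # (client, ctime) pairs already accepted

    def ap_exchange(self, ticket, auth):
        """AP-REQ: open the ticket with our own key, then check the authenticator."""
        t = unseal(self.key, ticket)    # fails if the ticket was issued for another service
        if time.time() > t["expires"]:
            raise PermissionError("ticket expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, auth)            # only a holder of the session key can produce this
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(time.time() - a["ctime"]) > CLOCK_SKEW:
            raise PermissionError("authenticator outside the clock-skew window")
        if (a["client"], a["ctime"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((a["client"], a["ctime"]))
        return sk                       # now shared with the client for the session

def demo():
    """kinit -> service ticket -> FTP access, plus three rejected attempts."""
    kdc = KDC({"alice": hashlib.sha256(b"alice-password").digest(),   # constructed password
               "ftp/host": os.urandom(32)})
    ftp = Service(kdc.keys["ftp/host"])
    enc, tgt = kdc.as_exchange("alice")                    # 1. AS: alice's key opens her half
    tgs_sk = bytes.fromhex(unseal(kdc.keys["alice"], enc)["key"])
    enc2, ticket = kdc.tgs_exchange(tgt, authenticator(tgs_sk, "alice"), "ftp/host")  # 2. TGS
    svc_sk = bytes.fromhex(unseal(tgs_sk, enc2)["key"])
    auth = authenticator(svc_sk, "alice")
    out = {"accepted": ftp.ap_exchange(ticket, auth) == svc_sk}   # 3. AP
    attempts = {"replay": (ticket, auth),
                "stale": (ticket, authenticator(svc_sk, "alice", time.time() - 2 * CLOCK_SKEW)),
                "other_service": (tgt, authenticator(svc_sk, "alice"))}
    for name, args in attempts.items():
        try:
            ftp.ap_exchange(*args)
            out[name] = "accepted"
        except (PermissionError, ValueError):
            out[name] = "rejected"
    return out
```

Running demo() reports the legitimate access as accepted and the replayed, stale, and wrong-service attempts as rejected. Note that the FTP service never talks to the KDC during the AP exchange: the service's long-term key alone is enough to validate the ticket, which is why protecting the keytab matters as much as protecting a password.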
The Kerberos Pages (the really important ones)
Kerberos: The Network Authentication Protocol -- This is the MIT webpage for Kerberos
The Moron's Guide to Kerberos, Version 1.2.2 -- This is one of the most referenced web sites on Kerberos; its author, Brian Tung, also wrote the book Kerberos: A Network Authentication System.
RFC 1510 from the Internet Engineering Task Force -- The Kerberos Network Authentication Service (V5)
The Kerberos Network Authentication Service -- The Information Sciences Institute at USC
Kerberos: An Authentication Service for Computer Networks -- IEEE Communications Magazine, 1994
How to Kerberize Your Site -- Oak Ridge National Laboratory
General Kerberos Pages
Kerberos Articles
Kerberos/DCE, the Secure Shell, and Practical Internet Security by Wayne Schroeder, San Diego SuperComputer Center
Kerberos: A Secure Passport -- UnixReview.com
How the Kerberos Protocol Works -- Byte
Security Through Obscurity -- Wide Open News
Microsoft's Kerberos Pages (Kerberos is used in Windows 2000)
Kerberos Use in Windows 2000
The following are links to articles that talk about Kerberos in Windows 2000
Kerberos Made to Heel To Windows 2000 -- ZDNet: Inter@ctive Week
Kerberos is on Guard in Windows NT 5.0 -- Windows 2000 Magazine Online
Kerberos in Win2K -- Windows 2000 Magazine Online
Kerberos Authentication -- Web Developer Journal at developer.com
Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility -- MSDN Magazine
Exploring Kerberos, the Protocol for Distributed Security in Windows 2000 -- Microsoft Systems Journal
Kerberos: Authentication in Windows 2000 -- Windows TechEdge
Kerberos Cryptography Secures NT 5 Communications -- Network World Fusion
Microsoft and CyberSafe Extend Windows 2000 Security Across the Enterprise -- Microsoft PressPass
Kerberos Use in Solaris (Sun's white papers)
Kerberos Use in Macintosh
Kerberos At Cisco (In Cisco's IOS)
Kerberos White Paper Part I -- Kerberos: An Authentication Service for Open Network Systems
Kerberos At SAP
Kerberos and Web Servers
Kerberos On Campus
Proposed New Technologies to Kerberos
Public Key Cryptography
Distributed Authentication in Kerberos Using Public Key Cryptography by Marvin A. Sirbu and John Chung-I Chuang
Public-Key Based Ticket Granting Service in Kerberos -- Internet Draft by M. Sirbu and J. Chuang
Crypto-Log -- A general cryptography site (contains information on all types of cryptography, including public-key systems and the DES algorithm that Kerberos uses)
PC Cards and Smart Cards