Kerberos (Protocol) : Kerberos Is A Computer Network Authentication Protocol Which Allows Individuals
Kerberos builds on symmetric key cryptography and requires a trusted third party.
Steve Miller and Clifford Neuman, the primary designers of Kerberos version 4,
published that version in the late 1980s, although they had targeted it primarily for
Project Athena.
Version 5, designed by John Kohl and Clifford Neuman, appeared as RFC 1510 in 1993
(obsoleted by RFC 4120 in 2005), with the intention of overcoming the limitations and
security problems of version 4.
Authorities in the United States classed Kerberos as a munition and banned its export
because it used the DES encryption algorithm (with 56-bit keys). A non-US Kerberos 4
implementation, KTH-KRB developed in Sweden, made the system available outside the
US before the US changed its cryptography export regulations (circa 2000). The Swedish
implementation was based on a version called eBones. eBones was based on the exported
MIT Bones release (stripped of both the encryption functions and the calls to them), itself based
on Kerberos version 4 patch-level 9. Australian Eric Young, the author of several
cryptography libraries, put back the function calls and used his libdes encryption library.
This somewhat limited Kerberos was called the eBones release. A Kerberos version 5
implementation, Heimdal, was released by essentially the same group that released
KTH-KRB.
Windows 2000, Windows XP and Windows Server 2003 use a variant of Kerberos as
their default authentication method. Some Microsoft additions to the Kerberos suite of
protocols are documented in RFC 3244 "Microsoft Windows 2000 Kerberos Change
Password and Set Password Protocols". Apple's Mac OS X also uses Kerberos in both its
client and server versions.
As of 2005, the IETF Kerberos working group is updating the specifications. Recent updates
include:
Description
Kerberos uses as its basis the Needham-Schroeder protocol. It makes use of a trusted
third party, termed a Key Distribution Center (KDC), which consists of two logically
separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS).
Kerberos works on the basis of "tickets" which serve to prove the identity of users.
Kerberos maintains a database of secret keys; each entity on the network — whether a
client or a server — shares a secret key known only to itself and to Kerberos. Knowledge
of this key serves to prove an entity's identity. For communication between two entities,
Kerberos generates a session key which they can use to secure their interactions.
Uses
The protocol
One can specify the protocol as follows in security protocol notation, where Alice (A)
authenticates herself to Bob (B) using a server S:
We see here that the security of the protocol relies heavily on timestamps T and lifespans
L as reliable indicators of the freshness of a communication (see the BAN logic).
In relation to the following Kerberos operation, it is helpful to note that the server S here
stands for both authentication service (AS), and ticket granting service (TGS). In
, KAB stands for the session key
between A and B, is the client to server ticket,
confirms B's true identity and its recognition of A. This is required for
mutual authentication.
Kerberos operation
What follows is a simplified description of the protocol. The following shortcuts will be
used: AS = Authentication Server, TGS = Ticket Granting Server, SS = Service Server.
In one sentence: the client authenticates itself to AS, then demonstrates to the TGS that
it's authorized to receive a ticket for a service (and receives it), then demonstrates to the
SS that it has been approved to receive the service.
In more detail:
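As an added walk-through (not part of the original article), the following Python toy models the three exchanges just summarised: the AS issues a TGT, the TGS issues a service ticket, and the service server checks the ticket and authenticator and echoes the timestamp for mutual authentication. Principal names, key sizes, lifespans and the HMAC-based `seal`/`unseal` stand-in for encryption are assumptions made for this example.

```python
import hashlib, hmac, json, secrets

def seal(key: bytes, msg: dict) -> bytes:
    """Stand-in for encryption under a shared key: HMAC tag + JSON (contents not hidden in this toy)."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")  # only a holder of `key` gets through
    return json.loads(body)

def check_fresh(msg: dict, now: float) -> dict:
    """Timestamp T and lifespan L: the freshness check the protocol relies on."""
    if not msg["T"] <= now < msg["T"] + msg["L"]:
        raise ValueError("ticket or authenticator outside its lifespan")
    return msg

KEYS = {p: secrets.token_bytes(32) for p in ("alice", "krbtgt", "bob")}  # constructed KDC database

def ticket(service_key: bytes, client: str, skey: bytes, now: float, life: float = 300.0) -> bytes:
    """Sealed for the service only: names the client and carries the session key."""
    return seal(service_key, {"client": client, "key": skey.hex(), "T": now, "L": life})

def kdc_as(client: str, now: float) -> tuple[bytes, bytes]:
    """AS exchange: client/TGS session key sealed under the client's key, plus the TGT."""
    k_c_tgs = secrets.token_bytes(32)
    return seal(KEYS[client], {"key": k_c_tgs.hex()}), ticket(KEYS["krbtgt"], client, k_c_tgs, now)

def service_accept(service_key: bytes, tkt: bytes, auth: bytes, now: float) -> tuple[dict, bytes]:
    """TGS and SS run the same check: open the ticket, then the authenticator under its session key."""
    t = check_fresh(unseal(service_key, tkt), now)
    skey = bytes.fromhex(t["key"])
    a = check_fresh(unseal(skey, auth), now)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t, skey

def kerberos_login(client: str, service: str, now: float, later: float) -> dict:
    """Whole run: AS exchange at `now`, TGS and SS exchanges at `later`."""
    reply, tgt = kdc_as(client, now)                                   # 1. AS
    k_c_tgs = bytes.fromhex(unseal(KEYS[client], reply)["key"])        # client proves it has its key
    auth = seal(k_c_tgs, {"client": client, "T": later, "L": 60.0})    # 2. TGS
    _, k_sess = service_accept(KEYS["krbtgt"], tgt, auth, later)
    k_c_s = secrets.token_bytes(32)
    tgs_reply, svc_tkt = seal(k_sess, {"key": k_c_s.hex()}), ticket(KEYS[service], client, k_c_s, later)
    k_c_s = bytes.fromhex(unseal(k_c_tgs, tgs_reply)["key"])          # client recovers K_c,s
    auth2 = seal(k_c_s, {"client": client, "T": later, "L": 60.0})     # 3. SS
    t, k_srv = service_accept(KEYS[service], svc_tkt, auth2, later)
    mutual = unseal(k_c_s, seal(k_srv, {"T": later}))["T"] == later    # SS echoes T: mutual auth
    return {"client": t["client"], "mutual_auth": mutual}
```

Calling `kerberos_login` with `later` beyond the TGT's 300-second lifespan raises at the TGS step, which is the timestamp-and-lifespan freshness check the article attributes to the protocol.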