About Kerberos

 

Kerberos was originally designed by scientists from MIT, and the first reference implementation was developed during the Athena project in 1988. It has since evolved into a strategic security standard and provides secure authentication services to users, applications and network devices, without the threats caused by passwords being stored or transmitted across the network. Additionally, the protocol includes data integrity to ensure messages are not tampered with on the network, and message privacy (encryption) to ensure messages are not visible to eavesdroppers on the network. The protocol is appropriately named after the three-headed dog (Cerberus) that, in Greek mythology, guarded the entrance to Hades (the Underworld).

 

A picture of the CyberSafe mascot, a three-headed dog called "Kerby", is shown on the right.
What is Kerberos?

 

A standards based security protocol

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications and is also ideal for securing multi-tier application architectures, especially when components of the application reside on different operating systems. Typically the protocol has been used to secure only client/server applications, but with CyberSafe's Web Authentication Solutions it is now possible to use Kerberos to securely access Web based applications in your network as well. When Kerberos is used as a common authentication architecture for both non-Web and Web based application authentication, the implementation of Secure Single Sign On across these environments becomes a reality. The protocol uses secret-key cryptography; however, it can also be complemented with Public Key Infrastructure (PKI) technology by utilising an IETF draft standard called PKINIT, which allows X.509 v3 certificate based user authentication instead of username and password. The CyberSafe TrustBroker™ products also support token card based authentication of users.

 

Commonly used

Commonly used to secure particularly vulnerable network communications like ftp, telnet and other widely used Internet protocols, which normally transmit user IDs and passwords in clear text, Kerberos provides the "plumbing" for common authentication services. Its scalability means that it is ideal for large networks such as those used by government, telecommunications and major financial institutions. In our news pages you can read more about the range of applications, operating systems and utilities that are known to utilise the Kerberos protocol today.

 

A reference implementation of the protocol is available from MIT as Open Source and is therefore not supported. The Kerberos protocol has also been used to implement commercially available and supported products, such as those provided by CyberSafe, and by Microsoft, which has implemented the Kerberos protocol in the Windows 2000, XP and Windows 2003 operating systems. Some UNIX operating system vendors have also included some support for the protocol in their operating systems, and an increasing number of application vendors are recognising the value of this protocol to improve the authentication, integrity and privacy capabilities in their products.

 

Firewalls and Network Security

The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to "sniff" passwords passing through the network are in common use by malicious hackers. Thus, applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, client/server applications often rely on the client program to be "honest" about the identity of the user who is using it. Some applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server.

 

Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, firewalls are simply a less extreme example of the dictum that there is nothing more secure than a computer which is not connected to the network, and powered off!) In many places, these restrictions are simply unrealistic and unacceptable.

 

Kerberos was designed as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.
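The paragraph above describes the three properties Kerberos delivers: the client proves its identity to the server, the server proves its identity back, and both end up holding a shared session key for private, integrity-protected traffic. The following is an added, simplified model of that exchange (not code from this page or from CyberSafe's products): a KDC seals a ticket under the service's long-term key, the client proves it holds the session key with a fresh authenticator, and the server echoes the client's timestamp to prove it could open the ticket. All key values are constructed samples, and the toy authenticated-encryption helper stands in for the standardised Kerberos encryption types.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption: SHA-256 keystream XOR, then HMAC (encrypt-then-MAC).
# Illustrative only; real Kerberos uses standardised encryption types.
def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # tampered, or wrong key
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Long-term keys shared with the KDC (constructed sample values; never sent over the wire).
KDC_KEYS = {"alice": b"alice-long-term-key", "host/fs1": b"fs1-long-term-key"}

def kdc_issue(client: str, service: str, now: float) -> bytes:
    """KDC: mint a session key; the ticket is sealed under the service key, so the client carries it but cannot read or alter it."""
    sk = os.urandom(32).hex()
    ticket = seal(KDC_KEYS[service], {"client": client, "key": sk, "expires": now + 3600})
    return seal(KDC_KEYS[client], {"key": sk, "ticket": ticket.hex()})

def client_ap_req(client: str, client_key: bytes, kdc_reply: bytes, now: float):
    """Client: recover session key and ticket, then prove key possession with a fresh authenticator."""
    creds = unseal(client_key, kdc_reply)
    sk = bytes.fromhex(creds["key"])
    return sk, bytes.fromhex(creds["ticket"]), seal(sk, {"client": client, "ts": now})

def server_ap_rep(service_key: bytes, ticket: bytes, auth: bytes, now: float, seen: set) -> bytes:
    """Server: validate ticket and authenticator, then prove its own identity back (mutual authentication)."""
    t = unseal(service_key, ticket)
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, auth)
    if a["client"] != t["client"] or now > t["expires"] or abs(now - a["ts"]) > 300:
        raise ValueError("ticket/authenticator rejected")
    if (a["client"], a["ts"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((a["client"], a["ts"]))
    return seal(sk, {"ts": a["ts"]})  # only a holder of the session key can produce this

def client_verify(sk: bytes, ap_rep: bytes, sent_ts: float) -> bool:
    """Client: the server echoed our timestamp under the session key, so it holds the service key."""
    return unseal(sk, ap_rep)["ts"] == sent_ts
```

The replay cache (`seen`) and the clock-skew window show why Kerberos deployments depend on synchronised clocks: a stale or repeated authenticator is rejected even though its integrity check passes.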

 

In summary, Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise. We hope you find Kerberos as useful and as invaluable as it has been to many other companies since it was first designed in 1988.
How does Kerberos work?

 

In the tutorials you can find references to explain how the protocol works. We hope you find these tutorials useful, but if you have any questions please let us know.
Kerberos Protocol Evolution ...

 

The IETF standard specification that defines the Kerberos version 5 protocol is known as RFC 1510. This standard was originally issued in September 1993. Since then, the Kerberos protocol has been ported to virtually every operating system, has at least two open source versions, and has numerous commercial software vendor implementations. Kerberos evolution has continued over the years, and interoperability has become more important than ever. Also, a number of draft proposals have been issued concerning aspects of new or extended functionality.

 

Rather than Kerberos being a set of standards that evolve separately and cause interoperability issues, a specific Security Working Group has been established within the IETF which focuses on the Kerberos protocol and associated standards to ensure improved interoperability going forward. The home page of the Kerberos WG can be found here.

 

The Kerberos WG is striving to improve standards interoperability while improving security, and is currently doing this by:

  • Developing a new Kerberos Clarifications standard which provides detailed clarifications where information in the RFC 1510 standard was previously open to interpretation, and which also documents improvements to the standard where appropriate. When it is completed, each vendor using Kerberos will need to ensure that their products comply with the clarifications; by doing so, future inconsistencies and interoperability issues will be avoided.
  • Publishing new versions of selected extensions, which will be based on existing draft proposals for these extensions. This will ensure that new or extended functionality can take advantage of the published clarifications standard. The extensions that will add significant value while improving interoperability and security will be considered first.

 

Useful Information and Downloads

 

Many of the documents and downloads provided below are old and specific to Open Source distributions of the Kerberos protocol, or products based on these distributions. The commercially supported CyberSafe TrustBroker™ products are not based on the Open Source reference code, but have been developed and tested to conform to the same IETF standards and for interoperability with other Kerberos protocol implementations. The documents are provided for reference purposes.

 

You will need Adobe Acrobat Reader to view these files.

 

The Kerberos FAQ - Mostly related to the MIT Open Source Kerberos distribution

Administered by Ken Hornstein, <kenh@cmf.nrl.navy.mil>

 

Kerberos - An Authentication Service for Open Network Systems - The original Kerberos paper from Project Athena

Jennifer G Steiner (MIT), Clifford Neuman (University of Washington), and Jeffrey I. Schiller (MIT), January 12th 1988

 

Kerberos Installation Notes - The original installation notes from Project Athena

Bill Bryant (MIT), Jennifer G Steiner (MIT), and John T Kohl (MIT), January 24th 1989

 

Limitations of the Kerberos Authentication System - Discusses issues which are largely addressed in Kerberos v5

Steven M. Bellovin (AT&T Bell Labs), and Michael Merritt (AT&T Bell Labs), Winter 1991 USENIX Conference

 

The Evolution of the Kerberos Authentication Service - Discusses issues with Kerberos v4 and solutions in v5.

John T Kohl (Digital Equipment Corp), Clifford Neuman (ISI), Theodore Y. Ts'o (MIT), 1992

 

Workstation Services and Kerberos Authentication at Project Athena - Discusses the need for credential forwarding etc.

Don Davis (MIT), and Ralph Swick (Digital Equipment Corp), 17th March 1989

 

Kerberos Authentication in Sun RPC for NFS - Explains how Kerberos can secure NFS

Carl Smith, 9th August 1993