Why Kerberos?

demonstrating possession of secret information. In this manner, Kerberos solves traditional problems involved with authentication.

Historical Evolution of Kerberos

The name Kerberos comes from Greek mythology; Cerberos was the three-headed dog that guarded the entrance to Hades. Kerberos is a network authentication protocol developed by MIT (Massachusetts Institute of Technology) as part of Project Athena, which started in 1983 when MIT decided to integrate network computers as part of its campus curriculum. The goals of Athena were the integration of a SSO (Single Sign-on), networked file systems, a unified graphical environment, and a naming convention service.

Kerberos has since evolved into a strategic security standard that provides secure authentication services to users, applications, and network devices, which eliminates the threats caused by passwords being stored or transmitted across the network. Additionally, Kerberos provides data integrity to ensure messages are not tampered with on the network and message privacy (encryption) to ensure messages are not visible to eavesdroppers on the network.

The Kerberos model is partly based on Needham and Schroeder's trusted third-party authentication protocol. Versions one through three never reached outside MIT, but version 4 was (and still is) quite popular, especially in the academic community. It is also used in commercial products like the AFS filesystem.

The problem statement discussed the problems associated with traditional authentication methods and, in particular, how passwords are vulnerable because they travel unencrypted over the network. Password-based authentication is also inconvenient; users do not want to enter a password each time they access a network service.

Kerberos is designed to eliminate the need for users to demonstrate possession of private or secret information (the password). Instead, Kerberos disseminates this information. Kerberos Server lets entities authenticate themselves, without transmitting their passwords in clear text over the network.

Commonly used to secure particularly vulnerable network communications like ftp, telnet, and other widely used Internet protocols that normally transmit user IDs and passwords in clear text, Kerberos provides the "plumbing" for common authentication services. Its scalability means that Kerberos is ideal for large networks such as those used by governments, telecommunication networks, and major financial institutions.

Kerberos Basics

Kerberos uses secret-key cryptography, which lets entities communicating over networks prove their identity to each other while preventing eavesdropping or replay attacks. It also provides data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using Data Encryption Standards such as DES, 3DES, and AES.

Kerberos is based on the concept of a trusted third party that performs secure verification of users and services. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC).

Kerberos is used to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos Server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username-and-password authentication mechanism. The ticket can then be embedded in virtually any other network protocol, thereby letting the processes implementing that protocol to be sure about the identity of the principals involved.