Introduction

This lesson lays the groundwork for learning Kerberos.


For folks who love trivia, the name Kerberos comes from Greek mythology. In those myths, Kerberos, or Cerberus, is a three-headed guard dog. It is also called the hound of Hades, who was the god of the dead and the underworld. Kerberos guarded the gates of the underworld where the dead lived, and it prevented them from leaving. In computer science, Kerberos is part of Project Athena at MIT. It was named Kerberos because, much like the three-headed dog, it involves three entities that communicate to establish the identities of a client and a server. A trusted third party called the Key Distribution Center, or KDC for short, helps a client and a service prove their identities to each other.

Informally, we can describe Kerberos as a supreme service that tells others, “Yes, you can trust me, and this person is who they claim to be.” Nothing more. Formally, it is a network authentication system that solves two important issues in an untrusted network:

  1. It allows the user to access all resources (e.g. printers, services) using only a single password.

  2. It encrypts messages passed over the network and ensures message integrity. We’ll study encryption and integrity in detail in upcoming lessons.

Kerberos is a secure, single-sign-on, trusted third party, and mutual authentication service:

  • Secure: Kerberos is secure because it never transmits passwords over the network. In fact, it uses a novel approach of sending time-bound cryptographic messages that expire after a set interval to prove the identity of a user to a given server.

  • Single-Sign-On: Kerberos allows a user to type in their password only once and then access various kerberized services for a set period within a Kerberos realm without the need to re-enter the password.

  • Trusted third party: Kerberos employs a centralized authentication server known as the KDC (Key Distribution Center) that all other entities in the network trust. All authentication requests are routed through this server.

  • Mutual authentication: In Kerberos, two communicating parties prove their identities to each other. For instance, a user in a network using Kerberos can authenticate to a mail server implying, “I am who I claim to be,” and in return, the mail server proves that it is indeed the mail server and not some other service in the network pretending to be the mail server.
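The four properties above describe a three-party exchange, and it is easier to see how they fit together in running code. The following Python script is an added example written for this lesson; it is not MIT code and not a real Kerberos implementation. It models a KDC that shares a long-term key with a client ("alice") and a service ("mail/server.example", both constructed names), issues a time-bound ticket and session key, and then lets the client and the service authenticate each other. The cipher is a toy (HMAC-SHA256 in counter mode plus an HMAC tag) standing in for a real Kerberos encryption type, and the password-to-key step is a plain hash rather than Kerberos's salted string-to-key function.

```python
import hashlib
import hmac
import json
import os

# ---- toy authenticated encryption (illustration only, not a Kerberos enctype) ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON-serialisable dict under key and append an integrity tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def key_from_password(password: str) -> bytes:
    """Simplified string-to-key: real Kerberos salts and iterates; this just hashes."""
    return hashlib.sha256(password.encode()).digest()

# ---- the three parties -------------------------------------------------------
class KDC:
    """Trusted third party: the only entity that knows every principal's long-term key."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys

    def issue(self, client: str, service: str, now: float, lifetime: float = 300.0) -> bytes:
        session_key = os.urandom(32)
        # The ticket is readable only by the service (sealed under the service's key).
        ticket = seal(self.keys[service],
                      {"client": client, "skey": session_key.hex(), "expires": now + lifetime})
        # The whole reply is sealed under the client's key, so only the real client can open it.
        return seal(self.keys[client],
                    {"service": service, "skey": session_key.hex(), "ticket": ticket.hex()})

def client_prepare(client_key: bytes, kdc_reply: bytes, client: str, now: float):
    """Client opens the KDC reply with its password-derived key and builds an authenticator.
    The password itself is never sent; only sealed messages cross the network."""
    reply = unseal(client_key, kdc_reply)
    skey = bytes.fromhex(reply["skey"])
    authenticator = seal(skey, {"client": client, "ts": now})
    return bytes.fromhex(reply["ticket"]), authenticator, skey

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes,
                   now: float, skew: float = 300.0):
    """Service validates the time-bound ticket and the authenticator, then proves itself."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("ticket expired")
    skey = bytes.fromhex(t["skey"])
    auth = unseal(skey, authenticator)       # only a holder of skey could have built this
    if auth["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > skew:
        raise PermissionError("authenticator outside clock-skew window")
    # Mutual authentication: answering with ts+1 under skey proves the service opened the ticket.
    return t["client"], seal(skey, {"ts": auth["ts"] + 1})

def client_verify(skey: bytes, service_reply: bytes, sent_ts: float) -> bool:
    """Only the genuine service (which could open the ticket) knows skey."""
    return unseal(skey, service_reply)["ts"] == sent_ts + 1

# ---- a full run --------------------------------------------------------------
def demo(now: float = 1_700_000_000.0, service_clock_offset: float = 0.0) -> dict:
    alice_key = key_from_password("correct horse battery staple")   # constructed sample password
    mail_key = os.urandom(32)                                        # constructed service key
    kdc = KDC({"alice": alice_key, "mail/server.example": mail_key})

    kdc_reply = kdc.issue("alice", "mail/server.example", now)
    ticket, authenticator, skey = client_prepare(alice_key, kdc_reply, "alice", now)
    who, service_reply = service_accept(mail_key, ticket, authenticator, now + service_clock_offset)
    return {"authenticated_as": who,
            "server_proved_identity": client_verify(skey, service_reply, now)}

def expired_ticket_rejected() -> bool:
    """A ticket presented after its 300-second lifetime is refused by the service."""
    try:
        demo(service_clock_offset=600.0)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print(demo(), "expired ticket rejected:", expired_ticket_rejected())
```

Two things to notice when reading the run: the client's password-derived key is used exactly once, to open the KDC reply, and from then on only the short-lived session key is used; and the service never learns the client's password either, because the ticket it opens carries only the session key and an expiry. Changing `service_clock_offset` past the lifetime shows the time-bound property, and replacing `mail_key` on the service side makes `unseal` fail, which is the "not some other service pretending to be the mail server" case from the list above.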

Evolution

Kerberos began at MIT in the early 80s as a research project. It went through various versions before being publicly available outside of MIT. The initial versions, v1, v2, and v3, were used internally at MIT. In 1989, v4 was released as the first publicly available version within the US. It was quickly adopted by several vendors. However, because of US export restrictions at the time, v4 couldn’t be exported outside of the US, and a workaround was devised whereby v4 was stripped of all encryption and made available to universities outside of the US. The stripped-down version was picked up and retrofitted with custom encryption by universities outside of the US, thus making Kerberos v4 usable worldwide. Since 2003 the export restrictions have been lifted, and now the latest and greatest version of Kerberos, v5, can be downloaded and used freely. Kerberos v5 is documented in RFC 1510.

Implementations

Kerberos is a protocol that has been implemented by different vendors, some of which are discussed below:

  1. MIT Kerberos: This is the original implementation of the Kerberos protocol, which was born out of Project Athena in the early 90s.

  2. Heimdal: Due to export restrictions on cryptography technology, MIT Kerberos couldn’t be used outside of the USA. Another equivalent implementation of Kerberos, called Heimdal, was developed in Sweden. The Swedish Kerberos aims to be fully compatible with MIT Kerberos. In 2000, export restrictions were lifted, and now both implementations coexist on a wider scale.

  3. Active Directory: This is a name service developed by Microsoft that maps the names of network resources to their respective network addresses. It is not a full Kerberos implementation by itself; rather, it is Microsoft’s directory, which consists of a loose Kerberos implementation along with some other services like LDAP. It is incompatible with MIT Kerberos and Heimdal.

  4. Trust Broker: A commercial implementation of the Kerberos protocol, developed by CyberSafe. It supports a wide range of operating systems such as Windows, Unix, Linux, etc., and it is interoperable with many existing Kerberos implementations, ranging from MIT to Microsoft’s AD.

  5. Shishi: This is a GNU implementation of Kerberos.

In the next lesson, we will look at the distinction between authentication and authorization and learn about auditing.