Kerberos is a computer network authentication protocol designed for use on insecure networks (the Internet, for example), based on the key distribution model of Needham and Schroeder. It allows individuals communicating over a network to prove their identity to each other while also preventing eavesdropping or replay attacks, and provides for detection of modification and the prevention of unauthorized reading. For some time, Kerberos was classed as a munition within the United States and could not be exported because it used the DES encryption algorithm (with 56-bit keys). A non-US implementation was developed in Sweden, which made the system available outside the US before the US export regulations were changed (by 2000, more or less).
Kerberos has become commercially important since Microsoft introduced a version of Kerberos in the Windows 2000 version of the Microsoft Windows operating system.
The protocol can be specified as follows in security protocol notation, where Alice (A) is authenticating herself to Bob (B) using a server S:
<math>A \rightarrow S: A,B</math>
<math>S \rightarrow A: \{T_S, L, K_{AB}, B, \{T_S, L, K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}</math>
<math>A \rightarrow B: \{T_S, L, K_{AB}, A\}_{K_{BS}}, \{A, T_A\}_{K_{AB}}</math>
<math>B \rightarrow A: \{T_A + 1\}_{K_{AB}}</math>
We see here that the security of the protocol relies heavily on timestamps being reliable indicators of the freshness of a communication (see the BAN logic).
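The following sketch walks through messages 2 to 4 above and shows where B's timestamp checks sit. It is an added example, not code from MIT Kerberos or from the original page. Assumptions: T_S is read as the server's timestamp and L as the ticket lifetime; `seal`/`unseal` are a constructed HMAC-SHA256 stand-in for {…}_K rather than a real Kerberos cipher; `SKEW`, the replay cache `seen` and all function names are hypothetical.

```python
import hashlib, hmac, json, os

SKEW = 300  # assumed tolerated clock skew in seconds (not a value from the page)

def _sub(key, label, n=32):
    """Derive n pseudo-random bytes from key and label with HMAC-SHA256."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, fields):
    """{fields}_key as a constructed encrypt-then-MAC stand-in (not a Kerberos cipher)."""
    pt, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _sub(_sub(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("modified message or wrong key")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _sub(_sub(key, b"enc"), nonce, len(ct)))))

def server_reply(k_as, k_bs, a, b, now, life):
    """Message 2, S -> A: fresh K_AB plus a ticket only B can open."""
    k_ab = os.urandom(16).hex()
    ticket = seal(k_bs, [now, life, k_ab, a]).hex()
    return seal(k_as, [now, life, k_ab, b, ticket])

def alice_request(k_as, reply, a, b, now):
    """Message 3, A -> B: forward the ticket with authenticator {A, T_A}_K_AB."""
    _t_s, _life, k_ab, peer, ticket = unseal(k_as, reply)
    if peer != b:
        raise ValueError("reply names a different peer")
    k_ab = bytes.fromhex(k_ab)
    return k_ab, bytes.fromhex(ticket), seal(k_ab, [a, now])

def bob_accept(k_bs, ticket, auth, now, seen):
    """B's freshness checks, then message 4, B -> A: {T_A + 1}_K_AB."""
    t_s, life, k_ab, a = unseal(k_bs, ticket)
    name, t_a = unseal(bytes.fromhex(k_ab), auth)
    if name != a or not (t_s - SKEW <= now <= t_s + life):
        raise ValueError("wrong principal or ticket outside its lifetime")
    if abs(now - t_a) > SKEW or (a, t_a) in seen:
        raise ValueError("stale or replayed authenticator")
    seen.add((a, t_a))  # replay cache: an assumption beyond the four messages
    return seal(bytes.fromhex(k_ab), [t_a + 1])
```

Every rejection in `bob_accept` other than the integrity check depends on B's clock (`now`), which is why an attacker who can shift B's time source can make an old ticket or authenticator look fresh.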
Kerberos is freely available from MIT, under copyright permissions similar to those used for BSD. There is an RFC for Kerberos 5: RFC 1510. The IETF is currently (as of 2004) standardizing an updated version.