Kerberos

William Stallings, Independent Consultant

Introduction

Motivation

Kerberos Version 4

Kerberos Version 5

Performance Issues

Conclusion

Glossary

Cross References

References

Further Reading

INTRODUCTION

Kerberos is an authentication service developed as part of Project Athena at MIT. The problem that Kerberos addresses is this: Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like servers to be able to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services. In particular, the following three threats exist:

  • A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
  • A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
  • A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.

In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access. Rather than building in elaborate authentication protocols at each server, Kerberos provides a centralized authentication server with the function of authenticating users to servers and servers to users. Unlike many ...
