• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Network Security FAQs
• What is a firewall?
• How does firewall protection work?
• Where can I download a free firewall?
• What is a personal firewall?
• Where can I download a free personal firewall?
• What is a mobile firewall?
• How do I configure wireless security?
• What is a DMZ?
• What is an Intrusion Detection System (IDS)?
• What is a packet sniffer?
• How do I monitor Wireless Traffic?
• What is a port scanner?
• What is port forwarding?
• What is a VPN (Virtual Private Network)?
• What is a IPsec?
• What is a ISAKMP?
• What is a IKE?
• What is TLS (Transport Layer Security)?
• What is a TCP sequence prediction attack?
• What is packet fragmentation?
• What are possible defenses against a botnet attack?
• What is a honeypot?
• What is a Denial of Service (DoS) attack?
• What is IP address spoofing?
• What is cyber-warfare?
• What is identity management?
• What is federated identity management?
• What is single sign-on?
• What is role based access control?
• What is AAA?
• What is authentication?
• What is authorization?
• What is accounting?
• What is RADIUS?
• What is SAML?
• What is Kerberos?
• What is LDAP?
• What security issues does LDAP have?
• What is two factor authentication?
• What are biometrics?
• What is a honey monkey?
• What are the rainbow books?
• How do I disable the XP firewall?
• What are the main online security threats?
• How do I disable the Netgear Router firewall?
• What is Cisco VPN error 412?
• What is Peer Guardian?
• What is a RADIUS Server?
• What is Access Control?
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

What is Kerberos?

Kerberos is a network authentication protocol which utilizes symmetric cryptography to provide authentication for client-server applications.

The Kerberos Standard Definition

Kerberos is defined in RFC 1510 - The Kerberos Network Authentication Service (V5).

The Kerberos Architecture

The core of a Kerberos architecture is the KDC (Key Distribution Server). The KDC stores authentication information and uses it to securely authenticate users and services.

This authentication is called secure because it:

• Does not occur in plaintext
• Does not rely on authentication by the host operating system
• Does not base trust on IP addresses
• Does not require physical security of the network hosts

The KDC acts as a trusted third party in performing these authentication services.

Due to the critical function of the KDC, multiple KDC's are normally utilized. Each KDC stores a database of users, servers, and secret keys.

Kerberos clients are normal network applications which have been modified to use Kerberos for authentication. In Kerberos slang, they have been Kerberized.

The Kerberos Protocol

Kerberos defines ten messages that make up the Kerberos protocol:

KRB_AS_REQ	Kerberos Authentication Service Request
KRBAS_REP	Kerberos Authentication Service Reply
KRB_AP_REQ	Kerberos Application Request
KRB_AP_REP	Kerberos Application Reply
KRB_TGS_REQ	Kerberos Ticket Granting Service Request
KRB_TGS_REP	Kerberos Ticket Granting Service Reply
KRB_SAFE	Kerberos Safe (Checksummed) Application Message
KRB_PRIV	Kerberos Private (Encrypted) Application Message
KRB_CRED	Kerberos Credentiials
KRB_ERROR	Kerberos Error

Kerberos Implementations

MIT Kerberos is the reference implementation. MIT Kerberos supports DEC Unix, Linux, Irix, Solaris, Windows and MacOS.

Several other commercial and non-commercial Kerberos implementations are also available.

Microsoft added a slight modified version of Kerberos v5 authentication in Windows 2000.

Kerberos Weaknesses

Because the KDC's store secret keys for every user and server on the network, they must be kept completely secure. If an attacker were to obtain administrative access to the KDC, he would have access to the complete resources of the Kerberos realm.

Kerberos tickets are cached on the client systems. If an attacker gains administrative access to a Kerbos client system, he can impersonate the authenticated users of that system.

Kerberos Encryption Protocols

Kerberos uses the DES algorithm for encryption. Kerberos also supports the CRC-32, MD4, MD5, and DES algorithms for checksums. Kerberos implementations are free to add additional algorithms for encryption and checksumming.

Additional Reading on Kerberos

RFC 1510 is an excellent resource for understanding the Kerberos protocol.

The Kerberos FAQ is also very well written and answers many questions that you will have.

If you prefer a printed book, Kerberos: The Definitive Guide is available from O'Reilly.

Purchase Kerberos: The Definitive Guide at Amazon.com

Free White Papers on Networking

Vulnerability Management for Dummies

Our friends at Qualys are offering free copies of the electronic version of Vulnerability Management for Dummies to Tech-FAQ readers. Vulnerability Management for Dummies: Explains the critical need for vulnerability management Details the essential best-practice steps of a successful vulnerability management program Outlines the various vulnerability management solutions - including the advantages and disadvantages of each Highlights the award-winning QualysGuard vulnerability management solution Provides a ten point checklist for removing vulnerabilities from your key resources

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum