Register to read the introduction…
We were disappointed to learn that Kerberos wasn't going to solve our problems of networkwide user management. Kerberos doesn't replace even aged technology such as Sun Microsystems' Network Information Service (NIS), since it doesn't supply the necessary account information found in Unix's /etc/passwd file or the ability to manage user rights or control access to network resources. Basically, Kerberos lacks the directory services that make products like Novell Directory Services (NDS) an attractive answer for network security management.
…show more content…
Also, QUALCOMM's Eudora E-Mail package includes support for Kerberized Post Office Protocol (POP) sessions, providing users in a Kerberos environment with secure access to their e-mail. However, if you're looking for commercial support, consider DCE, which uses Kerberos as the foundation for its Security Service.
The Kerberos Security Model. Kerberos is an implementation of a security model based on trust. It specifies an algorithm for authenticating users without transmitting passwords across the network in plain text. It provides a facility to distribute secret encryption keys in a secure fashion. Each host on a network trusts none other than the Kerberos server, pushing all security into a central location, which can be guarded more easily.
To use Kerberos, a user first logs in and obtains a ticket-granting-ticket (TGT). This is later used to obtain service tickets from the Kerberos server when the user attempts to log into a remote host or service. Since the Kerberos server is trusted by every machine in the realm or region served by that Kerberos server, the tickets effectively vouch for users' identities, granting them access to the machine. Also, Kerberos tickets contain session keys, which can be used to encrypt network traffic. …show more content…
We know that network transmissions can easily be intercepted, so Kerberos must protect these tickets from forgery.
For this reason, Kerberos uses encrypted time stamps on transactions and adds an expiration time to every ticket. An intercepted ticket will become useless once it expires. By default, Kerberos rejects any tickets with a time stamp that is more than five minutes off. This, however, means that nodes in the Kerberos realm should be set with the correct time.
Kerberos Principals. User accounts in Kerberos are called principals. Every user, node or service on the network must have an entry in this database, and a corresponding encryption key (based on a password). Kerberos authenticates sessions between principals using tickets, which are encrypted using various principals' keys. Authentication occurs when the server successfully decrypts a ticket to find the user's
Also, QUALCOMM's Eudora E-Mail package includes support for Kerberized Post Office Protocol (POP) sessions, providing users in a Kerberos environment with secure access to their e-mail. However, if you're looking for commercial support, consider DCE, which uses Kerberos as the foundation for its Security Service.
The Kerberos Security Model. Kerberos is an implementation of a security model based on trust. It specifies an algorithm for authenticating users without transmitting passwords across the network in plain text. It provides a facility to distribute secret encryption keys in a secure fashion. Each host on a network trusts none other than the Kerberos server, pushing all security into a central location, which can be guarded more easily.
To use Kerberos, a user first logs in and obtains a ticket-granting-ticket (TGT). This is later used to obtain service tickets from the Kerberos server when the user attempts to log into a remote host or service. Since the Kerberos server is trusted by every machine in the realm or region served by that Kerberos server, the tickets effectively vouch for users' identities, granting them access to the machine. Also, Kerberos tickets contain session keys, which can be used to encrypt network traffic. …show more content…
We know that network transmissions can easily be intercepted, so Kerberos must protect these tickets from forgery.
For this reason, Kerberos uses encrypted time stamps on transactions and adds an expiration time to every ticket. An intercepted ticket will become useless once it expires. By default, Kerberos rejects any tickets with a time stamp that is more than five minutes off. This, however, means that nodes in the Kerberos realm should be set with the correct time.
Kerberos Principals. User accounts in Kerberos are called principals. Every user, node or service on the network must have an entry in this database, and a corresponding encryption key (based on a password). Kerberos authenticates sessions between principals using tickets, which are encrypted using various principals' keys. Authentication occurs when the server successfully decrypts a ticket to find the user's