Kerberos

Kerberos is a network authentication protocol developed at the Massachusetts Institute of Technology (MIT). It is designed to provide strong authentication for client/server applications across insecure network connections by using secret-key cryptography. It allows entities communicating over a network to prove their identity to each other while resisting eavesdropping and replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (prevention of unauthorized reading) using symmetric ciphers. The original design used DES; DES is now deprecated for Kerberos, and current implementations use AES-based encryption types.
Kerberos works by providing principals (users or services) with tickets that they can use to identify themselves to other principals, together with session keys for secure communication with those principals. A ticket is a sequence of a few hundred bytes. The ticket can be embedded in virtually any other network protocol, allowing the processes implementing that protocol to be sure of the identity of the principals involved.
Kerberos provides for mutual authentication and secure communication between principals on an open network by generating a fresh session key for each ticket it issues and providing a mechanism for that key to be safely delivered to both parties. Kerberos does not, strictly speaking, provide for authorization or accounting, although applications may use their session keys to perform those functions securely.
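The ticket and session-key mechanism described above, as an added worked example that is not part of the original page or of MIT Kerberos. It models the three exchanges of the version 5 protocol (AS, TGS and AP) with a toy encrypt-then-MAC cipher standing in for a real Kerberos encryption type; the principal names, keys, message field names and the 300-second clock-skew limit are all constructed for the illustration. It shows what the prose cannot: the ticket is readable only by the service it names, the client proves possession of the session key with a timestamped authenticator, the server's reply proves it holds the same key (mutual authentication), and a replayed authenticator is rejected.

```python
"""Toy Kerberos-style ticket exchange: added illustration, not MIT Kerberos code.
Encryption is simulated with an HMAC-SHA256 keystream plus an HMAC tag (encrypt-then-MAC)
in place of a real Kerberos etype; every principal name and key below is constructed."""
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable message under a symmetric key."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify the tag and decrypt; a wrong key or any tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify_ap_req(service_key, service, ticket_blob, auth_blob, now, replay_cache, skew=300):
    """Server-side check of ticket + authenticator -> (client, session key, authenticator time)."""
    ticket = open_(service_key, ticket_blob)      # only the named service can read its tickets
    if ticket["service"] != service:
        raise ValueError("ticket was issued for a different service")
    if ticket["expires"] < now:
        raise ValueError("ticket expired")
    sk = bytes.fromhex(ticket["session_key"])
    auth = open_(sk, auth_blob)                   # proves the sender holds the session key
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(auth["time"] - now) > skew:
        raise ValueError("authenticator outside allowed clock skew")
    if (auth["client"], auth["time"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((auth["client"], auth["time"]))
    return ticket["client"], sk, auth["time"]

class KDC:
    """Holds every principal's long-term key; plays both the AS and TGS roles."""
    def __init__(self, keys, lifetime=600):
        self.keys, self.lifetime, self.replay = keys, lifetime, set()
    def _issue(self, client, service, now):
        sk = os.urandom(32)                        # fresh session key for this ticket
        ticket = {"client": client, "service": service, "session_key": sk.hex(),
                  "expires": now + self.lifetime}
        return seal(self.keys[service], ticket), sk
    def as_exchange(self, client, now):            # AS-REQ/AS-REP: ticket-granting ticket
        tgt, sk = self._issue(client, "krbtgt", now)
        return tgt, seal(self.keys[client], {"session_key": sk.hex()})
    def tgs_exchange(self, tgt, auth, service, now):   # TGS-REQ/TGS-REP: service ticket
        client, tgt_sk, _ = verify_ap_req(self.keys["krbtgt"], "krbtgt", tgt, auth, now, self.replay)
        ticket, sk = self._issue(client, service, now)
        return ticket, seal(tgt_sk, {"session_key": sk.hex()})

class Client:
    def __init__(self, name, key):
        self.name, self.key = name, key
    def authenticator(self, sk, now):
        return seal(sk, {"client": self.name, "time": now})
    def login(self, kdc, now):
        self.tgt, rep = kdc.as_exchange(self.name, now)
        self.tgt_sk = bytes.fromhex(open_(self.key, rep)["session_key"])  # wrong key -> ValueError
    def service_ticket(self, kdc, service, now):
        ticket, rep = kdc.tgs_exchange(self.tgt, self.authenticator(self.tgt_sk, now), service, now)
        return ticket, bytes.fromhex(open_(self.tgt_sk, rep)["session_key"])

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay = name, key, set()
    def ap_exchange(self, ticket, auth, now):      # AP-REQ -> AP-REP
        client, sk, t = verify_ap_req(self.key, self.name, ticket, auth, now, self.replay)
        return client, seal(sk, {"time": t})       # server proves it holds sk: mutual authentication

def demo(now=None):
    """Login, fetch a service ticket, authenticate, then replay the same authenticator."""
    now = int(time.time()) if now is None else now
    keys = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "host/fileserver": os.urandom(32)}
    kdc, alice = KDC(keys), Client("alice", keys["alice"])
    fs = Service("host/fileserver", keys["host/fileserver"])
    alice.login(kdc, now)
    ticket, sk = alice.service_ticket(kdc, "host/fileserver", now)
    auth = alice.authenticator(sk, now)
    who, ap_rep = fs.ap_exchange(ticket, auth, now)
    mutual = open_(sk, ap_rep)["time"] == now      # client-side check of the AP-REP
    try:
        fs.ap_exchange(ticket, auth, now)          # identical authenticator presented again
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return who, mutual, replay_rejected

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `("alice", True, True)`: the file server learned the client's name from the ticket alone, the client confirmed the server's reply, and the second presentation of the same authenticator was refused. Two simplifications matter in practice: the real protocol carries more fields (realm, addresses, flags, a nonce in the KDC reply) and, since version 5, normally requires pre-authentication before the AS reply is issued, because an AS-REP encrypted under a user's password-derived key is otherwise an offline guessing target for anyone who asks for it.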
There are several versions and distributions of Kerberos. Most of them are based on the MIT distributions. Some of the distributions are freely available, some are stand-alone commercial products, and others are part of larger free or proprietary systems. MIT Kerberos versions 4 and 5 are freely available. Versions 4 and 5 are based on completely different protocols; version 5 does, however, contain some compatibility code. Version 4 has long been obsolete and current MIT releases no longer include it, so this compatibility matters only for historical deployments:
- The Kerberos server can optionally service version 4 requests
- There is a program to convert a version 4 format Kerberos database to a version 5 format database
- An administration server that accepts version 4 requests and operates on a version 5 database is provided
Figure: Kerberos Protocol