Uses of kerberos?

Dustin dustin_dortch at hotmail.com
Sat May 4 16:28:34 EDT 2002


I think Töns hit it pretty dead on.  The main differences with
MS-Kerberos have to do with the PAC, which is essentially a "ticket"
to access resources.  In a Windows NT 4.0 domain, for example, you
authenticate to the PDC/BDC, and then try to access a resource.  Once
you request a resource, the server providing the resource will ask the
PDC/BDC for verification of your authentication credentials.  This
creates redundant traffic, and exposes many security holes.  In this
scenario, you are giving your username and password to the server. 
This is inherently unsafe.  This server could be "masquerading" on the
network just to record your credentials.  Instead of doing this,
Kerberos tickets are like passes.  In a concert, you may have a pass
that allows you to go backstage, and you just need to flash your pass,
rather than looking everything up.  Without other measures, each still
suffers from a big security hole.  Even with encrypted authentication
methods, you do not need the password.  You could record the protocol
in operation, and then "replay" it to gain access to resources.  The
PAC is time based.  It takes the current timestamp and uses it in the
encryption process.  It is only valid for a certain period of time,
and then is discarded from that point on.  So, the main benefits of
Kerberos are reduced traffic, and better security.  I hope this helps,
and I hope I was clear enough.

Dustin
Network+, MCP(x3)
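
A simplified model of the replay defence the message describes, added here as an example and not part of the original post or of any Kerberos implementation: a proof bound to a timestamp under a shared session key is accepted once, rejected when replayed, and rejected after its validity window. HMAC-SHA256 stands in for Kerberos encryption, and the names `make_proof`, `Verifier` and `MAX_SKEW` are hypothetical.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 300  # seconds; assumed validity window for this example


def make_proof(session_key: bytes, client: str, now: int) -> bytes:
    """Client side: bind the client name to the current time under the session key."""
    body = struct.pack(">Q", now) + client.encode()
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return tag + body


class Verifier:
    """Service side: checks integrity, then freshness, then first use."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.seen = {}  # replay cache: proof tag -> timestamp it carried

    def check(self, blob: bytes, now: int) -> str:
        tag, body = blob[:32], blob[32:]
        expected = hmac.new(self.session_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"  # forged, altered, or made under another key
        (stamp,) = struct.unpack(">Q", body[:8])
        if abs(now - stamp) > MAX_SKEW:
            return "expired"  # a recording replayed later fails here
        # Drop cache entries the time check alone would already reject,
        # so the cache only has to cover one validity window.
        self.seen = {t: s for t, s in self.seen.items()
                     if abs(now - s) <= MAX_SKEW}
        if tag in self.seen:
            return "replay"  # a recording replayed inside the window fails here
        self.seen[tag] = stamp
        return "ok"
```

The timestamp alone leaves the validity window open to replay; the cache of already-seen proofs is what closes it.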


