Does Kerberos Encrypt Authentication AND Traffic?
raeburn at MIT.EDU
Fri Sep 10 18:09:56 EDT 2004
On Sep 9, 2004, at 20:06, testls at netscape.net wrote:
> Does Kerberos Encrypt Authentication AND Traffic?
Kerberos, the protocol, will authenticate using encryption, and provide
an encryption key that can be used by an application protocol (such as
telnet) or another sub-application mechanism (like the krb5 gssapi
mechanism, which is used by ftp for example).
When you say "encrypt authentication", it sounds to me like you're
thinking of encrypting a password exchange. The authentication isn't
an exchange which happens to be encrypted; the cryptography is part of
the authentication method in the base protocol. Successful decryption
(and subsequent verification) of some data, which does not include a
password, is how an identity is authenticated.
Kerberos, the software package from MIT, implements the Kerberos
protocol, and has applications which can generally behave either way as
far as encrypting the session. It is not the only software package
which implements the Kerberos protocol.
> Some are saying that Kerberos will only encrypt the authentication.
> Others are saying that Kerberos will encrypt BOTH the AUTHENTICATION
> and the TELNET SESSION.
Depends on the application protocol and the software, and whether
you're referring to the base Kerberos protocol, the MIT Kerberos
package, or application protocols using Kerberos.
More information about the Kerberos