Does Kerberos Encrypt Authentication AND Traffic?
Ken Raeburn
raeburn at MIT.EDU
Fri Sep 10 18:09:56 EDT 2004
On Sep 9, 2004, at 20:06, testls at netscape.net wrote:
> Does Kerberos Encrypt Authentication AND Traffic?

Kerberos, the protocol, will authenticate using encryption, and provide
an encryption key that can be used by an application protocol (such as
telnet) or another sub-application mechanism (like the krb5 gssapi
mechanism, which is used by ftp for example).

When you say "encrypt authentication", it sounds to me like you're
thinking of encrypting a password exchange. The authentication isn't
an exchange which happens to be encrypted; the cryptography is part of
the authentication method in the base protocol. Successful decryption
(and subsequent verification) of some data, which does not include a
password, is how an identity is authenticated.

Kerberos, the software package from MIT, implements the Kerberos
protocol, and has applications which can generally behave either way as
far as encrypting the session. It is not the only software package
which implements the Kerberos protocol.

> Some are saying that Kerberos will only encrypt the authentication.
>
> Others are saying that Kerberos will encrypt BOTH the AUTHENTICATION
> and the TELNET SESSION.

Depends on the application protocol and the software, and whether
you're referring to the base Kerberos protocol, the MIT Kerberos
package, or application protocols using Kerberos.

Ken
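
Added example (not part of the original message and not code from MIT Kerberos): a much-simplified Python sketch of the idea in the reply above, that identity is proven by successful decryption and verification of data that never contains the password, and that a session key is left over for the application to use. The HMAC-based toy cipher, the PBKDF2 key derivation, the message fields and all function names are assumptions made for illustration; real Kerberos uses its own encryption types and message formats.

```python
import hashlib, hmac, json, os, time

def _subkeys(key):  # separate keys for the keystream and the MAC
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _stream(ke, nonce, n):
    blocks = (hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC, standing in for a real Kerberos encryption type."""
    ke, km = _subkeys(key)
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(ke, nonce, len(pt))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ke, km = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or modified data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(ke, nonce, len(ct)))))

def kdc_issue(user_key, service_key, client):
    session = os.urandom(32).hex()  # fresh per-session key chosen by the KDC
    reply = seal(user_key, {"session_key": session})
    ticket = seal(service_key, {"client": client, "session_key": session})
    return reply, ticket

def client_authenticator(password, salt, reply, client):
    user_key = hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)  # derived locally
    session = bytes.fromhex(unseal(user_key, reply)["session_key"])
    return session, seal(session, {"client": client, "ts": time.time()})

def service_accept(service_key, ticket, authenticator, max_skew=300):
    t = unseal(service_key, ticket)
    session = bytes.fromhex(t["session_key"])
    a = unseal(session, authenticator)  # succeeds only if the sender holds the session key
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > max_skew:
        raise ValueError("authenticator rejected")
    return t["client"], session

def demo(password=b"constructed-password"):
    salt, service_key = b"EXAMPLE.ORGalice", os.urandom(32)
    kdc_copy = hashlib.pbkdf2_hmac("sha256", b"constructed-password", salt, 10_000)
    reply, ticket = kdc_issue(kdc_copy, service_key, "alice")
    session, auth = client_authenticator(password, salt, reply, "alice")
    who, svc_session = service_accept(service_key, ticket, auth)
    return who, svc_session == session, b"constructed-password" in reply + ticket + auth
```

`demo()` returns the authenticated name, whether both ends hold the same session key, and whether the password appeared in any message sent. Whether that shared session key is then used to protect the telnet or ftp session is up to the application.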