Does Kerberos Encrypt Authentication AND Traffic?

Russ Allbery rra at stanford.edu
Fri Sep 10 18:09:23 EDT 2004


testls <testls at netscape.net> writes:

> Does Kerberos Encrypt Authentication AND Traffic?

> Some are saying that Kerberos will only encrypt the authentication. 

> Others are saying that Kerberos will encrypt BOTH the AUTHENTICATION and
> the TELNET SESSION.

> Which is true?

If you're talking about the telnet/telnetd implementation that comes with
MIT Kerberos, both are true.  Authentication and encryption are separately
negotiated, so you can choose whether to encrypt only the authentication
or encrypt both the authentication and the rest of the session.

If you're talking about Kerberos in the purest, most minimal sense as a
wire protocol, it provides a mechanism for negotiating a session key but
does not deal directly with what to do with that session key afterwards.

If you're talking about GSSAPI as a wire protocol, it has a mechanism for
negotiating privacy.

So it all depends on what context you're discussing these things in.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
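
The separate negotiation described in the reply above can be observed on the wire. The following is an added example, not part of the original post and not MIT Kerberos code: it scans each direction of a telnet stream for the AUTHENTICATION option (RFC 2941) and the ENCRYPT START suboption (RFC 2946) and reports them independently. The function names and sample byte strings are constructed for illustration.

```python
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
AUTHENTICATION, ENCRYPT = 37, 38   # telnet option codes (RFC 2941, RFC 2946)
ENCRYPT_START = 3                  # ENCRYPT suboption: sender encrypts from here on

def telnet_commands(data):
    """Yield (verb, option, payload) for each IAC command in one direction."""
    i = 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1
        elif data[i + 1] in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            yield data[i + 1], data[i + 2], b""
            i += 3
        elif data[i + 1] == SB:
            # Simplification: assumes no escaped IAC IAC directly before SE.
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                return                       # truncated capture
            yield SB, data[i + 2], data[i + 3:end]
            i = end + 2
        else:
            i += 2                           # IAC IAC or another 2-byte command

def summarize(data):
    """Return (auth_option_seen, encrypts_own_output) for one direction."""
    auth = encrypts = False
    for verb, option, payload in telnet_commands(data):
        if option == AUTHENTICATION and verb in (WILL, DO):
            auth = True                      # option agreed; REPLY is not decoded
        elif option == ENCRYPT and verb == SB and payload[:1] == bytes([ENCRYPT_START]):
            encrypts = True
            break                            # the rest is ciphertext, stop parsing
    return auth, encrypts

def classify(client, server):
    (c_auth, c_enc), (s_auth, s_enc) = summarize(client), summarize(server)
    if not (c_auth and s_auth):
        return "no authentication negotiated"
    if c_enc and s_enc:
        return "authentication negotiated, encrypted both ways"
    if c_enc or s_enc:
        return "authentication negotiated, encrypted one way only"
    return "authentication negotiated, session in cleartext"

# Constructed sample streams (not captured traffic).
SRV_AUTH = bytes([IAC, DO, AUTHENTICATION, IAC, SB, AUTHENTICATION, 1, 2, 2, IAC, SE])
CLI_AUTH = bytes([IAC, WILL, AUTHENTICATION])
ENC_ON = bytes([IAC, SB, ENCRYPT, ENCRYPT_START, 0, IAC, SE]) + b"\x9c\x11\xff\xfa"
```

Encryption is tracked per direction because each side sends its own START; a session can be authenticated with Kerberos and still carry everything after login in cleartext.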

