research help

Kevin L. Mitchell klmitch at MIT.EDU
Mon Jan 17 00:46:11 EST 2005


On Sun, 2005-01-16 at 06:52, Mark Goddard wrote:
> I'm a student in the UK at the Royal Military College of Science and am 
> having to do some research on Kerberos for my command and control degree. I 
> came across your website and I was wondering if you could help me either by 
> supplying me with some information on Kerberos or perhaps directing me to 
> somewhere I might be able to find the info.

The Kerberos protocol is documented in RFC 1510.  Additional RFCs
document other aspects of Kerberos and its use with other protocols. 
Kerberos is basically a modified Needham-Schroeder trusted third-party
cryptographic protocol.  (I would recommend picking up a copy of (at
least) Bruce Schneier's _Applied Cryptography_, which describes a number
of cryptographic protocols like Needham-Schroeder and explains why they
work...)

> I am trying to find out
> 
> 1.  How can a Kerberos transaction be protected over the net

Pure Kerberos messages don't really need any additional protection. 
Kerberos uses keys shared by a principal and a Key Distribution Center
to perform what is essentially a secure cryptographic key negotiation. 
The protocol does have provisions for hardware-based preauthentication
in the case of user principals, but I'm not very familiar with the
extension.

(If, on the other hand, you're asking about how these transactions can
be secure at all, I highly recommend reading _Applied Cryptography_. 
Schneier goes into a lot of detail about a number of theoretical and
practical cryptographic protocols and how they are able to accomplish
what they are able to accomplish...)

> 2.  How does a Kerberos user communicate with a non-Kerberos user over the 
> net

That question really doesn't have much meaning.  A Kerberos user
communicates with a non-Kerberos user in the normal way.  When both ends
of the link use Kerberos, however, it is possible to secure that
communication such that a third party cannot hijack or fake the
connection.  Moreover, the communication can then be encrypted using the
"session" key generated by the initial Kerberos protocol exchanges. 
These are optional pieces of the protocol, however; the very basic,
bare-bones Kerberos protocol provides strong authentication, and the
rest comes as an integral side-effect.

> 3. Has the adoption of Kerberos by Microsoft improved Windows security?

The addition of Kerberos allows Windows to make use of a strong
authentication scheme to verify user identities.  However, the vast
majority of Windows security problems are due to flaws in software:
Outright bugs that allow a remote attacker to inject code and force it
to be executed (buffer overflows, etc.); poor security decisions when
writing programs or designing protocols, often in the name of ease of
use; and insecure default configurations--also often in the name of ease
of use.  Kerberos does not and cannot address these problems.

> Any help would be hugely appreciated

Again, I highly recommend that you read _Applied Cryptography_.  (I also
should note that any follow-up questions you may have should probably be
directed to the list, as I am not normally an active contributor here
and have plenty of other things I *should* be doing at the moment...)
-- 
Kevin L. Mitchell <klmitch at mit.edu>
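The exchange Kevin describes above, worked through as an added example that is not part of the original message. It models the Kerberos-style Needham-Schroeder flow: the client and the service each share a long-term key only with the KDC; the KDC mints a fresh session key and returns it once under each of those keys (the copy under the service's key is the ticket); the client then proves possession of the session key to the service with a timestamped authenticator, and the service proves it back. Everything concrete here is constructed: the principal names, the password, the clock values, and the HMAC-SHA256-based encrypt-then-MAC that stands in for the real RFC 1510 encryption types and ASN.1 encoding. Two failure cases are included, a ticket altered in transit and an authenticator presented outside the clock-skew window, to show why the messages need no extra transport protection.

```python
"""Toy model of the Kerberos / Needham-Schroeder trusted-third-party exchange.
Illustration only: JSON messages and an HMAC-SHA256 encrypt-then-MAC stand in
for the ASN.1 encoding and encryption types of RFC 1510."""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300        # seconds of clock skew tolerated (MIT krb5's default)
LIFETIME = 8 * 3600   # ticket lifetime in seconds

# Constructed long-term keys. Each is known only to one principal and the KDC:
# the client's derived from a password, the service's from its keytab.
CLIENT = "alice@EXAMPLE.ORG"                    # made-up principal
SERVICE = "host/srv.example.org@EXAMPLE.ORG"    # made-up principal
KDC_DB = {CLIENT: hashlib.sha256(b"alice-password").digest(), SERVICE: os.urandom(32)}


class Rejected(Exception):
    """Raised wherever a real implementation would return a KRB_ERROR."""


def _sub(key, label):
    # derive separate encryption and MAC keys from one long-term or session key
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(key, nonce, n):
    # HMAC used as a PRF in counter mode: a keystream of n bytes
    blocks = (hmac.new(_sub(key, b"enc"), nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, msg):
    """Encrypt-then-MAC a dict: nonce || ciphertext || tag."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Reject any forged or modified message before decrypting it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise Rejected("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def kdc(client, service, nonce, now):
    """AS exchange: mint a session key and return it twice, once under each party's
    long-term key. The ticket is opaque to the client, the reply opaque to the service."""
    skey = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": client, "key": skey, "expiry": now + LIFETIME})
    reply = seal(KDC_DB[client], {"key": skey, "nonce": nonce, "service": service, "expiry": now + LIFETIME})
    return reply, ticket


def client_login(now):
    """Client side: decrypt the reply, check it answers our request, build an authenticator."""
    nonce = os.urandom(8).hex()
    reply_blob, ticket = kdc(CLIENT, SERVICE, nonce, now)
    reply = unseal(KDC_DB[CLIENT], reply_blob)          # only the client holds this key
    if reply["nonce"] != nonce or reply["service"] != SERVICE:
        raise Rejected("AS reply is not for this request")   # replayed or redirected reply
    skey = bytes.fromhex(reply["key"])
    return skey, ticket, seal(skey, {"client": CLIENT, "ts": now})


def service_verify(ticket, authenticator, now):
    """Service side (AP_REQ): the ticket shows the KDC vouched for the client; the
    authenticator shows the sender holds the session key right now."""
    t = unseal(KDC_DB[SERVICE], ticket)                 # only the service and the KDC hold this key
    if now > t["expiry"]:
        raise Rejected("ticket expired")
    skey = bytes.fromhex(t["key"])
    a = unseal(skey, authenticator)
    if a["client"] != t["client"]:
        raise Rejected("authenticator does not match ticket")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise Rejected("stale authenticator, possible replay")
    return skey, seal(skey, {"ts": a["ts"]})            # AP_REP: mutual authentication


def run_exchange(now=1_700_000_000):
    """True when both ends hold the same session key and the client verified the AP_REP."""
    ckey, ticket, authenticator = client_login(now)
    skey, ap_rep = service_verify(ticket, authenticator, now)
    return ckey == skey and unseal(ckey, ap_rep)["ts"] == now


def tampered_ticket_is_rejected(now=1_700_000_000):
    _, ticket, authenticator = client_login(now)
    bad = ticket[:20] + bytes([ticket[20] ^ 0x01]) + ticket[21:]   # flip one ciphertext bit
    try:
        service_verify(bad, authenticator, now)
    except Rejected:
        return True
    return False


def replayed_authenticator_is_rejected(now=1_700_000_000):
    _, ticket, authenticator = client_login(now)
    try:
        service_verify(ticket, authenticator, now + MAX_SKEW + 1)   # presented too late
    except Rejected:
        return True
    return False


if __name__ == "__main__":
    print("exchange ok:", run_exchange())
    print("tampered ticket rejected:", tampered_ticket_is_rejected())
    print("late authenticator rejected:", replayed_authenticator_is_rejected())
```

Nothing in this flow travels over an encrypted transport, which is the point of the answer to question 1: each message is already bound to a key that only its intended recipient holds, the service never sees the client's long-term key, and an attacker who modifies a ticket or replays an old authenticator is caught by the integrity tag or the timestamp check. Real Kerberos adds the ticket-granting service in between (so the password-derived key is used once per login rather than once per service), and the session key is what the later "optional pieces" use for integrity protection and encryption of the application data.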