Kerberos Overview

The Kerberos protocol was designed by the Massachusetts Institute of Technology (MIT) to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos keeps a database of its clients and their private keys. A private key is a large number known only to Kerberos and the client to which it belongs; if the client is a user, that key is an encrypted form of the user's password. Network services requiring authentication register with Kerberos, as do clients wanting to use those services. The private keys are negotiated at registration.

Because Kerberos knows these private keys, it can create messages that convince one client that another is really who it claims to be. Kerberos also generates temporary private keys, called session keys, which are given to clients and no one else. A session key can be used to encrypt messages between two parties.

Kerberos provides three distinct levels of protection. The application programmer determines which is appropriate, according to the requirements of the application. For example, some applications require only that authenticity be established at the initiation of a network connection and can assume that further messages from a given network address originate from the authenticated party.

Other applications require authentication of each message but do not care whether the content of the message is disclosed. For these, Kerberos provides safe messages. A still higher level of security is provided by private messages, where each message is not only authenticated but also encrypted. Private messages are used, for example, by the Kerberos server itself for sending passwords over the network.
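The following is an added example, not code from the original page or from MIT Kerberos, that models the relationships described above: a KDC holding the private keys of its registered principals, a fresh session key released only to the two parties (once under the client's key, once inside a ticket under the service's key), the service being convinced of the client's identity without contacting the KDC, and then a safe message (authenticated only) beside a private message (authenticated and encrypted) protected by that session key. The principal names, passwords and the hash-based authenticated encryption are constructed stand-ins for this example; they are not Kerberos' real encryption types or string-to-key function.

```python
import hashlib
import hmac
import json
import os

# ---- toy authenticated encryption (constructed; NOT Kerberos' real enctypes) ----
def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from one long-term or session key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only a holder of `key` can open it."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- the Kerberos server: a database of principals and their private keys ----
class KDC:
    def __init__(self):
        self.keys = {}  # principal name -> long-term secret key

    def register(self, principal: str, password: str) -> None:
        # A user's key is derived from the password (stand-in for string-to-key).
        self.keys[principal] = hashlib.sha256(password.encode()).digest()

    def issue_ticket(self, client: str, service: str):
        # Fresh session key, released only to the two parties: once under the
        # client's own key, once (inside the ticket) under the service's key.
        session_key = os.urandom(32).hex()
        ticket = encrypt(self.keys[service],
                         json.dumps({"client": client, "key": session_key}).encode())
        to_client = encrypt(self.keys[client],
                            json.dumps({"service": service, "key": session_key}).encode())
        return to_client, ticket

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):
    """Service side: the ticket names the client; the authenticator only decrypts
    if the sender really holds the session key, so no round trip to the KDC is needed."""
    info = json.loads(decrypt(service_key, ticket))
    session_key = bytes.fromhex(info["key"])
    claimed = json.loads(decrypt(session_key, authenticator))
    if claimed["client"] != info["client"]:
        raise ValueError("authenticator does not match ticket")
    return info["client"], session_key

# ---- the two higher protection levels, built on the session key ----
def safe_message(session_key: bytes, msg: bytes) -> bytes:
    # Safe: authenticated only; the content stays readable on the wire.
    return msg + hmac.new(session_key, msg, hashlib.sha256).digest()

def verify_safe(session_key: bytes, blob: bytes) -> bytes:
    msg, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(session_key, msg, hashlib.sha256).digest()):
        raise ValueError("safe message failed authentication")
    return msg

def run_demo():
    kdc = KDC()
    kdc.register("alice", "correct horse battery")          # constructed sample principals
    kdc.register("host/fileserver", "service-keytab-secret")
    to_client, ticket = kdc.issue_ticket("alice", "host/fileserver")
    # Client side: only alice's own key opens her half and reveals the session key.
    alice_key = hashlib.sha256(b"correct horse battery").digest()
    session_key = bytes.fromhex(json.loads(decrypt(alice_key, to_client))["key"])
    authenticator = encrypt(session_key, json.dumps({"client": "alice"}).encode())
    who, svc_key = service_accept(kdc.keys["host/fileserver"], ticket, authenticator)
    safe = safe_message(session_key, b"list /home/alice")
    priv = encrypt(session_key, b"new password: hunter2")  # private: encrypted + authenticated
    tampered = bytes([safe[0] ^ 0x01]) + safe[1:]          # flip one bit of the safe message
    try:
        verify_safe(svc_key, tampered)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "client": who,
        "safe_content_visible": safe.startswith(b"list /home/alice"),
        "safe_verified": verify_safe(svc_key, safe) == b"list /home/alice",
        "private_content_hidden": b"hunter2" not in priv,
        "private_opened": decrypt(svc_key, priv) == b"new password: hunter2",
        "tampered_rejected": tampered_rejected,
    }
```

Running `run_demo()` shows the three things the text asserts: the service learns `alice` from a ticket it can open only with its own key, the safe message is readable in transit but any modification is rejected, and the private message hides its content until the session key opens it.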

You can find more information on Kerberos at http://web.mit.edu/kerberos/www/.

PAP, CHAP, and EAP Authentication

Traditionally, remote users dial in to an access server to initiate a PPP session. PPP is the standard encapsulation protocol for the transport of different network protocols across Integrated Services Digital Network (ISDN), serial, or Public Switched Telephone Network (PSTN) connections.

PPP currently supports three authentication protocols: PAP and CHAP at the network layer, and EAP authentication at the link layer. These protocols are specified in RFCs 1334 and 2284. They are supported on synchronous and asynchronous interfaces. Authentication via PAP or CHAP is equivalent to typing in a username and password when prompted by the server. CHAP is considered to be more secure because the remote user's password is never sent across the connection.
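To make the PAP/CHAP contrast concrete, here is an added example (not code from the page or from any PPP implementation) that walks one CHAP exchange between the authenticator and the peer as RFC 1994 specifies it: the authenticator sends an Identifier and a random Challenge, the peer answers with MD5(Identifier || secret || Challenge), and the authenticator recomputes the hash from its own copy of the secret. A PAP Authenticate-Request is built beside it for comparison. The shared secret, username and password are constructed sample values.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"dialin-s3cret"   # constructed sample; configured on both PPP peers

def pap_authenticate_request(username: str, password: bytes) -> bytes:
    # PAP (RFC 1334): the Authenticate-Request carries the password itself.
    return b"PAP " + username.encode() + b" " + password

def chap_challenge():
    # Authenticator -> peer: Challenge packet with a one-octet Identifier and a random value.
    return os.urandom(1)[0], os.urandom(16)

def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    # Peer -> authenticator: MD5 over Identifier || secret || Challenge (RFC 1994 section 2).
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    # Authenticator recomputes the hash from its own copy of the secret and compares.
    expected = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return hmac.compare_digest(expected, response)

def run_chap(secret_known_to_peer: bytes):
    """One CHAP exchange. Returns (accepted, secret_visible_on_wire, replay_accepted)."""
    ident, challenge = chap_challenge()
    response = chap_response(ident, challenge, secret_known_to_peer)
    wire = [challenge, response]              # everything an eavesdropper could capture
    accepted = chap_verify(ident, challenge, response, SHARED_SECRET)
    secret_on_wire = any(SHARED_SECRET in pkt for pkt in wire)
    # The next session gets a fresh challenge, so a captured response no longer verifies.
    ident2, challenge2 = chap_challenge()
    replay_accepted = chap_verify(ident2, challenge2, response, SHARED_SECRET)
    return accepted, secret_on_wire, replay_accepted

def run_pap(password: bytes) -> bool:
    """PAP for comparison: True when the password itself appears on the wire."""
    return password in pap_authenticate_request("alice", password)
```

With the correct secret the peer is accepted, the secret never appears in either packet, and the captured response fails against a fresh challenge; with a wrong secret the response is simply rejected. The remaining exposure is the one the text leaves implicit: a captured challenge/response pair lets an eavesdropper test guesses against the secret offline, so CHAP's advantage over PAP depends on the secret being long and random rather than a guessable password.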

EAP is an authentication framework that runs directly over an IEEE 802 or PPP data link layer, allowing the use of many different authentication types.
