What is 'Kerberos'?

Kerberos is an authentication service developed at MIT. In the traditional approach to authentication, known as authentication by assertion, the program that runs on behalf of the user (the client) asserts to the secondary service that it is a bona fide representative of the user. The service usually authenticates the client by asking it for some secret information, such as a password. There are two main problems with this:
Kerberos works in a slightly different way: a user must provide a valid ticket when contacting a service. Tickets are issued by the Kerberos authentication server and demonstrate knowledge that only the bearer can know, such as a password. Kerberos requires that both the user and the service be registered with the authentication service. When the client wants to contact the service, it first talks to the authentication service and is issued with a ticket. The ticket is then passed to the service along with the service request. The ticket has an expiry time of about 5 minutes after the initial request and is also encrypted, so it is very difficult to forge. For more details on how Kerberos works, read the introduction at www.isi.edu.
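The ticket flow described above, as an added example that is not part of the original page and is not Kerberos code. It is a simplified model: an HMAC seal under the service's key stands in for the encrypted ticket, there is no session key, and every name in it (`AuthServer`, `client_proof`, `service_accepts`) is hypothetical.

```python
import base64
import hashlib
import hmac
import json

LIFETIME = 300  # seconds: the "about 5 minutes" expiry from the text

def derive_key(secret: str, salt: str) -> bytes:
    # Long-term key a registered principal shares with the authentication server.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 100_000)

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def client_proof(user_key: bytes, service: str, ts: int) -> bytes:
    # The client shows it knows the password-derived key without sending it.
    return mac(user_key, f"{service}|{ts}".encode())

class AuthServer:
    def __init__(self):
        self.users, self.services = {}, {}  # name -> long-term key

    def issue_ticket(self, user, proof, service, ts, now):
        ukey, skey = self.users.get(user), self.services.get(service)
        if ukey is None or skey is None or abs(now - ts) > LIFETIME:
            return None  # unregistered principal or stale request
        if not hmac.compare_digest(proof, client_proof(ukey, service, ts)):
            return None  # caller does not know the user's key
        body = json.dumps({"user": user, "service": service,
                           "exp": now + LIFETIME}).encode()
        # Sealed under the service's key, which only it and the server hold.
        return base64.urlsafe_b64encode(mac(skey, body) + body).decode()

def service_accepts(service, skey, ticket, now):
    """Return the authenticated user name, or None if the ticket is rejected."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:
        return None  # not even well-formed
    tag, body = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, mac(skey, body)):
        return None  # forged or altered ticket
    claims = json.loads(body)
    if claims["service"] != service or now > claims["exp"]:
        return None  # issued for another service, or expired
    return claims["user"]
```

The service never sees the user's password or key; it trusts only what the authentication server sealed, and only until the expiry time.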