Changes between Initial Version and Version 1 of Kerberos

01/30/12 14:35:44 (11 years ago)



  • Kerberos

    v1 v1  
     1Stolen from /mit/ghudson/info/athena 
     4Many Athena services use a security system called Kerberos.  Kerberos 
     5can be thought of as a service for negotiating shared secrets between 
     6unfamiliar parties. 
     8A central server called a KDC (Key Distribution Center) has a 
     9pre-shared secret with each user and with each service.  The secrets 
     10shared with users are conventionally called "passwords"; the secrets 
     11shared with services are conventionally called "keytabs" (or 
     12"srvtabs", in older jargon).  Together, users and services are called 
     15When one principal requests to negotiate a shared key with another 
     16principal, the KDC makes up a random new key (called a "session key"), 
     17encrypts it once in each principal's key (along with a bunch of other 
     18information), and sends both pieces of ciphertext back to the first 
     19principal, which will in turn send the appropriate part to the second 
     20principal when it is ready to talk.  Since both principals can get at 
     21the session key by decrypting their bit of ciphertext, they now have a 
     22shared secret which they can use to communicate securely.  Kerberos 
     23clients record these bits of information in "credential caches" (or 
     24"ticket files" in older jargon; neither term is particularly correct 
     25since the file is not strictly a cache and stores more than just 
     28There are two versions of the Kerberos protocol in use on Athena, 4 
     29and 5.  The Kerberos 5 protocol supports more features and different 
     30types of cryptographic algorithms, but is also a great deal more 
     33See for more complete and precise 
     34information about Kerberos.  Athena services which use Kerberos 
     35include AFS, discuss, zephyr, olc, moira, and remote login and FTP 
     36(when both parties support it).