Glossary

Kerberos

The acceptance of Kerberos as a common authentication system has been limited until fairly recently. With Microsoft's support of Kerberos in Windows 2000, and Sun's support of Kerberos in Solaris and Java, the number of applications that will accept Kerberos credentials, and that can participate in a secure SSO solution with little or no additional effort, will dramatically increase.

Kerberos is a trusted third-party authentication system whose credentials are conceptually similar to Public Key certificates, except that they are issued and verified with symmetric-key cryptography rather than public-key signatures. In the Kerberos model, the trusted third party is called the Key Distribution Center (KDC). The KDC issues credentials called "tickets": a ticket-granting ticket (TGT) when the user first authenticates, and then a service ticket for each Kerberos-protected application the user accesses. A ticket is encrypted under a key known only to the KDC and the target service, so the client can present it but cannot read or alter it, and a ticket is necessary in order to access an application that is protected by Kerberos. Kerberos tickets are typically issued with a lifetime of hours or days (a default of around ten hours is common), instead of the months or years typical of Public Key credentials. For example, an employee authenticates once each morning, and the tickets issued are good for that day only. The next morning, those tickets are unusable, and the individual must re-authenticate to re-establish their association with, and right to access, enterprise resources.

Extensions to Kerberos, standardized as PKINIT (RFC 4556), also provide for the use of Public Key credentials for authentication, allowing Kerberos to integrate with Public Key systems. Integration may be at the individual level, where the user proves possession of a private key held on a smart card or in a file-based Public Key credential during the initial authentication (e.g., in place of a password), or at the enterprise level, where Public Key may be used to establish a cross-realm trust relationship between different enterprise KDCs. (Kerberos has always supported cross-realm trust using conventional symmetric-key cryptography, by sharing a secret key between the two realms' KDCs, but managing those keys pairwise is somewhat cumbersome.)

Unlike Public Key, Kerberos allows an individual and the KDC to share an established secret, such as a password, and that password may be used for authentication: the client's long-term key is derived from the password with a salted string-to-key function, and the password itself is never sent across the network. The protocol provides robust protection of password-based authentication, with one caveat a practitioner should keep in mind: the KDC must require pre-authentication (by default, a timestamp encrypted under the password-derived key) before issuing credentials. If it does not, anyone can request an authentication reply for a principal and guess that principal's password offline against the material encrypted under the password-derived key, so password strength still matters. This makes Kerberos suitable for lower-cost applications within an enterprise, where Public Key client credential management costs are unacceptable. It also allows Kerberos to use existing legacy databases to, e.g., provide the initial secret. Kerberos also provides a framework for integrating additional "pre-authentication" mechanisms, such as token cards and biometrics, alongside or in place of the encrypted-timestamp check. These mechanisms may be used alone or in combination to achieve the required authentication strength.
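The ticket issuance and lifetime check described under the KDC above, and the password-based pre-authentication in the paragraph just above, as an added example that is not code from the original page: a toy Python model of the KDC's Authentication Service exchange (AS-REQ/AS-REP) and of the ticket-granting service's check of a presented TGT. It is not the RFC 4120 wire format; seal()/unseal() are a stand-in cipher (HMAC-SHA256 keystream plus tag) for the real Kerberos encryption types, the realm EXAMPLE.COM, the principals alice and bob, their passwords and the timestamps are all constructed for the example, and the lifetime, clock-skew and require_preauth settings are assumptions chosen to illustrate the behaviour.

```python
# Toy model of the Kerberos AS exchange (added illustration; not the RFC 4120 wire
# format, and seal()/unseal() stand in for the real Kerberos encryption types).
import hashlib
import hmac
import json
import os

def string_to_key(password, salt):
    # Password -> long-term key via a salted string-to-key function (the AES enctypes
    # use PBKDF2); the salt is conventionally realm name + principal name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(ke, nonce, length):
    return b"".join(hmac.new(ke, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))

def seal(key, obj):
    # Toy authenticated encryption: separate enc/mac subkeys, HMAC keystream, tag over nonce||ct.
    ke, km = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(ke, nonce, len(pt))))
    return nonce + ct + hmac.new(km, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ke, km = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(ke, nonce, len(ct)))))

class KDC:
    """Authentication Service side of a KDC with PA-ENC-TIMESTAMP pre-authentication."""

    def __init__(self, realm, ticket_lifetime=10 * 3600, clock_skew=300, require_preauth=True):
        self.realm, self.lifetime, self.skew = realm, ticket_lifetime, clock_skew
        self.require_preauth = require_preauth
        self.krbtgt_key = os.urandom(32)  # tickets are sealed under this; it never leaves the KDC
        self.principals = {}              # principal name -> long-term key

    def register(self, name, password):
        self.principals[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, as_req, now):
        """AS-REQ -> AS-REP; any authentication failure raises PermissionError."""
        key = self.principals.get(as_req["cname"])
        if key is None:
            raise PermissionError("unknown principal")
        padata = as_req.get("padata")
        if padata is None and self.require_preauth:
            raise PermissionError("pre-authentication required")
        if padata is not None:
            try:
                ts = unseal(key, padata)  # only a holder of the password can produce this
            except ValueError:
                raise PermissionError("pre-authentication failed") from None
            if abs(ts["timestamp"] - now) > self.skew:
                raise PermissionError("pre-authentication timestamp outside clock skew")
        session_key, endtime = os.urandom(32).hex(), now + self.lifetime
        tgt = seal(self.krbtgt_key, {"cname": as_req["cname"], "key": session_key,
                                     "authtime": now, "endtime": endtime})
        enc_part = seal(key, {"key": session_key, "endtime": endtime})  # needs the password to read
        return {"ticket": tgt, "enc_part": enc_part}

    def check_ticket(self, tgt, now):
        """What the ticket-granting service does with a presented TGT."""
        ticket = unseal(self.krbtgt_key, tgt)  # a forged or modified ticket fails here
        if now > ticket["endtime"]:
            raise PermissionError("ticket expired; re-authenticate")
        return ticket

def client_login(kdc, name, password, now, preauth=True):
    """Client side: derive the key from the password, pre-authenticate, obtain a TGT."""
    key = string_to_key(password, kdc.realm + name)
    req = {"cname": name}
    if preauth:
        req["padata"] = seal(key, {"timestamp": now})
    rep = kdc.as_exchange(req, now)
    enc = unseal(key, rep["enc_part"])  # a wrong password would fail here, not earlier
    return {"tgt": rep["ticket"], "session_key": enc["key"], "endtime": enc["endtime"]}

def offline_guess(enc_part, realm, name, wordlist):
    """Why pre-authentication matters: an AS-REP obtained without it lets anyone
    guess the password offline against the reply's encrypted part."""
    for candidate in wordlist:
        try:
            unseal(string_to_key(candidate, realm + name), enc_part)
            return candidate
        except ValueError:
            continue
    return None

def rejected(fn, *args, **kwargs):  # True if the call is refused with PermissionError
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

With a KDC that requires pre-authentication, a wrong password is refused at the KDC before any reply is issued, a replayed pre-authentication blob outside the clock-skew window is refused, a TGT presented after its endtime is refused by check_ticket, and a TGT with even one byte changed fails the integrity check. With require_preauth=False, as_exchange hands out an AS-REP to an unauthenticated requester and offline_guess recovers the password from a short wordlist, which is the weakness pre-authentication exists to close.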