1.2 What Is Kerberos?
Kerberos provides a secure, single-sign-on, trusted third-party, mutual
authentication service. What does that mean? Let's break that definition
down into its parts and briefly describe each one.
- Secure: Kerberos is secure because it never transmits the user's
password over the network at all, in the clear or otherwise. Instead it
uses tickets, time-limited cryptographic messages that prove a user's
identity to a given server without sending the password over the network
or caching it on the user's local disk. The client proves knowledge of a
key derived from the password, and from that point on everything is done
with tickets.
- Single-sign-on: Single-sign-on means that end users log in once and can
then reach every network resource that supports Kerberos. Once a user has
authenticated to Kerberos at the start of her login session, the tickets
she needs are obtained and presented on her behalf, transparently, for
every Kerberized service she accesses during the day, until those tickets
expire and she has to log in again.
- Trusted third-party: Trusted third-party refers to the fact that
Kerberos works through a centralized authentication server that every
system in the network trusts. Each user and each service shares a secret
key with that server, so all authentication requests are routed through it
rather than negotiated directly between a client and a service that share
no secret of their own.
- Mutual authentication: Mutual authentication ensures not only that the
person behind the keyboard is who he claims to be, but also that the
server he is communicating with is who it claims to be. Many
authentication schemes verify only the user and leave him no way to check
the server; Kerberos protects the confidentiality of sensitive information
by ensuring that the service the user is about to hand it to is genuine
and not an impostor standing in for it.
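To make the four properties concrete, the following is an added toy walk-through in Python. It is not code from the book and it is not real Kerberos: there is no ASN.1 wire format, a stdlib-only encrypt-then-MAC construction stands in for the RFC 3962/8009 encryption types, and the ticket-granting step is omitted so the KDC issues a service ticket straight from the initial exchange. The principal names (alice, host/fileserver), the password, the 300-second skew window and the 10-hour lifetime are all constructed for the example. What it does show is the password never leaving the client, a time-limited ticket that only the genuine service can open, the KDC as the party both sides trust, and the reply under the session key that lets the client reject a spoofed server.

```python
# Toy Kerberos-style exchange (added illustration, not real Kerberos): stdlib-only encrypt-then-MAC
# stands in for the RFC 3962/8009 ciphers, there is no ASN.1 and no ticket-granting step.
import hashlib
import hmac
import json
import os
import secrets

SKEW = 300            # seconds of clock skew the service tolerates (constructed value)
LIFETIME = 10 * 3600  # ticket lifetime in seconds (constructed value)

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password; the key, never the password, is what gets used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag before decrypting; ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # trusted third party: shares a long-term key with every principal, user or service
    def __init__(self, keys: dict):
        self.keys = keys
    def as_exchange(self, client: str, service: str, preauth: bytes, now: int):
        # PA-ENC-TIMESTAMP-style pre-authentication: the client proves it holds its key by
        # encrypting the current time. The password itself never travels.
        ts = unseal(self.keys[client], preauth)["timestamp"]
        if abs(ts - now) > SKEW:
            raise ValueError("pre-authentication timestamp outside skew window")
        session_key, expires = secrets.token_bytes(32).hex(), now + LIFETIME
        # The ticket can be opened only by the service, the enc part only by the client.
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key, "expires": expires})
        enc_part = seal(self.keys[client], {"service": service, "session_key": session_key, "expires": expires})
        return ticket, enc_part

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        t = unseal(self.key, ticket)                     # only the genuine service can open it
        if now > t["expires"]:
            raise ValueError("ticket expired")
        sk = bytes.fromhex(t["session_key"])
        auth = unseal(sk, authenticator)                 # client proved it holds the session key
        if auth["client"] != t["client"] or abs(auth["timestamp"] - now) > SKEW:
            raise ValueError("authenticator does not match ticket")
        # AP-REP: echo the timestamp under the session key so the client can verify the server.
        return seal(sk, {"timestamp": auth["timestamp"]})

class ImpostorService(Service):
    def ap_exchange(self, ticket, authenticator, now):   # lacks the real key: cannot read the ticket
        return seal(secrets.token_bytes(32), {"timestamp": now})

def login_and_access(kdc: KDC, service: Service, client: str, password: str, now: int):
    """Client side: the password is used once at login, then access is ticket-based and mutual."""
    k_client = string_to_key(password, client)
    ticket, enc_part = kdc.as_exchange(client, service.name, seal(k_client, {"timestamp": now}), now)
    sk = bytes.fromhex(unseal(k_client, enc_part)["session_key"])
    del k_client, password                               # nothing password-derived is needed from here
    ap_rep = service.ap_exchange(ticket, seal(sk, {"client": client, "timestamp": now}), now)
    if unseal(sk, ap_rep)["timestamp"] != now:           # unseal raises ValueError for an impostor
        raise ValueError("server failed mutual authentication")
    return ticket, sk

def demo() -> dict:
    """Constructed scenario: genuine login, wrong password, spoofed server, expired ticket."""
    now = 1_700_000_000
    keys = {"alice": string_to_key("correct horse", "alice"), "host/fileserver": secrets.token_bytes(32)}
    kdc, fs = KDC(keys), Service("host/fileserver", keys["host/fileserver"])
    ticket, sk = login_and_access(kdc, fs, "alice", "correct horse", now)
    late = now + LIFETIME + 1
    attempts = {
        "wrong_password": lambda: login_and_access(kdc, fs, "alice", "wrong", now),
        "impostor_server": lambda: login_and_access(kdc, ImpostorService(fs.name, b""), "alice", "correct horse", now),
        "expired_ticket": lambda: fs.ap_exchange(ticket, seal(sk, {"client": "alice", "timestamp": late}), late),
    }
    out = {"genuine": "ok"}
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "ok"
        except ValueError:
            out[label] = "rejected"
    return out
```

Calling `demo()` runs the four scenarios and reports which were accepted: only the genuine login succeeds, while a wrong password fails at the KDC before any ticket is issued, the impostor cannot produce a reply under the session key it never saw, and the expired ticket is refused by the service even though the client still holds it. The only things the client ever puts on the wire are encrypted timestamps and tickets, never the password or the key derived from it.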
These four concepts describe the basis of the Kerberos network
authentication service. We'll take a closer look at them and the
surrounding terminology in the following chapter.