Kerberos divides the network into security domains called realms. Each realm
has its own authentication server and implements its own security policy. This
allows organizations implementing Kerberos to apply different levels of security
to different information classes within the organization. A realm can accept
authentications from other realms, or it can refuse them and require
re-authentication if its information security policy demands it.
Realms are hierarchical. That is, each realm may have child realms, and each
realm may have a parent. This structure allows realms that have no direct
contact to share authentication information. If an organization has a
corporate-wide user naming policy, for example, a user authenticated in one
Kerberos realm can connect to a computer in another realm without
re-authenticating, even when there is logically no direct connection between
the two realms. Specifically, if an organization ABC.COM has installed Kerberos,
it may have created the departmental realms PAYROLL.ABC.COM and
RESEARCH.ABC.COM. If a user authenticates to the realm RESEARCH.ABC.COM and
wants to use information from PAYROLL.ABC.COM, there is no need to
re-authenticate: the user's identity is passed between the realms by way of the
parent realm ABC.COM. Because both realms are part of the same organization,
they can trust each other. On the other hand, if a user authenticates to DEF.COM
and wants to use information from RESEARCH.ABC.COM, Kerberos can require the
user to re-authenticate to an authentication server within ABC.COM before
sharing information. Because Kerberos provides secure authentication and
encryption, this communication can take place securely over the Internet, a
public, hostile network. If the two companies want to accept each other's
authentication, the two root Kerberos servers, ABC.COM and DEF.COM, need to
share an encryption key. Because the Kerberos naming convention supports
Internet domain names, a Kerberos user at DEF.COM can authenticate as a user to
ABC.COM even if the two Kerberos installations cannot directly share
authentications.
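The realm traversal described above, as an added example that is not part of the chapter or of any Kerberos implementation: it walks from the client's realm up to the nearest common ancestor and back down to the server's realm (or root to root across organizations), and refuses the path when any hop lacks a shared inter-realm key. The realm names and key pairs are constructed to match the ABC.COM and DEF.COM scenario.

```python
# Constructed realm hierarchy: realms are named like DNS domains, and the
# parent of a realm is the longest suffix of its name that is itself a realm.
REALMS = {"ABC.COM", "RESEARCH.ABC.COM", "PAYROLL.ABC.COM", "DEF.COM"}

# Constructed inter-realm keys: each pair of realms that shares an encryption
# key (the parent/child links inside ABC.COM plus one root-to-root key).
SHARED_KEYS = {
    frozenset({"RESEARCH.ABC.COM", "ABC.COM"}),
    frozenset({"PAYROLL.ABC.COM", "ABC.COM"}),
    frozenset({"ABC.COM", "DEF.COM"}),
}

def parent_realm(realm, realms=REALMS):
    """Nearest ancestor of `realm` that exists in `realms`, or None at a root."""
    labels = realm.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in realms:
            return candidate
    return None

def ancestors(realm, realms=REALMS):
    """[realm, parent, grandparent, ..., root]."""
    chain = [realm]
    while (p := parent_realm(chain[-1], realms)) is not None:
        chain.append(p)
    return chain

def realm_path(client_realm, server_realm, realms=REALMS, keys=SHARED_KEYS):
    """Realms an authentication traverses from client_realm to server_realm:
    up to the nearest common ancestor and back down, or root-to-root when the
    two realms belong to different organizations.  Returns None if any hop
    lacks a shared key, i.e. the server realm would have to re-authenticate."""
    up = ancestors(client_realm, realms)
    down = ancestors(server_realm, realms)
    common = next((r for r in up if r in down), None)
    if common is None:  # separate hierarchies: the two roots must share a key
        path = up + list(reversed(down))
    else:
        path = up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))
    for hop in zip(path, path[1:]):
        if frozenset(hop) not in keys:
            return None
    return path

def transited_realms(path):
    """Intermediate realms that vouched for the client along `path`."""
    return path[1:-1]
```

Removing the ABC.COM/DEF.COM key from SHARED_KEYS makes realm_path return None for the cross-company case, which is the situation in which the text says Kerberos can demand re-authentication within ABC.COM.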
RFCs
An RFC is a request for comment. This is a mechanism used to
distribute ideas for standards in the internetworking industry. The RFC
describes the protocol or standard the issuer would like to see adopted.
Earlier versions of Kerberos were not described in RFCs. RFC 1510, however,
describes version 5 of Kerberos.
RFC 1510
This document gives an overview and specification of version
5 of the protocol for the Kerberos network authentication system. It is
available from the following:
ftp://ftp.isi.edu/in-notes/rfc1510.txt
Much of the information in this chapter is based on RFC
1510, and some portions are directly extracted from the RFC.