Monday, 14 January 2013

Versions of Kerberos Version 5

Version 5 of Kerberos is the most recent version. Changes in the protocol have solved a
number of security problems from version 4.
 
MIT Kerberos Version 5
MIT Kerberos version 5 is freely available from the same site as MIT version 4,
via anonymous FTP from athena-dist.mit.edu (18.71.0.38).

OSF DCE Security
The Open Systems Foundation (OSF) has defined a Distributed Computing Environment
(DCE) with security based on Kerberos version 5, and using the same wire protocol. However,
applications from two systems use the protocol in different ways, so the actual interoperability
between Kerberos and DCE is limited. Because DCE is defined as an open standard, it is up to
manufacturers to provide products that fit into that standard. More and more manufacturers
are providing DCE-compliant products, and it is now possible to assemble a complete DCE-compliant
security environment by selecting DCE-compliant vendors.

Bones
Kerberos is a network security system that relies on cryptographic methods for its security.
Because Kerberos’ encryption system, DES, cannot be exported, Kerberos itself cannot be exported or used outside the United States and Canada in its original form. Bones is a system
that provides the Kerberos API without using encryption and without providing any form of
security—it’s a fake that enables the use of software that expects Kerberos to be present when it
cannot be.
Note: Bones possesses the property of there being absolutely no question about its legality
concerning transportation of its source code across national boundaries. It neither
has any encryption routines nor any calls to encryption routines.
You can obtain a working copy of Bones through anonymous FTP from ftp.funet.fi
(128.214.6.100) in pub/unix/security/kerberos. A DES library is available at the same location.

SESAME
SESAME is an initiative of the European community to produce a product compatible with
Kerberos version 5. SESAME-compatible systems are accessible through Kerberos and vice
versa. SESAME makes use of DES software developed outside North America, and is not
subject to export restrictions. Information on SESAME is available from
http://www.esat.kuleuven.ac.be/cosic/sesame3.html.

Versions of Kerberos

Several different versions and distributions of Kerberos are available. Most of them are based
on MIT distributions in one form or another, but the lineage isn’t always simple to trace. The
newest version of MIT Kerberos is version 5. Versions 4 and 5 are based on completely
different protocols. The MIT Kerberos version 5 distribution contains some compatibility
code to support conversion from version 4: 
  • The Kerberos version 5 server can optionally service version 4 requests.
  • A program enables users to convert a version 4 format Kerberos database to a version 5
    format database.
  • An administration server accepts the version 4 protocol and operates on a version 5 database.

Some distributions are freely available, some are stand-alone commercial products, and others
are part of a larger free or commercial system.

Versions of Kerberos Version 4

There are several version 4 distributions available. Because version 4 is not totally compatible
with version 5, organizations starting new Kerberos installations should consider starting
at version 5.

MIT Kerberos Version 4 Availability
MIT version 4 is freely available in the U.S. and Canada through anonymous FTP from
athena-dist.mit.edu (18.71.0.38). For specific instructions, change to the pub/Kerberos directory and download the file README.KRB4 (for version 4) or README.KRB5 (for
version 5), both of which are text files that explain the export restrictions and contain detailed
instructions on how to download the source code via anonymous FTP. Locations outside
North America may use the Bones version.

Transarc Kerberos
A second distribution of Kerberos version 4 is available as a commercial product from
Transarc. Years ago, the designers of AFS decided to implement their own security system
based on the Kerberos specification rather than using MIT Kerberos version 4, which then was
not publicly available. Consequently, Transarc’s AFS Kerberos speaks a slightly different
protocol but also understands the MIT Kerberos version 4 protocol. They can, in principle,
talk to each other. Enough annoying incompatible details, however, make it impractical.

DEC Ultrix Kerberos
A third distribution of Kerberos version 4 is available from Digital Equipment Corporation.
Aside from a few changes, DEC’s commercial version essentially matches MIT Kerberos
version 4.