
Kerberos

What is Kerberos?

Kerberos is a network authentication protocol designed to provide strong authentication and improved security for users and for client/server applications. It is also well suited to securing multi-tier application architectures, especially when components of the application reside on different operating systems.

Kerberos - past, present and future

The past

The protocol is appropriately named after the three-headed dog (Cerberus) that, in Greek mythology, guarded the entrance to Hades (the Underworld). Kerberos was originally designed by scientists from MIT and the first reference implementation was developed during the MIT Athena project in 1988.

Present

Since 1988 it has evolved into a widely used and strategic IETF security standard (RFC 4120) and is now complemented by many other IETF standards and Internet drafts, such as GSS-API, PKINIT, FAST, and many more. The protocol and its related standards and drafts are still evolving. The IETF Kerberos working group charter shows the current changes and improvements being progressed by the working group.

A summary of the standards implemented in, or used by TrustBroker products, can be found here...

The future

The most exciting new developments related to Kerberos, which will undoubtedly change the way that Kerberos is used in the future, are summarised below:

Project Moonshot

This project is a JANET(UK)-led initiative, in partnership with the GEANT project and others, to develop a single unifying technology for extending the benefits of federated identity to a broad range of non-Web services, including Cloud infrastructures, High Performance Computing & Grid infrastructures and other commonly deployed services such as mail, file store, remote access and instant messaging.

The goal of the technology is to enable the management of access to a broad range of services and applications using a single technology and infrastructure. This is expected to significantly improve the delivery of these services by providing users with a common single sign-on for both internal and external services. Service providers will be able to offer their services more easily to users from other organisations using a single common authentication mechanism. This will enhance the user's experience, and reduce costs for the organisations supporting those users and delivering services to them.

The protocol used for authentication and encryption key management in Moonshot is Kerberos.

SAML+SASL+Kerberos

There are various projects underway to allow SAML, SASL and Kerberos to be used with each other, linking the authentication technology used on the Internet with the authentication technology used on an intranet, namely Kerberos.

CyberSafe are committed to embracing standard protocols, and are excited about the future use cases of the Kerberos protocol, such as those described above. We have started researching some of these technologies, so we can plan our future TrustBroker product developments.

The history of our company, showing how our own commercial implementation of Kerberos, included in the TrustBroker products has progressed, is summarised here.

Who uses it?

It is impossible to list all of the vendors and companies using Kerberos, so we have included a few examples below which are relevant to the CyberSafe products. The MIT Kerberos Consortium has estimated in its FAQ (see the question titled "So, how many people are using Kerberos?") that Kerberos is used by well over 100 million people worldwide.

The following vendors implement Kerberos in some of their products:

Microsoft

Perhaps the most widely known products which use Kerberos are Microsoft Windows and Microsoft Active Directory. In a Microsoft network/domain, users authenticate using the Kerberos protocol when they log on to their Windows workstation. The credentials issued during this logon can easily be re-used to authenticate the user to various Kerberos-enabled applications, giving them a secure single sign-on experience: they only have to authenticate once, when they log on to their workstation. The CyberSafe TrustBroker products are designed to allow applications to use the Kerberos protocol and to benefit from an existing Active Directory infrastructure, implementing secure single sign-on, reduced sign-on or common authentication.

The Microsoft XBOX also uses the Kerberos protocol to authenticate users to the Microsoft XBOX Live services on the Internet.

SAP

Some of the licensed software from SAP includes an implementation of Kerberos (based on an old MIT open source release). SAP has modified certain aspects of the protocol, for licensing reasons, to control how it is used by its customers. When using TrustBroker products with SAP applications there are no interoperability limitations or proprietary changes made to the protocol, and the TrustBroker products can be used to implement a wider range of security solutions with SAP business applications. Many customers are choosing the CyberSafe TrustBroker products for use with their SAP business applications instead of the Kerberos functionality included with software from SAP.

More information

How does it work?

On the MIT Kerberos Consortium website, a tutorial is provided which explains how the protocol works. There are many other sites on the Internet where the protocol is explained, some in less detail than others. If you don't find this tutorial useful, we suggest you search the Internet using your favourite search engine.
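As a compact companion to that tutorial, the following is an added, self-contained walk-through of the three Kerberos exchanges (AS, TGS and AP), written for this page and not taken from the MIT, Microsoft or TrustBroker implementations. It assumes a constructed HMAC-based keystream cipher in place of the real Kerberos encryption types, omits realms and most ticket fields, and runs client, KDC and service in one process. It shows the two properties claimed elsewhere on this page: the password is only ever used locally to derive a key, so it is never stored on or sent across the network, and the session key carried in the ticket gives the application integrity and privacy protection for its data.

```python
# Toy walk-through of the Kerberos AS / TGS / AP exchanges in plain Python.
# Added illustration only: not CyberSafe/TrustBroker or MIT code. Assumptions:
# a constructed HMAC-keystream cipher stands in for real Kerberos enctypes,
# realms and most ticket fields are omitted, and all parties run in one process.
import hashlib, hmac, json, os, time

def key_from_password(password: str, salt: str) -> bytes:
    # string-to-key: the client's long-term key is derived locally; the password
    # itself never crosses the network
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Constructed encrypt-then-MAC; stands in for a Kerberos encryption type."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Holds every principal's long-term key; the AS issues TGTs, the TGS service tickets."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, client: str) -> bytes:
        # AS-REP: TGT sealed under the krbtgt key, plus the session key sealed under the
        # client's key; only a client that derived the right key can open it
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "session": session, "exp": time.time() + 3600})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str) -> bytes:
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        session = bytes.fromhex(tgt["session"])
        auth = unseal(session, authenticator)  # proves the caller holds the TGT session key
        if auth["client"] != tgt["client"] or tgt["exp"] < time.time():
            raise ValueError("authenticator does not match TGT, or TGT expired")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "session": svc_session, "exp": time.time() + 3600})
        return seal(session, {"session": svc_session, "ticket": ticket.hex()})

class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.key = key_from_password(password, name)

    def login(self) -> None:
        rep = unseal(self.key, self.kdc.as_exchange(self.name))  # wrong password -> ValueError
        self.tgt_session, self.tgt = bytes.fromhex(rep["session"]), bytes.fromhex(rep["tgt"])

    def ap_request(self, service: str, payload: str):
        # TGS-REQ/REP, then AP-REQ: ticket + authenticator + payload under the service session key
        auth = seal(self.tgt_session, {"client": self.name, "ts": time.time()})
        rep = unseal(self.tgt_session, self.kdc.tgs_exchange(self.tgt, auth, service))
        ticket, session = bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["session"])
        return ticket, seal(session, {"client": self.name, "ts": time.time()}), seal(session, {"data": payload})

class Service:
    def __init__(self, key: bytes):
        self.key = key  # the service's own long-term key (its keytab entry)

    def accept(self, ticket_blob: bytes, authenticator: bytes, sealed_payload: bytes):
        ticket = unseal(self.key, ticket_blob)  # only this key opens the ticket; no call to the KDC
        session = bytes.fromhex(ticket["session"])
        auth = unseal(session, authenticator)
        if auth["client"] != ticket["client"] or ticket["exp"] < time.time() or abs(time.time() - auth["ts"]) > 300:
            raise ValueError("authenticator/ticket mismatch, expired ticket or stale authenticator")
        return ticket["client"], unseal(session, sealed_payload)["data"]

def demo(password: str = "correct-horse", tamper: bool = False):
    """One full logon plus service access; returns (authenticated client, payload)."""
    kdc = KDC({"alice": key_from_password("correct-horse", "alice"),
               "krbtgt": os.urandom(32), "sap/erp": os.urandom(32)})  # constructed principals
    alice, erp = Client("alice", password, kdc), Service(kdc.keys["sap/erp"])
    alice.login()
    ticket, auth, sealed = alice.ap_request("sap/erp", "constructed RFC payload")
    if tamper:  # flip one bit of the sealed application data in transit
        sealed = sealed[:20] + bytes([sealed[20] ^ 1]) + sealed[21:]
    return erp.accept(ticket, auth, sealed)

def rejects(**kwargs) -> bool:
    """True if the exchange fails closed for the given fault (wrong password, tampering)."""
    try:
        demo(**kwargs)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo(), rejects(password="wrong-password"), rejects(tamper=True))
```

Note that the service never contacts the KDC at request time: possession of the service key is enough to open the ticket, which is why the key held in a service's keytab needs the same protection as a password.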

With X.509 certificates

The Kerberos protocol uses secret-key cryptography; however, it can also be used with Public Key Infrastructure (PKI) technology (asymmetric-key cryptography) by utilising the PKINIT standard. This standard allows the Kerberos protocol to support authentication with X.509 certificates instead of a principal name and password. A common use for PKINIT is when two-factor authentication is required, or when users have a certificate on a smart card which they use for other purposes and find it convenient to use the same certificate to authenticate when accessing Kerberos-enabled applications or systems.

The CyberSafe TrustBroker™ products support PKINIT.

Watch a smart card logon demonstration

What is it used for?

Just a few examples of what Kerberos can be used for:

  1. It provides strong authentication services to users, applications and network devices, without the threats caused by passwords being stored or transmitted across the network.
  2. When used for authenticating users to applications, the protocol can provide data integrity to ensure application data in transit is not tampered with, and message privacy (encryption) to ensure application data in transit is not visible to eavesdroppers on the network.
  3. Kerberos can not only be used for client/server applications, or multi-tier applications, but can also be used for Web-based application authentication, since most browsers include support for the HTTP Negotiate protocol that is based on SPNEGO, GSS-API and Kerberos standards.
  4. The CyberSafe implementation of Kerberos, included in the TrustBroker products, is designed specifically for use with critical business applications, and includes many features which users of these applications expect and require.
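The third point above mentions HTTP Negotiate, which wraps a GSS-API token (usually SPNEGO carrying Kerberos) in the Authorization header. The following added example, written for this page and not CyberSafe, browser or server code, parses such a header far enough to report which mechanism the client actually offered. It assumes the GSS-API InitialContextToken framing of RFC 2743 and the SPNEGO NegTokenInit layout of RFC 4178, and constructs its own sample headers. The practical point for an operator is that a Negotiate header can also carry a raw NTLM token, which means Kerberos single sign-on did not happen for that request and the cause (missing SPN, clock skew, non-domain client) is worth investigating.

```python
# Classify the token in an HTTP "Negotiate" header: SPNEGO wrapping Kerberos, raw
# Kerberos, or an NTLM fallback. Added illustration, not CyberSafe/TrustBroker code.
# Assumption: sample headers below are constructed; framing per RFC 2743 s.3.1 and
# RFC 4178 (NegTokenInit), read with a minimal DER reader.
import base64

SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
MS_KRB5_OID, NTLMSSP_OID = "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
              MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}

def encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for n in parts[2:]:  # base-128 arcs, high bit set on all but the last byte
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def decode_oid(raw: bytes) -> str:
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value: str) -> dict:
    """Parse 'Negotiate <base64>' and report which mechanism(s) the token offers."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "not-negotiate", "mech_types": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # NTLM inside Negotiate: Kerberos was not used
        return {"mechanism": "NTLM (raw)", "mech_types": []}
    if not token or token[0] != 0x60:  # GSS-API InitialContextToken is [APPLICATION 0]
        return {"mechanism": "unknown", "mech_types": []}
    _, body, _ = read_tlv(token)
    tag, oid, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected mechanism OID after GSS header")
    mech = decode_oid(oid)
    result = {"mechanism": MECH_NAMES.get(mech, mech), "mech_types": []}
    if mech == SPNEGO_OID and pos < len(body):
        tag, neg, _ = read_tlv(body, pos)      # [0] NegTokenInit
        if tag == 0xA0:
            _, seq, _ = read_tlv(neg)           # SEQUENCE
            tag, mtypes, _ = read_tlv(seq)      # [0] mechTypes, first element
            if tag == 0xA0:
                _, oids, _ = read_tlv(mtypes)   # SEQUENCE OF MechType
                p = 0
                while p < len(oids):
                    _, o, p = read_tlv(oids, p)
                    result["mech_types"].append(MECH_NAMES.get(decode_oid(o), decode_oid(o)))
    return result

def build_spnego_init(mech_oids, mech_token: bytes = b"constructed placeholder") -> bytes:
    """Constructed SPNEGO NegTokenInit offering the given mechanisms, preferred first."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + der(0xA0, neg_init))

def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: a browser offering Kerberos first, and a client that fell back to NTLM.
SAMPLE_HEADERS = {
    "kerberos-first": negotiate_header(build_spnego_init([KRB5_OID, NTLMSSP_OID])),
    "ntlm-fallback": negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00"),
}

def audit(headers: dict) -> dict:
    """Flag requests whose preferred mechanism is not Kerberos."""
    report = {}
    for name, value in headers.items():
        info = classify_negotiate(value)
        preferred = info["mech_types"][0] if info["mech_types"] else info["mechanism"]
        report[name] = {"preferred": preferred, "kerberos": preferred in ("Kerberos V5", "MS Kerberos V5")}
    return report

if __name__ == "__main__":
    for name, row in audit(SAMPLE_HEADERS).items():
        print(f"{name:15} preferred={row['preferred']:15} kerberos={row['kerberos']}")
```

Run against real captures, the same `audit` function gives a quick count of how many requests on a Kerberos-enabled web front end are actually completing with Kerberos rather than NTLM.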

Description

You can find a comprehensive description of Kerberos on Wikipedia.

FAQ

The Kerberos FAQ document (although largely out of date and in need of a major update) answers many of the recurring questions related to the Kerberos protocol. It is written to describe the MIT implementation, and does not consider the differences and unique features found in commercial implementations of the protocol, such as those in Microsoft products and in the CyberSafe TrustBroker products.

Commercial or Open Source?

A document written in 2007 by the University of Portsmouth School of Engineering compares open source and commercial implementations of Kerberos. It concludes by saying:

"Software producers or vendors are not called professionals for nothing, so when choosing between a system that allows you to modify it and one that does not, as discussed, you should take this on board, because unless you know what you are doing it's best to get the professionals in."

We reference this document since it makes some valid observations and recommendations. It was written by the University without any involvement from CyberSafe.

At CyberSafe, we have found through our two decades of experience that companies initially think open source Kerberos is free, but they quickly learn that there are hidden costs and risks involved.
