What is the niche that Kerberos authentication fills called?

Question

Keberos authentication is a bit of a top down concept. I'm working my way up to it from the bottom learning from the bottom up. It seems to me that Keberos authentication can be thought of as a glue between systems, so that you can authenticate from a single server for all the services / systems within a domain and don't have to store all of your login information multiple times. This isn't an easy concept to come across when you're working your way up from some low level like say....programming...

So what is this "area" between systems where Kerberos lives called?

score 3 · Accepted Answer · answered Jul 07 '16 at 18:25

You might be thinking of a realm:

A Kerberos realm is a set of managed nodes that share the same Kerberos database. The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room. A read-only copy of the Kerberos database might also reside on other Kerberos computer systems.

(Source.)

On Windows, Kerberos usually works within domains:

A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

(Wikipedia source.)

Right. There are only two implementations of Kerberos that I'm aware of: MIT's and AD. — leeand00, Jul 07 '16 at 18:29

score 1 · Answer 2 · edited Apr 13 '17 at 12:48

I'm not sure what you mean by "area". Kerberos is an authentication protocol. It has nothing at all to do with storing login information. Kerberos' main purpose is to define a cryptographically secure mechanism for exchanging keys via an insecure communications channel. These keys are then used to authenticate two parties during the lifetime of a connection. This prevents impersonation which would allow e.g. man-in-the-middle replay attacks.

The problem being solved is similar to the problem solved by Diffie-Hellman key exchange. The main difference being that Diffie-Hellman relies on a third-party trusted server (e.g. root certificate authority), whereas Kerberos allows you to host your own trusted authentication server. See a more in-depth comparison of Diffie-Hellman vs. Needham-Schroeder on Crypto StackExchange. Kerberos is based on the Needham-Schroeder protocol.

Kerberos setup and exchange is explained in more depth in the Kerberos Wikipedia article.

You can also find a pretty good explanation of how Diffie-Hellman works (for comparison), in this Security StackExchange answer.

"The main difference being that Diffie-Hellman relies on a third-party trusted server (e.g. root certificate authority), whereas Kerberos allows you to host your own trusted authentication server." This is not technically true. You could in theory set up a private public key infrastructure for an organization. Kerberos is just far more popular, though. — Luis Casillas, Jul 07 '16 at 19:49
@LuisCasillas Of course, and I'm sure someone could host Kerberos as a third-party service if they wanted to. That's more of a general use-case statement than a hard limit; thanks for pointing that out. — Dan, Jul 07 '16 at 21:02

What is the niche that Kerberos authentication fills called?

2 Answers2