
I understand kerberos provides authentication using encryption. I see it exchanges session keys. Are those session keys used by applications to encrypt the data they send over the network after authentication is performed?

For an example to clarify:

If I kerberize my telnet server and client, will my client and server session then also be encrypted (presumably using the aforementioned session keys) (i.e. a sniffer can't see the commands I type in the session)?

I see that HTTP based SPNEGO kerberos does not follow this and one would need to use SSL to secure the session.

jouell

1 Answer


It depends entirely on how the service is implemented. I am reasonably sure that most versions of kerberized telnet do use the session keys to encrypt the traffic.

That would be the "standard" use of the kerberos APIs for older programs. Pretty much everything that comes with a standard kerberos distribution uses kerberos in this fashion. The key API to look for is

krb5_mk_priv

The other standard API is

gss_wrap

however in that case you need to examine the call arguments to determine if privacy is enabled.

See

http://www.kerberos.org/software/appskerberos.pdf

for a relatively recent overview of how to use kerberos in an application.

SPNEGO is a special case in the kerberos world as it is used only for authentication. As a general rule of thumb, any properly designed use of kerberos in an application protocol will include encryption of the session data, unless you specifically turn it off for some reason.

Unfortunately, not all uses of kerberos are properly designed. It's something you have to verify when examining any application that claims to support kerberos.