Kerberos was developed at MIT in the 1980s. It was named after the three-headed watchdog in classical Greek mythology that guards the gates to Hades.

The name is apt because Kerberos is a three-way process: it depends on a trusted third party, the Key Distribution Center (KDC), to vouch for one computer's identity to another and to hand both of them a fresh session key for a secure connection between them. (For simplicity's sake, let's call one computer the client and the other the target server.)

Basically, Kerberos works because every participant (each user and each service) shares a long-term secret key with the KDC. The KDC itself has two components: the authentication server (AS), which handles the client's initial login, and the ticket-granting server (TGS), which issues tickets for individual target servers. If a KDC doesn't hold the key for the requested target server because that server belongs to another realm, it issues a cross-realm ticket that refers the client to the KDC that does.

By exchanging a series of encrypted messages with the client, the KDC issues credentials called tickets and generates a fresh session key for each stage of the authentication process. It can vouch for one computer to the other without ever sending either one's long-term key across the network and without requiring either computer to store keys for every computer it might possibly connect to: a ticket is encrypted under the target server's own key, so the server can check it locally, and the matching session key reaches the client under the client's key. A ticket is good only for a single named client connecting to a single named server during a designated period of time. (See the diagram at right for more details about how the Kerberos ticketing process works.)

After the ticket is issued, the client can present it to the target server any number of times until it expires, each time with a fresh, time-stamped authenticator encrypted under the session key to prove it holds that key and to foil replays. Neither the client nor anyone snooping on the network can read the ticket, and because the ticket carries an integrity check, any modification invalidates it.
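To make the exchange concrete, here is a toy end-to-end model of the flow described above, written for this article rather than taken from MIT's or Microsoft's code. It assumes a stand-in cipher of its own (a SHA-256 keystream with an HMAC tag, not a real Kerberos encryption type), a fixed clock, simplified JSON message bodies instead of the protocol's ASN.1, and made-up principal names (alice, http/web, realm EXAMPLE.COM). It runs the login, ticket-granting and service steps, then exercises the failure modes the text mentions: a modified ticket, an expired ticket and a wrong password.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption standing in for a Kerberos encryption type (assumption,
# not a real etype): SHA-256 counter-mode keystream, then HMAC-SHA256 encrypt-then-MAC.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, realm, principal):   # password-derived long-term key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

def check_authenticator(session_key, authenticator, ticket, now, skew=300):
    a = decrypt(session_key, authenticator)      # only a holder of the session key can produce this
    if a["client"] != ticket["client"] or abs(now - a["time"]) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return a

class KDC:   # authentication server (AS) and ticket-granting server (TGS) in one process
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, dict(keys)
        self.keys["krbtgt"] = os.urandom(32)     # seals TGTs; never leaves the KDC

    def as_exchange(self, client, now, lifetime=600):   # AS-REQ/AS-REP
        session, expires = os.urandom(32).hex(), now + lifetime
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": session, "expires": expires})
        return encrypt(self.keys[client], {"key": session, "expires": expires}), tgt
    def tgs_exchange(self, tgt, authenticator, service, now, lifetime=600):   # TGS-REQ/TGS-REP
        t = decrypt(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        check_authenticator(bytes.fromhex(t["key"]), authenticator, t, now)
        if service not in self.keys:
            raise KeyError(f"{service} is not in realm {self.realm}: would refer to another KDC")
        session, expires = os.urandom(32).hex(), now + lifetime
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": session, "expires": expires})
        return encrypt(bytes.fromhex(t["key"]), {"key": session, "service": service}), ticket

class Client:
    def __init__(self, name, password, realm):
        self.name, self.key = name, string_to_key(password, realm, name)
    def login(self, kdc, now):
        enc, self.tgt = kdc.as_exchange(self.name, now)
        self.tgt_key = bytes.fromhex(decrypt(self.key, enc)["key"])   # raises on a wrong password
    def get_service_ticket(self, kdc, service, now):
        auth = encrypt(self.tgt_key, {"client": self.name, "time": now})
        enc, ticket = kdc.tgs_exchange(self.tgt, auth, service, now)
        return ticket, bytes.fromhex(decrypt(self.tgt_key, enc)["key"])
    def ap_request(self, ticket, session_key, now):   # AP-REQ: opaque ticket + fresh authenticator
        return ticket, encrypt(session_key, {"client": self.name, "time": now})

class Server:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()
    def accept(self, ticket, authenticator, now):
        t = decrypt(self.key, ticket)                  # no round trip to the KDC: our own key suffices
        if now > t["expires"]:
            raise ValueError("ticket expired")
        a = check_authenticator(bytes.fromhex(t["key"]), authenticator, t, now)
        if (a["client"], a["time"]) in self.seen:      # replay cache for authenticators
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["time"]))
        return t["client"]

def fails(fn):
    try:
        fn()
    except ValueError:
        return True
    return False

def demo():
    realm, now = "EXAMPLE.COM", 1_000_000           # fixed clock keeps the run deterministic
    web_key = os.urandom(32)
    kdc = KDC(realm, {"alice": string_to_key("correct horse", realm, "alice"), "http/web": web_key})
    web, alice = Server("http/web", web_key), Client("alice", "correct horse", realm)
    alice.login(kdc, now)
    ticket, key = alice.get_service_ticket(kdc, "http/web", now)
    r = {"first_use": web.accept(*alice.ap_request(ticket, key, now + 1), now + 1) == "alice",
         "reuse": web.accept(*alice.ap_request(ticket, key, now + 2), now + 2) == "alice"}
    tick, auth = alice.ap_request(ticket, key, now + 3)
    bad = tick[:20] + bytes([tick[20] ^ 1]) + tick[21:]     # flip one ciphertext byte of the ticket
    r["tampered_rejected"] = fails(lambda: web.accept(bad, auth, now + 3))
    r["expired_rejected"] = fails(lambda: web.accept(*alice.ap_request(ticket, key, now + 700), now + 700))
    r["wrong_password_rejected"] = fails(lambda: Client("alice", "wrong", realm).login(kdc, now))
    return r
```

Two details worth noticing. The Server never talks to the KDC: its own long-term key both decrypts the ticket and proves the KDC issued it, which is the efficiency the Windows 2000 comparison below is about. And in this model the AS answers anyone who asks for alice, so a wrong password is only detected when the reply fails to decrypt; that property is what lets an eavesdropper try passwords offline against a captured reply, and it is why real Kerberos 5 deployments require pre-authentication (the client proves knowledge of its key, typically with an encrypted timestamp) before the AS will answer.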

How Standard a Standard?

The default protocol for network authentication in Microsoft Corp.'s Windows 2000 operating system is Kerberos Version 5. Microsoft chose to add its own extensions: support for public-key-based authentication (QuickStudy, March 16, 1998) with smart cards, rather than Kerberos' usual secret key derived from the user's password, and a block of Windows authorization data (the user's group memberships) carried in a ticket field that the standard leaves open for implementation-defined content. That makes its implementation slightly nonstandard, but it still allows authentication with other networks that use Kerberos 5.

Authentication in Windows 2000 is also more efficient than in Windows NT. Under NT's challenge-response scheme, a server has to pass each logon through to a domain controller for verification; with Kerberos, the server validates the ticket itself using its own key and never needs to contact a domain controller for that session.
