PennNet-21 Strategy Document
Shumon Huque, University of Pennsylvania
Last revised: March 1st 2004
Kerberos is a standards-based central authentication system that employs symmetric key cryptography. The authentication function is mediated by a set of trusted servers on the network called Key Distribution Centers (KDCs). The system provides mutual authentication, in which both parties in the communication (clients and servers) are authenticated to each other. It also provides facilities for session encryption and integrity protection. Kerberos prevents the transmission of user passwords over the network (in the clear or even encrypted). Passwords are only used to encrypt and decrypt time-limited cryptographic credentials, which are subsequently used in the authentication function. A special service called the "ticket granting service" provides a much-desired single sign-on capability.
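As an added illustration (not code from PennNet or the University of Pennsylvania), the following Python models the initial Kerberos exchange described above: the client sends only its principal name, and the password is used locally to derive the key that unseals the KDC's time-limited credential, so a wrong password or an expired credential fails. The realm name, the key derivation and the toy HMAC-based cipher are constructed stand-ins for real Kerberos encryption types.

```python
# Added illustration (not PennNet's code): a simplified Kerberos AS exchange.
# The password never crosses the wire; it only derives the key that unlocks the
# KDC's reply. The "cipher" is a toy HMAC-based encrypt-then-MAC construction.
import hashlib, hmac, json, os

REALM = "EXAMPLE.EDU"  # constructed realm name, not a real PennNet value

def user_key(principal: str, password: str) -> bytes:
    """String-to-key: derive the user's long-term key from password + salt."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in stream cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || data XOR keystream || 32-byte HMAC tag."""
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return body + hmac.new(key, body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (wrong password) fails here."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    nonce, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

class KDC:
    """Holds each principal's long-term key; never receives the password."""
    def __init__(self, db: dict, lifetime: int = 600):
        self.db, self.lifetime = db, lifetime
    def as_exchange(self, principal: str, now: float) -> bytes:
        """AS-REP: fresh session key plus expiry, sealed under the user's key."""
        cred = {"principal": principal, "session_key": os.urandom(16).hex(),
                "expires": now + self.lifetime}
        return seal(self.db[principal], json.dumps(cred).encode())

def client_login(kdc: KDC, principal: str, password: str, now: float) -> dict:
    """AS-REQ carries only the name; the password stays local to derive the key."""
    rep = kdc.as_exchange(principal, now)
    cred = json.loads(unseal(user_key(principal, password), rep))
    if cred["expires"] <= now:
        raise ValueError("credential expired")
    return cred  # holds the session key used for later service authentication
```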
The core Kerberos infrastructure consists of multiple (currently three) redundant Key Distribution Centers (KDCs) that provide the Kerberos authentication, ticket-granting and administration services. Each KDC is located in a distinct building on a distinct network (IP subnet) with redundant connectivity to the campus routing core via distinct routing equipment. The Kerberos protocol supports multiple servers and transparently fails over to alternate servers. This design provides a high-availability central authentication service that is resistant to a wide variety of server and network failures, and even environmental disasters. All KDC server platforms are maximally secured against intrusion, even at the cost of making routine systems administration more difficult (e.g., by limiting physical access to the server hardware and disallowing all unnecessary network services, including remote logins). Sensitive KDC data does not appear on backup tapes in unencrypted form, and any encryption keys required for backups are stored in physically secure facilities for disaster recovery purposes.
Additional software infrastructure provides convenient and secure facilities for online user account management and for server principal and key management. A test Kerberos infrastructure provides facilities for Kerberos administrators to test new KDC software functionality. A RADIUS authentication service is also available to allow Kerberos password verification for applications that don't currently support native Kerberos authentication. In this scheme the application transmits the user's Kerberos password in a cryptographically secure manner to a RADIUS service, which subsequently authenticates the user to the Kerberos service. It is meant as a transitional mechanism only, until the application can support the Kerberos protocol directly.