Talk:Kerberos (protocol)
From Wikipedia, the free encyclopedia
Kerberos 4 vs. Kerberos 5
According to The Moron's Guide to Kerberos, in Kerberos 5 the final step of authenticating the service to the client does not increment the timestamp. It says:
It used to be the case (in version 4 of Kerberos) that the service would instead add 1 to the timestamp value, and return it, encrypted in the session key. That has been changed in version 5 of Kerberos.
I do not know Kerberos well enough to know whether Wikipedia is right or the Guide (I presume this page wants to be right for Kerberos 5, but I do not think that is stated anywhere).
Kerberized NFS
The article claims that NFSv4 supports Kerberos (true), but Solaris has supported Kerberized NFS even with the earlier versions of the protocol.
Frodo Looijaard (20051103)
"US DoJ finding" on Microsoft breaking Kerberos
The external link in the article to US DOJ finding that Microsoft purposefully breaks Kerberos interoperability seems to be a submission to the court by Novell, not a finding by the US DoJ. If the DoJ did conclude the same thing as Novell's submission, the external link should point to an article that directly says so, otherwise the link should probably be removed (or at least more appropriately titled). OTOH I might have misinterpreted the contents of the document. I didn't read all of it. —midg3t 04:51, 16 June 2006 (UTC)
"Protocol" and "operation" mismatch
Currently, the article looks inconsistent because the protocol messages (in "The protocol") don't match up with the operation (given in "Kerberos operation"). Things diverge in step 4 of the operation, where two messages are sent back. Only one message is sent in the protocol. Perhaps someone could fix this? 82.36.100.133 12 Aug 2006
Move to Kerberos (protocol)?
I think that the article should be moved to Kerberos (protocol) because it would be more consistent with Wikipedia naming conventions. Note that the topic is identified as only "Kerberos" both generally and in the title restatement. Thoughts? ENeville 17:02, 20 October 2006 (UTC)
- Agreed. -- intgr 22:55, 17 January 2007 (UTC)
Missing info.
I recommend that in the article there should be a paragraph on comparison of Kerberos and RADIUS protocols. —The preceding unsigned comment was added by 195.70.32.136 (talk) 13:07, 2 January 2007 (UTC).
Found these paragraphs really funny
There is a version of Kerberos called Bones, which is exactly like Kerberos, except that Bones doesn't encrypt any of the messages. So what is it good for? The U.S. restricts export of cryptography; if it's sufficiently advanced, it qualifies as munitions, in fact. At one time, it was extraordinarily difficult to get crypto software out of the U.S. On the other hand, there is a wide variety of legitimate software that is exported (or created outside the U.S. altogether), and expects Kerberos to be there. Such software can be shipped with Bones instead of Kerberos, tricking them into thinking that Kerberos is there.
Doug Rickard wrote to explain how Bones got its name. In 1988, he was working at MIT, with the Project Athena group. He was trying to get permission from the State Department to export Kerberos to Bond University in Australia. The State Department wouldn't allow it--not with DES included. To get it out of the country, they had to not only remove all calls to DES routines, but all comments and textual references to them as well, so that (superficially, at least) it was non-trivial to determine where the calls were originally placed.
To strip out all the DES calls and garbage, John Kohl wrote a program called piranha. At one of their progress meetings, Doug jokingly said, "And we are left with nothing but the Bones." For lack of a better term, he then used the word "Bones" and "boned" in the meeting minutes to distinguish between the DES and non-DES versions of Kerberos. "It somehow stuck," he says, "and I have been ashamed of it ever since."
Back at Bond University, Errol Young then put encryption back into Bones, thus creating Encrypted Bones, or E-Bones.
It's from the Moron's Guide to Kerberos. —The preceding unsigned comment was added by Wk muriithi (talk • contribs) 06:45, 13 January 2007 (UTC).
Replay attack on described protocol?
I'm new to Kerberos, but the described protocol seems vulnerable to a replay attack: if an intruder I records message 3 and resends it soon, B detects it as host A. The problem is that A doesn't authenticate to B. This should be done with something like:
4:
5: —The preceding unsigned comment was added by 213.140.6.116 (talk) 00:28, 8 April 2007 (UTC).
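The two technical points raised on this page, the "timestamp vs. timestamp+1" difference between Kerberos 4 and 5 in the service's reply, and the worry that a recorded message 3 could simply be resent, are illustrated by the following model. It is an added example written for this talk page, not code from the article or from any Kerberos implementation: the session-key encryption is replaced by an HMAC-sealed JSON blob (a stand-in that only preserves integrity), the clock-skew window and the replay-cache shape are simplifications of what Kerberos 5 does, and all keys, names and times are constructed.

```python
import hashlib, hmac, json

MAX_SKEW = 300  # seconds; Kerberos 5 deployments default to 5 minutes of tolerated clock skew

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for encryption under the session key: canonical JSON plus an HMAC tag.
    Real Kerberos encrypts the authenticator; only integrity matters for the checks below."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob.rsplit(b"|", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong session key or tampered authenticator")
    return json.loads(body)

def make_authenticator(key: bytes, cname: str, now: int) -> bytes:
    """'Message 3' of the thread: the client's authenticator (AP_REQ) with a fresh timestamp inside."""
    return seal(key, {"cname": cname, "ctime": now})

class Service:
    """Host B: holds the session key, keeps a replay cache, answers with an AP_REP."""
    def __init__(self, key: bytes, version: int = 5):
        self.key, self.version, self.seen = key, version, set()

    def verify(self, blob: bytes, now: int) -> bytes:
        auth = unseal(self.key, blob)
        if abs(now - auth["ctime"]) > MAX_SKEW:
            raise ValueError("authenticator outside clock skew")
        entry = (auth["cname"], auth["ctime"])  # real caches also key on server name and microseconds
        if entry in self.seen:
            raise ValueError("replayed authenticator")  # the resend the thread worries about
        self.seen.add(entry)
        # Mutual-authentication reply: Kerberos 4 returned ctime+1, Kerberos 5 returns ctime unchanged
        reply_time = auth["ctime"] + 1 if self.version == 4 else auth["ctime"]
        return seal(self.key, {"ctime": reply_time})

    def accepts(self, blob: bytes, now: int) -> bool:
        try:
            self.verify(blob, now)
            return True
        except ValueError:
            return False

def client_checks_reply(key: bytes, reply: bytes, sent_time: int, version: int = 5) -> bool:
    """Client side of mutual auth: B proved it holds the session key if the timestamp matches."""
    expected = sent_time + 1 if version == 4 else sent_time
    return unseal(key, reply)["ctime"] == expected
```

The second `verify` of the same authenticator fails on the replay cache rather than being taken for host A, and a client talking Kerberos 4 semantics rejects a Kerberos 5 style reply, which is the mismatch the first section of this page asks about.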