Talk:Kerberos
I just changed the definition to reflect what I think are the key points about this protocol. I'm not an expert in Kerberos, but it looks to me like it has no advantage over a public-key system, and a few serious disadvantages. I'm thinking of adding to the article something like the following paragraph, but I would like to get some feedback first.
- Kerberos has largely been replaced by public-key systems. Both have the objective of providing a secret session key to allow encrypted communications between two clients. Both need a central server, one to distribute public keys for each client, the other to hold secret keys for each client. The server with secret keys for all clients must be very secure, much more than is required for the server holding only the public keys of all clients.
See http://en.wikipedia.org/wiki/Kerberos_(protocol)#Drawbacks for more on the disadvantages of Kerberos.
"Authentication Protocols", section 8.3 in Peterson & Davie, Computer Networks, 4th ed. (Morgan Kaufmann, 2007).
"Authentication Protocols", section 8.7 in Tanenbaum, Computer Networks, 4th ed. (Prentice Hall, 2003).
"Authentication and Authorization Controls", R. Bragg, chapter 6 in Network Security: The Complete Reference (McGraw-Hill, 2004).
--David MacQuigg 17:12, 25 November 2009 (UTC)
- I think the suggested text above is wrong. For one thing, newer versions of Kerberos do use public key techniques, see for example RFC 4556. For another, it has not "largely been replaced"; it is still extremely widely deployed. As far as I know it is still the basic mechanism used in Windows network authentication.
- That said, you are raising valid points. Kerberos has limitations and there are alternatives; both need to be covered. Sandy Harris 10:07, 26 November 2009 (UTC)