Resources
Identity Use Cases & Scenarios.- FIDIS Deliverables.
- Identity of Identity.
- Interoperability.
- Profiling.
- Forensic Implications.
- HighTechID.
- D3.1: Overview on IMS.
- D3.2: A study on PKI and biometrics.
- D3.3: Study on Mobile Identity Management.
- D3.5: Workshop on ID-Documents.
- D3.6: Study on ID Documents.
- D3.7: A Structured Collection on RFID Literature.
- D3.8: Study on protocols with respect to identity and identification – an insight on network protocols and privacy-aware communication.
- D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management.
- D3.10: Biometrics in identity management.
- D3.11: Report on the Maintenance of the IMS Database.
- D3.15: Report on the Maintenance of the ISM Database.
- D3.17: Identity Management Systems – recent developments.
- D12.1: Integrated Workshop on Emerging AmI Technologies.
- D12.2: Study on Emerging AmI Technologies.
- D12.3: A Holistic Privacy Framework for RFID Applications.
- D12.4: Integrated Workshop on Emerging AmI.
- D12.5: Use cases and scenarios of emerging technologies.
- D12.6: A Study on ICT Implants.
- D12.7: Identity-related Crime in Europe – Big Problem or Big Hype?.
- D12.10: Normality Mining: Results from a Tracking Study.
- Privacy and legal-social content.
- Mobility and Identity.
- Other.
- IDIS Journal.
- FIDIS Interactive.
- Press & Events.
- In-House Journal.
- Booklets
- Identity in a Networked World.
- Identity R/Evolution.
 |
Title: KERBEROS FEEDBACK |
 |
Kerberos feedback
Kerberos Identity Management System
Verification of data – Instructions
Please indicate with a Yes/No in the respective field of the following table the correctness / completeness of the data held in our database. If you find that the data is not correct and/or complete, please proceed with making the appropriate corrections / additions by appropriately filling in the next field (“Correction / Completion”).
For a description / definition of each field, you can refer at Table B.
TABLE A – Verification of Data | ||||
Data held in database | Yes/No | Correction / Completion | ||
Evaluation of IMS | ||||
Evaluator: | M. Meints |
|
| |
Organisation: | ICCP |
|
| |
Date of evaluation: | 07-Jun-2005 |
|
| |
Identification of IMS | ||||
Sources of information: |
|
| ||
Version: | 5-1.4.1 |
|
| |
Manufacturer: | MIT Massachusetts Institute of Technology |
|
| |
Nature: | Private |
|
| |
Country: | USA |
|
| |
Regions: | Global |
|
| |
Language: |
|
|
| |
State: | Available |
|
| |
Open/Closed: | Open IMS: the identities work with several systems or applications. |
|
| |
Platform & Environment | ||||
Requirements: | Almost any modern hardware/software |
|
| |
Number of users: | Widely used, distributed with various Microsoft and Apple products |
|
| |
Standards: | Kerberos employs a standardized protocol of the same name. There are several partially interoperable implementations by MIT, Kungliga Tekniska Hoegskoln Stockholm, Microsoft, Apple and Transarc |
| The Transarc implementation only supports version 4 of the protocol and should be considered obsolete. I do not recommend including it in this document.
The Kerberos standard is defined by the IETF. The current controlling documents are RFC 4120 and RFC 4537
Suggest that you change “partially” to “mostly”. | |
Description of Server - Side components: | The main component is the Key Distribution Center (KDC) which authenticates the users and supplies them with so-called tickets. These in turn allow the use of other resources. The KDC shares secrets with every service and user in the installation. |
|
| |
Description of methods: | The only data kept about a user is her username and a hash of her password. The password can be changed by the user. |
|
| |
Descriptor of Client - | The client needs Kerberos-enabled clients for the services it wants to use with Kerberos. |
|
| |
Seals: | No |
|
| |
Which seal: |
|
|
| |
Third party: | yes |
|
| |
Which third party: |
|
|
| |
Features: | Kerberos authentication perimeters are called Realms. Inside a realm, the Kerberos setup consists of clients, application servers and the Ticket Granting Service (TGS). A user authenticates herself by password on her local machine (which must be known to the TGS and share a secret with it). After successful authentication the user can request tickets for services from the TGS. A ticket states that the user is authenticated and is allowed to use the service. Services on the application servers check if the user sent a valid ticket with her request, and allows access if valid. Tickets are valid only for pre-defined periods of time. Newer versions of Kerberos allow cross-realm authentication. In this setup, the TGSs of the several realms have pairwise shared secrets and forward requests to remote services. The forwarded tickets are authenticated with the shared secrets. |
| There are many other standards that extend the functionality of Kerberos. For example some implementations currently support PKINIT so that public keys can be used for initial authentication instead of a username / password.
Please see http://www.ietf.org/html.charters/krb-wg-charter.html
You make no mention that many organizations use Kerberos as a key component of their single sign-on (SSO) strategy. That is probably more useful than the features that you are pointing out.
There are also products that use Kerberos for web authentication. Using http-spnego. Examples include: IE, IIS, Apache, Firefox, Safari, … | |
Screenshot picture: |
|
| ||
Flowchart: |
|
| ||
Cost | ||||
Price: | 0 |
|
| |
Comment to the Cost: | Open Source |
|
| |
Type & Class of IMS | ||||
Type of IMS: | Type 1: IMS for account management. |
|
| |
Class of IMS: |
|
|
| |
Functionality: | Authentication and Single Sign-On |
|
| |
Suggestions: |
|
|
| |
| |
   |
|
| 12 / 15 |
