Kerberos Design
Thomas Themel
themel at iwoars.net
Wed Sep 1 14:59:28 EDT 2004
Hi,

I'm currently looking into implementing a single sign-on solution for
distributed services.

The requirement profile seems to somewhat fit Kerberos, but I'm
not entirely convinced that I can use it in my scenario - which can't
simply run an off-the-shelf KDC and use UDP for communication with it.

However, years of reading various crypto resources have strongly
conditioned me against simple-minded attempts to "roll my own" as a
crypto dilettante.

I've been trying to study Kerberos' design history in the recent past
and have failed to come up with a good resource that explains why things
are built the way they are.

Since I'm already using OpenSSL for various SSL/X.509 related things,
I'm most astonished by the almost total absence of public key
cryptography in Kerberos, and I haven't been able to find out why this
design choice was made - performance reasons, given that at its
inception public key operation cost was probably much more prohibitive?

So, I'd like to ask the audience:

- Is there a good web/book/whatever resource regarding the design
  of Kerberos? Amazon offers the O'Reilly book, which, from the
  abstract, seems to take the cryptographic design of Kerberos as
  a given and concentrates on its usage, and another one that also
  doesn't seem to give much detail on the issue. Something in the
  direction of EKR's SSL/TLS book would be very much appreciated.

- Is Kerberos a sane choice to adapt for such solutions today?
  Is there anything more recent that I should be aware of?

thanks,
--
[*Thomas Themel*]
[extended contact] But let your communication be, Yea, yea; Nay, nay:
[info provided in] for whatsoever is more than these cometh of evil.
[*message header*] - Matthew 5:37