O'Reilly logo

Kerberos: The Definitive Guide by Jason Garman

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Smart Cards

Traditionally, Kerberos has relied solely on one of the three factors of authentication, namely, something you know. As discussed early on in Chapter 2, the security of authentication systems can be greatly enhanced by requiring more than one factor to grant authentication. Smart cards provide another factor (what you have), and some Kerberos implementations support the use of smart cards for initial authentication.

The use of smart cards solves one of the most problematic issues with Kerberos; namely its dependence on users to choose (and remember) good passwords. Traditionally, the user’s long-term key is a password, which is something the user must choose and memorize. The human brain is notoriously poor at producing and consequently remembering random sequences, so passwords are typically something easily remembered by the user. As a consequence, passwords have low entropy, and most fall to dictionary attacks. The use of pre-authentication in the initial Authentication Server exchange mitigates this risk somewhat, but a determined attacker who can sniff Kerberos protocol exchanges over the network can still obtain encrypted material on which to perform a dictionary attack.

In addition, smart cards limit the exposure of the sensitive cryptographic keys used throughout the Kerberos protocol. Secret keys stored on machine hard disks, such as keytab files, are vulnerable to attack. Even though filesystem protection is designed to prevent unauthorized users from reading ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required