The Value of Kerberos

Jeff Norris

Kerberos is a very effective network authentication system that has earned the faith of many MIT users. However, when these users begin to believe in a giant, three-headed dog that protects everything they do on Athena, it's possible that they will be very disappointed. The problem lies in the fact that Kerberos' designers never intended to fully accomplish the daunting task of protecting sensitive files from unauthorized users. Kerberos falls short of this goal by not encrypting stored files or ordinary network traffic. Given these misunderstandings, it would actually be beneficial if the average user were completely unaware of Kerberos' existence. Then, users wouldn't consider Athena a secure storage medium, but would still receive the increased security associated with a reliable authentication scheme.

In normal operation, Kerberos only affects a user's session when he first connects to a system, or when he establishes a connection to some service from that system. In the absence of any other security schemes, all other network traffic is sent entirely as cleartext. This means that the user's Email, Zephyrs, logins to non-Kerberos machines, etc., are all vulnerable to ordinary packet sniffing. Furthermore, when a user saves a file to disk, Kerberos doesn't step in and encrypt the file. Therefore, any second user who can subvert UNIX's permission settings, for instance, a user with superuser access, can use any of the original user's files without his knowledge or permission. In general, it is foolish to expect cleartext data stored on a network-accessible file system to be secure. It should also be noted that Kerberos can't be expected to achieve its intended goal if the user's password is compromised outside of Kerberos' protection.

Even considering these shortcomings, Kerberos is a very valuable system. As long as a user can be careful with his password, a responsibility that he would have with or without Kerberos, he can be fairly certain that another user will be unable to gain access to his account. Ironically, Kerberos could actually increase security more if it were completely invisible to the average user. Then, users wouldn't expect Athena to be more secure than any other large computer system, and would vigilantly protect their sensitive data. In the absence of this ideal situation, MIT users' sense of security could be tamed slightly by keeping the MIT community informed of the limits of Kerberos.

Misconceptions about the purpose of Kerberos have caused some MIT users to consider Athena a completely secure system. Unfortunately, no single scheme can be expected to handle all of the security needs of a large network. Still, Kerberos represents a very effective component of a secure system, and is valuable whether complete security is desired or not.