What is Kerberos?

A. Kerberos is new to Windows 2000 and is

"The hound of Hell. A three headed Dog with a Snake for a tail; guarded the entrance to the kingdom of Hades, the Underworld."

(and you wondered why the box was so big :-) ).

It replaces the Microsoft NTLM native communication for Windows 2000 computers but NTLM is still supported for compatibility with older NT 4, Windows 9x clients (as a side not NTLM version 2 is not supported in Windows 2000).

The idea is if two people know a secret they can communicate by encrypting a message with the secret and if they both know the secret they know the other person is who they say they are. The problem is the secret can’t be sent as just text over the network as anyone with a network sniffer could find the “secret”.

The Kerberos protocol solves this problem with secret key cryptography. Rather than sharing a password, communication partners share a cryptographic key which is symmetric in nature which means the single key can both encrypt and decrypt.

To communicate one side send the other an encrypted message containing their name and local time, the other machine then decrypts the packet with the symmetric key and if the time is close to its time then the match is OK.

The diagram shows this where KJB is the symmetric key shared by John and Bob.

The fact that time is part of the encryption technology is why Windows 2000 machines need to be time synchronized with a SNTP service.

But how is the shared key distributed if it can't be sent over the network? See the next FAQ.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.