Firewall Wizards mailing list archives

RE: LDAP and Kerberos?


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 20 Sep 2004 11:08:34 -0400

-----Original Message-----
On Mon, 20 Sep 2004, Melson, Paul wrote:
I'm not sure you've given enough information about your back end 
architecture to say for sure,

I'm not sure what else to say about the architecture.  I'll be happy to
answer any questions though.

Specifically, what else besides the web application will you be
authenticating?  How many users?  If the primary goal of this directory
is to provide authentication for this web app. plus maybe admin
services, then Kerberos is a waste of time since it's not compatible
with the web app.


How does Kerberos do it mutually?  And even if it does do it mutually, if
the server is compromised what does that authentication really do for
you?  Or is it for some other reason?

It's my understanding that in mutual authentication scenarios the
Kerberos client first authenticates to the server, then receives the
service ticket, then finally challenges the server's identity to verify
the first transaction.  Kerberos can use RC4 or 3DES encryption
(possibly others?), and authentication is based on a time stamp and key
set.  This is similar to how most IPSec-VPN IKE implementations work.

The advantage of mutual authentication is that it prevents playback
spoofing and man-in-the-middle attacks.  It's designed to make it
difficult for a third system to get access to services by eavesdropping
or otherwise intercepting or interfering with the authentication
process.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
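The AP exchange discussed above (the client/server step of Kerberos, RFC 4120 section 3.2), modelled as an added example that is not part of the original thread or of any Kerberos implementation. The client presents a service ticket plus an authenticator containing a timestamp; the server proves it holds the service key by recovering the session key and echoing the client's timestamp back in the AP-REP; a replay cache and a clock-skew window stop reuse of a captured authenticator. The cipher is a toy encrypt-then-MAC construction built from SHA-256/HMAC standing in for a real Kerberos enctype, the key sizes, the 300-second skew and the fixed clock value are assumptions, and the three scenarios (genuine server, replayed AP-REQ, impostor server) are constructed inline.

```python
"""Toy model of the Kerberos AP exchange (RFC 4120 section 3.2).

Added example, not code from the mailing-list thread or from any Kerberos
implementation.  Encryption is a deliberately simple HMAC/SHA-256 scheme
standing in for a real enctype; every key, clock value and name below is
a constructed assumption.
"""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300  # allowed clock skew in seconds (assumed; typical KDC default)
NOW = 1_095_692_914  # fixed clock for a reproducible run (assumption)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy cipher, not a real enctype)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; raises ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered)")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def kdc_issue_ticket(service_key: bytes, client: str, now: int):
    """KDC side: mint a session key and a ticket sealed under the service key."""
    session_key = os.urandom(32)
    ticket = encrypt(service_key, {"client": client,
                                   "session_key": session_key.hex(),
                                   "expires": now + 8 * 3600})
    return session_key, ticket


def client_ap_req(session_key: bytes, ticket: bytes, client: str, now: int) -> dict:
    """Client side: AP-REQ = ticket + authenticator (client name and timestamp)."""
    authenticator = encrypt(session_key, {"client": client, "ctime": now})
    return {"ticket": ticket, "authenticator": authenticator}


class Service:
    """Application server holding the service key and a replay cache."""

    def __init__(self, service_key: bytes):
        self.key = service_key
        self.replay_cache = set()

    def handle_ap_req(self, ap_req: dict, now: int) -> bytes:
        t = decrypt(self.key, ap_req["ticket"])  # only the real service can do this
        if now > t["expires"]:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(t["session_key"])
        a = decrypt(session_key, ap_req["authenticator"])
        if a["client"] != t["client"]:
            raise ValueError("authenticator client does not match ticket")
        if abs(now - a["ctime"]) > MAX_SKEW:
            raise ValueError("authenticator outside clock skew window")
        if (a["client"], a["ctime"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["ctime"]))
        # AP-REP: echo the client's timestamp under the session key.  Producing
        # this requires the session key, which only a holder of the service key
        # could have extracted from the ticket; that is the mutual-auth proof.
        return encrypt(session_key, {"ctime": a["ctime"]})


def client_verify_ap_rep(session_key: bytes, ap_rep: bytes, sent_ctime: int) -> bool:
    """Client side: the server is genuine only if it echoed our exact timestamp."""
    try:
        return decrypt(session_key, ap_rep)["ctime"] == sent_ctime
    except ValueError:
        return False


def run_demo() -> dict:
    """Three constructed scenarios: genuine service, replay, impostor service."""
    service_key = os.urandom(32)
    service = Service(service_key)
    session_key, ticket = kdc_issue_ticket(service_key, "alice@EXAMPLE.COM", NOW)
    req = client_ap_req(session_key, ticket, "alice@EXAMPLE.COM", NOW)

    genuine = client_verify_ap_rep(session_key, service.handle_ap_req(req, NOW), NOW)

    try:  # an eavesdropper replays the captured AP-REQ a few seconds later
        service.handle_ap_req(req, NOW + 5)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    impostor = Service(os.urandom(32))  # does not hold the real service key
    try:
        impostor.handle_ap_req(req, NOW)
        impostor_rejected = False
    except ValueError:  # cannot open the ticket, so cannot build a valid AP-REP
        impostor_rejected = True
    forged = encrypt(os.urandom(32), {"ctime": NOW})  # best an impostor can do
    impostor_rejected = impostor_rejected and not client_verify_ap_rep(session_key, forged, NOW)

    return {"genuine": genuine, "replay_rejected": replay_rejected,
            "impostor_rejected": impostor_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The point the exchange makes about a compromised server still holds in the model: the service key is the only secret the server needs, so whoever holds it can answer the AP-REP correctly. Mutual authentication tells the client it is talking to something that has the service key, not that the host behind it is trustworthy.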

