
2.3 Privacy and Integrity

Next, we'll review some concepts that are integral to keeping communications on computer networks secure. In particular, we will discuss the roles of encryption and message-integrity algorithms. The distinction between encryption and message integrity is important, as we'll see later in the discussion of Kerberos encryption types. Those familiar with encryption and message integrity can skip to the next section, which describes the Kerberos-specific terminology.

2.3.1 Encryption

The modern word cryptography is derived from two ancient Greek words: cryptos, which means hidden or secret, and graphein, or writing. Kerberos uses cryptography to provide encryption and decryption of its messages over the network. Encryption refers to the process of converting a message, or plaintext, into gibberish which, if intercepted, does not reveal the contents of the original message. Governments and corporations have long employed encryption to keep their information secure from prying eyes. The emergence of the Internet, where any network administrator can monitor and read traffic on her network and any traffic passing through her network, has forced software makers to build encryption into everyday software programs. Kerberos uses encryption not only to protect the authentication exchanges it sends and receives from snoopers, but also to prevent hackers from creating fake messages. There are many different ways of encrypting data. These methods are referred to as encryption algorithms, or in Kerberos-speak, encryption types. There are several different encryption types that are supported in Kerberos 5 implementations. The most widely supported encryption type is DES, but work is underway to replace it with Triple DES and the new Advanced Encryption Standard (AES). Another widely used encryption type is the RC4 algorithm, which is used primarily in Microsoft's implementation of Kerberos. The advantage of moving to stronger encryption algorithms is protection against brute-force cryptanalysis. We'll take a more detailed look at brute-force attacks against the encryption algorithms in Kerberos in Chapter 6.

2.3.2 Message Integrity

While encryption provides privacy, message integrity assures the recipient that the message was not tampered with in transit. While encryption as it is used in Kerberos gives you message integrity for free, since only the two endpoints have the required key to encrypt and decrypt messages, there are specialized message-integrity algorithms that can ensure message integrity without the overhead of encryption. You will see message-integrity algorithms referred to as one-way hashes, or just hashes. Hashes work as mathematical one-way functions. They take an input message that is arbitrarily long, run it through a mathematical algorithm, and output a fixed-size message (typically 64-256 bits) that represents the input. The idea behind the hash function is that while it is easy to calculate the hash output for a given input, it is mathematically hard to go the opposite way and derive an input that produces the same output, hence their one-way nature.
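The properties described above, as an added example that is not part of the book's text: a one-way hash (SHA-256, chosen here as an illustration; the chapter names no specific algorithm) gives a fixed 256-bit output for inputs of any length and changes unpredictably when a single bit of the input flips, and a keyed checksum built on it (HMAC) lets a recipient who shares the key detect tampering without encrypting the message. The key and messages are constructed sample values.

```python
import hashlib
import hmac
import os


def digest(message: bytes) -> bytes:
    """One-way hash: arbitrary-length input, fixed 256-bit (32-byte) output."""
    return hashlib.sha256(message).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def make_checksum(key: bytes, message: bytes) -> bytes:
    """Keyed message-integrity checksum (HMAC-SHA-256) over the plaintext.

    Only a holder of `key` can produce a valid checksum, so the recipient
    learns whether the message was altered in transit; no encryption is used.
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_checksum(key: bytes, message: bytes, checksum: bytes) -> bool:
    """Recompute the checksum and compare in constant time."""
    return hmac.compare_digest(make_checksum(key, message), checksum)


def demo() -> dict:
    """Run the integrity checks on constructed sample data (not from the book)."""
    key = os.urandom(32)                      # constructed shared key
    short = b"AS-REQ from alice"              # constructed sample messages
    long_ = b"x" * 10_000
    flipped = bytes([short[0] ^ 0x01]) + short[1:]   # one bit changed

    checksum = make_checksum(key, short)
    return {
        "short_digest_len": len(digest(short)),
        "long_digest_len": len(digest(long_)),
        "bits_changed_by_one_bit_flip": differing_bits(digest(short), digest(flipped)),
        "original_verifies": verify_checksum(key, short, checksum),
        "tampered_verifies": verify_checksum(key, flipped, checksum),
        "wrong_key_verifies": verify_checksum(os.urandom(32), short, checksum),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```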

2.4 Kerberos Terminology and Concepts