2.3 Privacy and Integrity
Next, well review some concepts that are integral to keeping communications on computer networks secure. In particular, we will discuss the roles of encryption and message-integrity algorithms. The
distinction between encryption and message-integrity is important, as well see later in the discussion of Kerberos encryption types. Those familiar with encryption and message integrity can skip to the next
section, which describes the Kerberos-specific terminology.
2.3.1 Encryption
The modern word cryptography is derived from two ancient Greek words, cryptos, which means hidden or secret, and graphein, or writing. Kerberos uses cryptography to provide encryption and decryption of
its messages over the network. Therefore, encryption refers to the process of converting a message, or plaintext, into gibberish, which if intercepted, does not reveal the contents of the original message.
Governments and corporations have long employed encryption to keep their information secure from prying eyes. The emergence of the Internet, where any network administrator can monitor and read
traffic on her network and any traffic passing through her network, has forced software makers to build encryption into every day software programs. Kerberos uses encryption not only to protect the
authentication exchanges it sends and receives from snoopers, but also to prevent hackers from creating fake messages.
There are many different ways of encrypting data. These methods are referred to as encryption algorithms, or in Kerberos-speak, encryption types. There are several different encryption types that are
supported in Kerberos 5 implementations. The most widely supported encryption type is DES, but work is underway to replace it with Triple DES and the new Advanced Encryption Standard AES. Another
widely used encryption type is the RC4 algorithm, which is used primarily in Microsofts implementation of Kerberos.
The advantage of moving to stronger encryption algorithms is protection against brute-force cryptanalysis. Well take a look in more detail about brute-force attacks against the encryption
algorithms in Kerberos in Chapter 6
.
2.3.2 Message Integrity
While encryption provides privacy, message integrity ensures the recipient that the message was not tampered with during transit. While encryption as it is used in Kerberos gives you message integrity for
free, since only the two end points have the required key to encrypt and decrypt messages, there are specialized message-integrity algorithms that can ensure message integrity without the overhead of
encryption. You will see message-integrity algorithms referred to as one-way hashes, or just hashes.
Hashes work as mathematical one-way functions. They take an input message that is arbitrarily long, run it through a mathematical algorithm, and output a fixed size typically 64-256 bits message that
represents the input. The idea behind the hash function is that while it is easy to calculate the hash output for a given input, it is mathematically hard to go the opposite way and derive an input that produces the
same output, hence their one-way nature.
[ Team LiB ]
[ Team LiB ]
2.4 Kerberos Terminology and Concepts