LDAP
Lightweight Directory Access Protocol (LDAP) provides a common open protocol for interfacing and querying directory service information provided by network operating systems. LDAP is widely used for the overwhelming majority of internal identity services including, most notably, Active Directory. Directory services play a key role in many applications by exposing key users, computers, services, and other objects to be queried via LDAP.
LDAP is an application layer protocol that uses port 389 via TCP or UDP. LDAP queries can be transmitted in cleartext and, depending upon configuration, can allow for some or all data to be queried anonymously. Naturally, LDAP does support authenticated connections and also secure communication channels leveraging TLS.
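The cleartext and anonymous-bind points above are easiest to see on the wire. The following is an added example, not code from the book or from any LDAP library: it BER-encodes an LDAP version 3 simple BindRequest (RFC 4511) the way a client sends it to port 389, then decodes it the way a passive sensor could, showing that the bind DN and the password are readable octets unless the session is wrapped in TLS (LDAPS or StartTLS). The DN, the password and the function names are constructed for illustration.

```python
"""Encode and inspect LDAP simple-bind requests (RFC 4511 BindRequest, BER-encoded)
to show what travels over port 389 without TLS.

Added example, not code from the book or from any LDAP library. DN, password
and function names are constructed for illustration."""


def _tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with short or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }.
    message_id is assumed to be 1..127 so it fits a one-byte INTEGER."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, op))   # 0x60 = [APPLICATION 0]


def parse_bind_request(pdu: bytes) -> dict:
    """Decode a BindRequest the way a passive sensor on port 389 could."""
    tag, body, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msgid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    info = {"message_id": int.from_bytes(msgid, "big"), "version": version[0], "name": name.decode()}
    if auth_tag == 0x80:                    # simple authentication: the password is the raw OCTET STRING
        info.update(auth="simple", anonymous=(not name and not auth),
                    password_on_wire=auth.decode(errors="replace"))
    elif auth_tag == 0xA3:                  # sasl [3]: the mechanism name is still visible
        _, mech, _ = _read_tlv(auth, 0)
        info.update(auth="sasl", mechanism=mech.decode())
    else:
        raise ValueError(f"unknown AuthenticationChoice tag {auth_tag:#x}")
    return info


def audit_bind(pdu: bytes, over_tls: bool) -> str:
    """Classify a captured bind for logging or alerting."""
    info = parse_bind_request(pdu)
    if info["auth"] == "simple" and info["anonymous"]:
        return "anonymous simple bind"
    if info["auth"] == "simple":
        return "simple bind protected by TLS" if over_tls else "simple bind with cleartext credentials"
    return f"sasl bind ({info['mechanism']})"


if __name__ == "__main__":
    pdu = simple_bind_request(1, "cn=svc-backup,ou=Services,dc=example,dc=com", "Winter2024!")
    print(pdu.hex())
    print(parse_bind_request(pdu))
    print(audit_bind(pdu, over_tls=False))
    print(audit_bind(simple_bind_request(2, "", ""), over_tls=False))
```

The anonymous bind (empty DN, empty password) encodes to the fixed 14 bytes `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`, which is why it is a common signature in directory-server logs; an `audit_bind` verdict of "simple bind with cleartext credentials" is the condition that enabling LDAPS or requiring StartTLS before bind removes.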
Kerberos
Kerberos is a third-party authentication service that may be used to support Single Sign-On. Kerberos (https://www.kerberos.org/), also called Cerberus, was the name of the three-headed dog that guarded the entrance to Hades in Greek mythology. The three heads of the mythical Kerberos were meant to signify the three “A’s” of AAA systems: authentication, authorization, and accountability. In reality, the original Kerberos mainly provided authentication. Some now say that the three heads of Kerberos represent the client, the Key Distribution Center (KDC), and the server.
Exam Warning
Kerberos was developed under Project Athena at the Massachusetts Institute of Technology (MIT). Kerberos is extremely testable; it is best to learn how Kerberos works.
The Kerberos FAQ (see http://www.faqs.org/faqs/kerberos-faq/user/) states: “Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES (Data Encryption Standard)” [11].
Kerberos Characteristics
Kerberos uses symmetric encryption and provides mutual authentication of both clients and servers. It protects against network sniffing and replay attacks. The current version of Kerberos is version 5, described by RFC 4120 [12].
Kerberos has the following components:
- Principal: Client (user) or service
- Realm: A logical Kerberos network
- Ticket: Data that authenticates a principal’s identity
- Credentials: A ticket and a service key
- KDC: Key Distribution Center, which authenticates principals
- TGS: Ticket Granting Service
- TGT: Ticket Granting Ticket
- C/S: Client/Server, regarding communications between the two
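To see how these components fit together, and how symmetric keys give mutual authentication and replay protection, here is an added toy model of the three Kerberos v5 exchanges (AS, TGS and AP) from RFC 4120. It is not code from the book or from MIT Kerberos: the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for the real enctypes, there is no pre-authentication, and the realm `EXAMPLE.COM`, the principals, the password and the class and method names are all constructed for the illustration.

```python
"""Toy model of the Kerberos v5 AS, TGS and AP exchanges (RFC 4120).

Added illustration, not code from the book or from MIT Kerberos. The cipher is an
HMAC-SHA256 keystream plus HMAC tag standing in for real enctypes; no pre-auth;
realm, principals and names such as KDC.as_exchange are constructed here."""
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 8 * 3600   # seconds
MAX_CLOCK_SKEW = 300         # authenticators older than 5 minutes are rejected


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key from password, salted with realm+principal like Kerberos' string2key
    (PBKDF2 here; the real derivation depends on the enctype)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 50_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC of a JSON structure under a symmetric key."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Knows every principal's long-term key; AS and TGS share the krbtgt key."""
    def __init__(self, realm: str):
        self.realm, self.keys, self.krbtgt_key = realm, {}, os.urandom(32)

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: TGT sealed under krbtgt key, session key sealed under client key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": client, "session_key": sk,
                                     "expires": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.keys[client], {"session_key": sk, "realm": self.realm})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.krbtgt_key, tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "service": service, "session_key": sk,
                                           "expires": time.time() + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["session_key"]), {"session_key": sk, "service": service})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """AP-REQ/AP-REP: check ticket, timestamp and replay cache, then answer under the
        session key so the client can verify it reached the genuine service."""
        t = unseal(self.key, ticket)
        if t["service"] != self.name or t["expires"] < time.time():
            raise ValueError("ticket not valid for this service")
        sk = bytes.fromhex(t["session_key"])
        auth = unseal(sk, authenticator)
        if auth["client"] != t["client"] or abs(time.time() - auth["timestamp"]) > MAX_CLOCK_SKEW:
            raise ValueError("bad authenticator or clock skew")
        if (auth["client"], auth["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["timestamp"]))
        return seal(sk, {"timestamp": auth["timestamp"]})


def client_session(kdc: KDC, client: str, password: str, service: Service):
    """Client side of AS -> TGS -> AP; returns the ticket and AP-REQ authenticator it sent."""
    key = string_to_key(password, kdc.realm, client)
    tgt, enc = kdc.as_exchange(client)
    sk_tgs = bytes.fromhex(unseal(key, enc)["session_key"])      # wrong password fails here
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk_tgs, {"client": client, "timestamp": time.time()}),
                                    service.name)
    sk_svc = bytes.fromhex(unseal(sk_tgs, enc2)["session_key"])
    ts = time.time()
    ap_req = seal(sk_svc, {"client": client, "timestamp": ts})
    if unseal(sk_svc, service.ap_exchange(ticket, ap_req))["timestamp"] != ts:
        raise ValueError("server failed mutual authentication")
    return ticket, ap_req


def run_demo() -> dict:
    kdc = KDC("EXAMPLE.COM")                                   # constructed realm
    kdc.register("alice", "correct horse battery")             # constructed principal
    kdc.register("host/files.example.com", os.urandom(16).hex())
    svc = Service("host/files.example.com", kdc.keys["host/files.example.com"])
    ticket, ap_req = client_session(kdc, "alice", "correct horse battery", svc)
    results = {"authenticated": True}
    try:                                                        # a sniffed AP-REQ presented again
        svc.ap_exchange(ticket, ap_req)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    try:
        client_session(kdc, "alice", "wrong password", svc)
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The model maps onto the list above: `alice` and `host/files.example.com` are principals, `EXAMPLE.COM` is the realm, the KDC's `as_exchange` issues the TGT and its `tgs_exchange` plays the TGS, and a credential is the pair of a ticket plus the session key the client can read. The service's replay cache keyed on client and authenticator timestamp is what turns a sniffed AP-REQ into a rejected request, and the AP-REP sealed under the session key is the mutual-authentication step.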