Kerberos
Kerberos is a protocol for secure authentication, encryption, and single sign-on over an insecure network.
It is widely used in organizations to provide authentication alongside LDAP, which provides the user information directory.
It is not widely used on the Internet because Kerberos requires tight clock synchronization between the server (KDC) and the client. Other SSO protocols are preferred on the World Wide Web, for example OAuth.
Kerberos mutually authenticates the application server (AS, e.g. an HTTP server) and the user, within a realm, through a ticket-based system, ensuring that the user's raw credentials are never sent across the network.
Kerberos is extremely complicated, and this is probably another reason why it is not widely adopted outside enterprise scenarios. To mutually authenticate a user, Kerberos exchanges many messages between the client, the key distribution center (KDC), and the application server (AS). For the complete authentication process, watch youtube.com/watch?v=5N242XcKAsM. It explains Kerberos very well.
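As an added illustration (not code from this page or from any real Kerberos implementation), the following Python models the ticket-based exchanges just described: the client turns its password into a key, obtains a ticket-granting ticket from the KDC, trades it for a service ticket, and presents that to the application server, which replies to prove its own identity. It also shows why clock synchronization matters: every authenticator carries a timestamp that is rejected outside a 5-minute skew window. The realm, principal names, the toy cipher (SHA-256 keystream plus HMAC, not a Kerberos enctype) and the string-to-key function are constructed assumptions.

```python
import hashlib, hmac, json, os, time
SKEW, LIFETIME = 300, 8 * 3600          # 5-minute clock-skew tolerance, 8-hour ticket lifetime
def derive_key(password, salt):          # toy string-to-key; real enctypes use PBKDF2/AES or legacy DES/RC4
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
def _xor(key, nonce, data):              # toy SHA-256 counter-mode keystream (assumption, not a Kerberos enctype)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def seal(key, obj):                      # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):                   # a wrong key or tampering fails the tag check instead of decrypting garbage
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()): raise ValueError("integrity check failed")
    return json.loads(_xor(key, nonce, ct))
def check_auth(session_key, authenticator, ticket, seen):   # shared by the KDC's TGS and the application server
    auth, now = unseal(session_key, authenticator), time.time()
    if abs(now - auth["ts"]) > SKEW: raise ValueError("clock skew too large")   # this is why time sync is required
    if now > ticket["expires"]: raise ValueError("ticket expired")
    if (auth["client"], auth["ts"]) in seen: raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))                   # replay cache
    return auth
class KDC:
    def __init__(self, keys): self.keys, self.seen = keys, set()
    def as_exchange(self, client, preauth):   # AS exchange: returns a TGT plus the session key sealed for the client
        if abs(time.time() - unseal(self.keys[client], preauth)["ts"]) > SKEW: raise ValueError("bad pre-authentication")
        sk, exp = os.urandom(32).hex(), time.time() + LIFETIME
        return seal(self.keys["krbtgt"], {"client": client, "sk": sk, "expires": exp}), seal(self.keys[client], {"sk": sk})
    def tgs_exchange(self, tgt, authenticator, service):   # TGS exchange: TGT -> ticket for one service
        t = unseal(self.keys["krbtgt"], tgt)               # the KDC never sees the client's key here, only the TGT
        check_auth(bytes.fromhex(t["sk"]), authenticator, t, self.seen)
        sk2 = os.urandom(32).hex()
        return seal(self.keys[service], {"client": t["client"], "sk": sk2, "expires": t["expires"]}), seal(bytes.fromhex(t["sk"]), {"sk": sk2})
class AppServer:
    def __init__(self, key): self.key, self.seen = key, set()
    def ap_exchange(self, ticket, authenticator):   # AP exchange: verify the client, then prove the server's identity
        t = unseal(self.key, ticket)
        auth = check_auth(bytes.fromhex(t["sk"]), authenticator, t, self.seen)
        return t["client"], seal(bytes.fromhex(t["sk"]), {"ts": auth["ts"]})   # AP-REP echoes the client's timestamp
def login(kdc, server, user, password, service):   # client side; the password never leaves this function
    ck = derive_key(password, "EXAMPLE.ORG" + user)                  # constructed realm name as salt
    tgt, rep = kdc.as_exchange(user, seal(ck, {"ts": time.time()}))  # pre-auth proves key knowledge without sending it
    sk = bytes.fromhex(unseal(ck, rep)["sk"])
    st, rep2 = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": time.time()}), service)
    sk2, ts = bytes.fromhex(unseal(sk, rep2)["sk"]), time.time()
    who, ap_rep = server.ap_exchange(st, seal(sk2, {"client": user, "ts": ts}))
    if unseal(sk2, ap_rep)["ts"] != ts: raise ValueError("server failed mutual authentication")
    return who
```

A wrong password yields a different derived key, so the KDC rejects the pre-authentication blob at the tag check without ever learning the password itself.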
The application protocol must explicitly support Kerberos authentication (such protocols are said to be "Kerberized"). Fortunately, many common protocols today do support Kerberos: LDAP, SSH, IMAP, HTTP, etc. However, Kerberized IMAP is so rare that only a few clients support it. This differs from TLS, which is transparent to the layer-5 protocol above it.
As an open protocol, multiple implementations exist. Active Directory is the most widely used implementation today, arguably the only one. MIT Krb5 is an open-source reference implementation of Kerberos, and it is very lightweight.
Created: November 5, 2023