Difference Between Kerberos and SSL in Tabular Form
- Kerberos and SSL are both protocols: Kerberos is an authentication protocol, whereas SSL is an encryption protocol.
- Kerberos uses UDP; SSL uses TCP most of the time. SSL authentication is usually done by checking the server's and the client's RSA or ECDSA keys, which are embedded in X.509 certificates.
- With SSL you are authenticated by your certificate and the corresponding private key. With Kerberos you can be authenticated by your password or by some other means; Windows, for example, uses Kerberos when joined to a domain.
| Kerberos | SSL |
|---|---|
| Uses private-key (symmetric) encryption. | Uses public-key encryption. |
| Based on a trusted third party. | Based on certificates. |
| Ideal for a network environment. | Ideal for the WWW. |
| Key revocation can be accomplished by disabling a user at the authentication server. | Key revocation requires a revocation server to keep track of bad certificates. |
| Passwords reside in users' minds, where they are usually not subject to secret attacks. | Certificates sit on a user's hard drive, where they are subject to being cracked. |
| Kerberos is open source and freely available. | Uses patented material, so the service is not free. |
What is Kerberos?
- Kerberos is a protocol for authentication between nodes in a computer network over non-secure links. It allows nodes to prove their identity to one another in a secure manner. It is aimed primarily at a client-server model, and it provides mutual authentication: both the user and the server verify each other's identity. It is important to understand that Kerberos may be used to authenticate a client to several different servers at the same time. The Kerberos protocol messages are protected against eavesdropping and replay attacks.
- Kerberos authentication is widely used in Microsoft products like Windows 2000 and later Windows NT-based operating systems. Cross-platform Active Directory integration vendors have extended the Integrated Windows Authentication paradigm to UNIX, Linux, and Mac systems.
- The protocol was designed at the Massachusetts Institute of Technology (MIT) and was implemented in a software product of the same name, Kerberos. Some confusion stems from the fact that there are several programs with similar names. Typical questions include “Why does Kerberos use SSL?” and “Is SSL a part of the Kerberos protocol?”
- SSL is not part of the Kerberos protocol, but software that uses Kerberos for client and server authentication may use SSL as well.
- For example, SecureBlackbox uses Kerberos for client authentication through GSS-API (Generic Security Services Application Program Interface), which is the standard mechanism to access security services for the C (RFC 2744) and Java (JSR-072) languages.
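As an added illustration of the trusted-third-party model described above (this is not code from the page or from SecureBlackbox), the following Python sketches a simplified Kerberos-style exchange: a KDC that shares a long-term secret with each principal, a ticket the client cannot read, a timestamped authenticator, a replay cache at the service, and the mutual-authentication reply. The SHA-256 keystream, the single 300-second window and the principal names and passwords are constructed placeholders; real Kerberos uses its defined AES encryption types and separate lifetime and clock-skew limits.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):  # toy keystream from SHA-256; a stand-in for Kerberos' real AES enctypes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC: a forged or tampered message fails before it is parsed
    nonce, pt = os.urandom(12), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC failure: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# The trusted third party: a KDC holding one long-term secret per principal (constructed sample data).
KDC_DB = {"alice": hashlib.sha256(b"alice-password").digest(), "fileserver": os.urandom(32)}
LIFETIME = 300  # ticket lifetime in seconds; also the clock-skew window the service tolerates
def kdc_issue(client, service):
    # The reply is readable only by the client; the ticket inside it only by the service.
    session, now = os.urandom(32).hex(), time.time()
    ticket = seal(KDC_DB[service], {"client": client, "key": session, "expires": now + LIFETIME})
    return seal(KDC_DB[client], {"key": session, "service": service, "ticket": ticket.hex()})

def client_login(client, password, service):
    # Knowing the password is what lets the client open the reply; no certificate is involved.
    reply = unseal(hashlib.sha256(password).digest(), kdc_issue(client, service))
    session = bytes.fromhex(reply["key"])
    authenticator = seal(session, {"client": client, "ts": time.time()})
    return bytes.fromhex(reply["ticket"]), authenticator, session

class Service:
    def __init__(self, name):
        self.key, self.seen = KDC_DB[name], set()  # 'seen' is the replay cache
    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        if t["expires"] < time.time(): return "expired"
        session = bytes.fromhex(t["key"])
        a = unseal(session, authenticator)  # only a holder of the session key can have built this
        if a["client"] != t["client"] or abs(a["ts"] - time.time()) > LIFETIME: return "bad authenticator"
        if (a["client"], a["ts"]) in self.seen: return "replay"
        self.seen.add((a["client"], a["ts"]))
        return seal(session, {"ts": a["ts"] + 1})  # mutual auth: proves the service could read the ticket

def demo():
    svc = Service("fileserver")
    ticket, auth, session = client_login("alice", b"alice-password", "fileserver")
    echoed = unseal(session, svc.accept(ticket, auth))["ts"]  # client checks the ts+1 reply
    return echoed == unseal(session, auth)["ts"] + 1, svc.accept(ticket, auth)  # second call replays
```

Note that a captured ticket alone is useless to an eavesdropper: without the session key no valid authenticator can be built, and resending a captured authenticator is caught by the replay cache.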
What is SSL/TLS?
- SSL, which stands for Secure Socket Layer, is a cryptographic protocol that provides secure communication over a non-secure network. SSL is an obsolete protocol; its modern version is called TLS (Transport Layer Security). TLS and SSL encrypt the segments of network connections, using symmetric cryptography for privacy and a keyed message authentication code for message reliability.
- TLS provides security in the sense that it proves the integrity of the data transferred, provides nonrepudiation and certifies the source of this data. As a rule, but not necessarily, it encrypts the data.
- This protocol is implemented in various applications (web browsing, email, instant messaging, voice-over-IP, etc.) and other protocols (such as FTP).
- SecureBlackbox offers SSL/TLS as an independent transport layer and as a part of transport protocols like FTP, SSH, and SFTP. The last two support authentication with the help of GSS-API, which means they can use Kerberos.
- TLS is an IETF standards-track protocol, last updated in RFC 5246, and is based on the earlier SSL specifications developed by the Netscape Corporation.