Authentication: Kerberos or SSL?

Question

I'm in the "pre-design" phase (if there is such a thing!) for a Java EE app that will use a Swing box on the client end and implement components for both web and server tiers.

I'm instantly presented with some technology choices and have been reading up on the differences between how Kerberos and SSL work. One area that I have not been able to find any answers to has been the subject of how to choose between Kerberos or SSL. In other words, how do you tell when it is appropriate to use either protocol?

Let's assume that the Swing client isn't bound by a particular transport (UDP, TCP or otherwise) and could use either/any. How does one choose between which of these two is a better match for their application?

Thanks!

Possible duplicate of http://stackoverflow.com/questions/111386/difference-between-ssl-and-kerberos-authentication — Eugene Mayevski 'Callback, Feb 02 '11 at 18:21
Not asking for the difference between them (i.e. how they work); interested in what the best practices dictate for deciding when to use both of them. — Pam, Feb 02 '11 at 20:17
"Best practices" are subjective. Learn the differences and decide yourself. — Eugene Mayevski 'Callback, Feb 04 '11 at 09:57

score 5 · Answer 1 · answered Jul 29 '11 at 01:25

and suddenly (several months later) a wild Sys Admin appears...

I'm going to have to be a voice of dissent on this. The notion that you would ever establish a PKI without a CA is incredibly absurd. You have to maintain the integrity and performance of the PKI by streamlining the creation process. You have to create and store the certs somewhere, where is that going to be? Boom, you have a CA. Any decent PKI is also going to require a CRL be maintained, is the administrator supposed to just write that by hand? You can also forget about having different types of 509's as the overhead of maintaining that by hand would blow-your-mind-wide-open-and-turn-it-into-grey-slurry.

I suppose you could just manually create the tickets with openssl's CLI and just ftp them to the remote clients, but that gets to be a HUGE hassle for deployments of appreciable size. Essentially, if your deployment is so small that generating the certs by hand (repetitive entering of information and all) and then just not worrying about a CRL is a reasonable plan, you don't need an advanced authentication system at all. Something along the lines of TLS+LDAP (one server cert for confidentiality and not authentication) is more appropriate.

Ok, now that I've cleared some misconceptions, let's actually answer your question: When would you want to use SSL over Kerberos for authentication? x509-based authentication is an incredibly nebulous beast, mostly on account that most people (like Michael-O above) don't realize that SSL work specifically because it's authenticating users. There are a few FTP programs that I know of that authenticate that way, middleware employs it...sometimes (which sounds close to your use case from the java talk), and vpn clients/gateways often authenticate with SSL certs.

Usage of SSL would imply the PKI I spoke of up there, which would work great if your use case involves confidentiality. DoD is a good example of an enterprise that makes extensive use of PKI for functions outside of authentication. In that context, supposing all relevant client programs support x509 authentication makes a lot of sense. It's still an exotic set up, and you would still have to figure out how the end-users will "present" their SSL credentials to the system (client configuration, smart cards, etc) but it would fit together nicely. Besides the odd fit, kerberos authenticates by way of a temporary ticket, whereas SSL certs typically last a long time (which is why a CRL is required) meaning that if the never-changing key is factored on one cert the attacker will have several months of free rides before they have to find a new cert, versus kerberos where they only have it for a day and that's only if the ticket isn't destroyed.

All other cases should use Kerberos authentication when possible. It provides the right layer of security and is actually designed as a large network authentication system, which is why you have things that are hard to duplicate with SSL (like authenticating as a service instead of a regular user) and just plain work for their intended purpose. Your use cases are always going to need to take into account existing infrastructure which is probably going to be kerberos-oriented, sometimes LDAPS-oriented, but almost never x509 authentication-oriented. In other words: whatever you're writing is MUCH more likely to be running in a kerberos infrastructure already, so you might as well plug into that somehow. You'll also benefit more from administrator familiarity with Kerberos-as-authentication than 509-as-authentication. The con on this is that confidentiality outside of the ticket is kind of a joke. NFSv4 has some weak DES (and no I didn't mean 3DES even) encryption that it (somehow) relates to the kerberos ticket but it does authentication and that's basically all it does.

I'd like to see some of x509's flexibility combined with kerberos-style infrastructure (recognition of services and the "one time pad" aspect of having a soon-to-expire ticket) incorporated into a solution that was more widely implemented than x509 is now, but at this stage it's mostly day-dreaming.

Summary:

x509 is good if infrastructure requirements won't be a problem and you'll be using PKI for other stuff anyways, but might be duplicating effort needlessly otherwise or if the deployment is probably going to have a kerberos infrastructure anyways.

Kerberos is a similar but better authentication scheme that is more widely used/understood but won't help you with PKI at all, you get authentication, and that is it.

Regarding credentials life-time, Kerberos tickets are more akin to proxy certificates (RFC 3820), which are short-lived (and can be purpose-specific, depending on the attributes). A big difference between X.509/PKI and Kerberos is that Kerberos requires the client to be able to contact the KDC, whereas the PKI doesn't need to be online at all times (provided CRLs are reloaded often enough). Kerberos also uses symmetric crypto, with proven mathematical properties (but also requires the KDC to know the user's secret), whereas X.509 uses asymmetric crypto, still based on conjectures AFAIK. — Bruno, Nov 30 '11 at 10:49

score 5 · Answer 2 · edited Oct 07 '21 at 05:54

Comparing Kerberos and SSL/TLS doesn't make sense.

Kerberos is an authentication protocol.
TLS is a protocol for securing the communication between two parties, which relies on mechanisms for authentication and encryption. How they work depend on the chosen cipher suite. Although most usages of TLS (e.g. HTTPS) use X.509 certificates, in which case you're likely to use a PKI for the authentication of the remote party, Kerberos cipher suites can also be used. Few TLS stacks support these Kerberos cipher suites as far as I'm aware (Java does).

It doesn't have to be one or the other. For example, even if you're using SPNEGO (Kerberos) HTTP authentication, it often makes sense to secure the transport using TLS (often with an X.509 certificate on the server side, verified via a PKI). If not, the SPNEGO tokens exchanged in the HTTP headers guarantee the authentication, but the rest of the HTTP messages could have been modified by an attacker.

score 2 · Answer 3 · answered Feb 02 '11 at 18:15

2

This could be useful:

http://www.faqs.org/faqs/kerberos-faq/general/section-31.html

answered Feb 02 '11 at 18:15

thkala

84,049
23
157
201

score 2 · Answer 4 · answered Feb 02 '11 at 18:16

2

Consider that any solution involving Kerberos will be more complicated than SSL because it requires an additional, third component, the Authentication Server, which must be managed and administered (e.g. MS Active Directory) whereas SSL is simply a client/server protocol.

answered Feb 02 '11 at 18:16

maerics

151,642
46
269
291

Thanks - do you know if there are any notable performance differentials between either protocols? – Pam Feb 02 '11 at 18:18
2

Actually SSL requires a third party too - the Certification Authority. Which you actually have to pay for... unless you set-up your own CA in your domain, or you distribute certificates by hand (painful for anything over 10 clients). – thkala Feb 02 '11 at 18:19
1

But as you mentioned, SSL doesn't *require* the CA - you can use self-signed certificates or distribute your own as you mentioned. With Kerberos you *must* have an AS. Moreover, the Kerberos protocol requires communication with the AS for each auth request, whereas in SSL the CA is never contacted directly. – maerics Feb 02 '11 at 18:39
Clients cache tickets, so reducing the amount they need to contact the Kerberos Domain Controller. If a tickets lasts 2 hours, then the client won't have to go re-fetch for 2 hours but will keep using its cached ticket. – Richard Corfield Aug 04 '11 at 15:11

Michael-O · Answer 5 · 2012-06-28T08:03:34.963

1

You are mixing stuff. Kerberos is an authentication protocol, SSL ist encryption. Kerberos is the way to go if you are in a corporate environment.

Edit: Kerberos can also encrypt your data traffic transparently. No need for SSL certiticates.

edited Jun 28 '12 at 08:03

answered Jun 29 '11 at 16:28

Michael-O

18,123
6
55
121

Kerberos isn't going to "encrypt data traffic transparently" without being combined to another protocol. What do you have in mind here? – Bruno Jun 28 '12 at 11:18
1

Of course it will. Our Tomcat <> AD traffic is fully encrypted. You have to setup your context with encryption and wrap/unwrap your messages. If you use `SASL` you can set [quality of protection](http://docs.oracle.com/javase/1.5.0/docs/api/javax/security/sasl/Sasl.html#QOP) and everything will happen transparently. – Michael-O Jun 28 '12 at 12:38
1

Kerberos encrypt its own traffic, regarding the exchange of the tickets (so the authentication is encrypted, of course), but that says nothing about the application traffic (e.g. HTTP). That's precisely why it doesn't make sense to compare Kerberos and SSL. Saying "*Kerberos is an authentication protocol, SSL ist encryption.*" doesn't quite make sense either: both can be encrypted, Kerberos is an authentication protocol and SSL/TLS is a protocol to protect the transport of data between two parties. – Bruno Jun 28 '12 at 13:07
1

I was not talking about auth encyrption but about message encryption. Neither was I talking about HTTP specifically. Keberos **can** encrypt traffic. HTTP is just flawed and not designed for that. SASL capable protocols will work like LDAP, IMAP, SMTP and so forth. Just because you don't know it, it does not mean that it does not work. – Michael-O Jun 28 '12 at 13:12
1

That's my point, you need a couple of extra layers here: SASL and GSS-API. It's not Kerberos vs SSL/TLS, it's Kerberos + SSL/TLS or Kerberos + SASL/GSS-API (or SASL with TLS). – Bruno Jun 28 '12 at 13:36
1

Actually not, SASL is just an abstraction layer. You can do easy wrapping by yourself. This comes for free with Kerberos. As a side node, there is no Kerberos + GSS-API, there is only GSS-API. Kerberos does not have a distinct API. – Michael-O Jun 28 '12 at 13:43
1

Kerberos is a protocol, not an API. There are Kerberos libraries that don't necessarily implement GSS. That's why it doesn't make any sense to compare them one against the other. – Bruno Jun 28 '12 at 14:02
1

Which are these libs? I have never seen anything but GSS-API or SSPI. – Michael-O Jun 28 '12 at 14:28
1

MIT [libkrb5](http://web.mit.edu/kerberos/krb5-current/doc/krb_appldev/refs/api/index.html), for example. It can be used with GSS-API, but it comes with its own API. Anyway GSS-API is also a wrapper API, which can be used with other protocols and APIs. – Bruno Jun 28 '12 at 14:34

Authentication: Kerberos or SSL?

5 Answers5

Linked