Difference between SSL and Kerberos authentication?
I am trying to understand what's the actual difference between SSL and Kerberos authentications, and why sometimes I have both SSL traffic and Kerberos. Or does Kerberos use SSL in any way?
Anyone could help? Thank you!
Answer
SSL uses public key cryptography:
- You (or your browser) has a public/private keypair
- The server has a public/private key as well
- You generate a symmetric session key
- You encrypt with the server's public key and send this encrypted session key to the server.
- The server decrypts the encrypted session key with its private key.
- You and the server begin communicating using the symmetric session key (basically because symmetric keys are faster).
Kerberos does not use public key cryptography. It uses a trusted 3rd party. Here's a sketch:
- You both (server and client) prove your identity to a trusted 3rd party (via a secret).
- When you want to use the server, you check and see that the server is trustworthy. Meanwhile, the server checks to see that you are trustworthy. Now, mutually assured of each others' identity. You can communicate with the server. 2