Chapter 5. Secure authentication with Kerberos
This chapter covers
- Alternatives to password-based authentication
- Kerberos and Java GSS API
- WS-Security with Kerberos
In the previous chapter, we showed you how to claim your identity using passwords. We discussed two schemes: one that requires you to submit your password in clear text and another that helps you guard your password from snoopers, people who intend to steal it while it is on the wire. Both schemes required you to first register a username and password with each of your service providers. Like most users, you probably reuse the same username and password when registering with several services. This makes you susceptible to credential-reuse attacks: anyone who obtains the username and password held by one service, an administrator of that service included, can present them to the other services you registered with and spoof your identity there. Is there a way out of this mess without burdening yourself with the inhuman task of creating and remembering a unique username and password combination for each service? Kerberos is the security technology that first provided an answer to this question.
In fact, Kerberos answers several other significant questions related to SOA security. How do we ensure the confidentiality of messages while they are in transit? Can we detect tampering of messages by a man in the middle? Kerberos answers these questions as well, because the session key it establishes between a client and a service can be used to encrypt and integrity-protect the messages they subsequently exchange.