Kerberos - Commercial or Open Source?

Network security is something the average Joe or Sally might take for granted. Assuming that just because you have logged on to the system with a password that all should be well and dandy. Network security might be transparent and not usually something that a normal user would want to concern themselves with as they assume that to be the responsibility of the network administrator. With this in mind then why are these things that seem so transparent and unimportant to the user play such an important part in authentication systems. Also what role do these play in terms of network security? When choosing authentication systems how do you go about in selecting one out the many that are available on the market and with that said how do you decide between commercial or open licence authentication systems?

The fact that products based on open source environments have won acceptance within enterprise IT shops is evident by the growing number of deployments and the movement of Kerberos to a top tier authentication system among major independent authentication software system makers and implementers. According to FCW (FCW, 2005a) once a curiosity of computer rooms, open-source software applications are now giving commercial programs a run for their money in public-sector information technology shops. In fact, public-sector IT managers say free licensing isn't necessarily the most attractive characteristic of the best open-source products today. Many stand out for their stable programming code and array of useful features or, conversely, their stripped-down feature sets that eliminate unnecessary bells and whistles.

An authentication system is a process by which someone is securely identified as the person who they claim they are. There are various methods of authenticating ones identity but these methods mainly fall in three categories:

· Something you know - This is a one-way authentication method used in various systems and is in the form of passwords, which may be date of births, maiden names and so forth.
· Something you have – This is a token-based authentication system method, which involves carrying a physical token that can be seen as hard to forge. This can be driving licence or key.
· Something you are – These are biometric authentication methods that use physiological characteristics such as fingerprints, tone of voice or facial image.

Each authentication system on the market has its strengths and weaknesses as most if not all are susceptible to at least one of more possible attacks because tokens can be stolen, passwords may be predicted or they just may be hacked. There is a saying that “if humans can create a system then it can also be defeated or broken by humans”. This is where multifactor authentication methods come in, as they are referred to as strong authentication. Authentication systems can be of single or multi-factor. An authentication factor is a piece of information used to authenticate or verify a person's identity for security purposes (Wikipedia, n.d d).

When putting an authentication system in place allowing for a multi-factor authentication process can greatly aid in reducing any vulnerabilities in the process of authorising the intended users of the system which would also in turn create difficulties for unwanted parties to access the system. In doing so the design also has to take into account that although asking for many authenticators before accessing the system will insure a more secure system it might also alienate the users with too much information they may have to possess or remember in order to gain access to the system. For this reason most systems tend to lean on the 2-3-factor system. This is partly due to the fact that authentication systems go hand-in-hand with usability and design as they are all part of the architecture design of the system.

We have entered a digital world in full swing now, so can this shift into this digital age be the reason why there is so much fraud happening around us? People are now sending emails to trick people into giving up their passwords through masquerading as legitimate institutions and through various use of computer programs people are able to bypass security systems to gain access to areas where they are not normally allowed. In there lies the reason why we need authentication systems, as we can now appreciate from the above that occasionally people misrepresent their identities which in effect is a means of subverting the authentication systems.

Before deploying an authentication system there are a lot of factors that are considered such as whether it is economically feasible, easy to administer as well as maintenance issues. According to the authors of Biometrics and Strong Authentication (Ware, Karl, 2002, p.33-60) the important features of an authentication system as enrolment, maintenance, revocation and the handling of potential problems. A review of a system’s vulnerabilities can also influence the design and implementation of a particular authentication system. Authentication systems provide differing levels of functionality but at a minimum should allow verification of all users enrolling on to the system.

So what is Kerberos? If you haven’t already gathered - Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology (MIT, 2007). It is also provided in various commercial products.

How Kerberos Works

Kerberos is a complicated system that can offer protection against many network attacks and vulnerabilities and also provides a plethora of mechanisms for doing so. It provides ways of mutual authentication between two parties such as a client and a server way before the communication connection is established or opened between the two parties. The protocol assumes the path of communication or network is not secure and that it may be susceptible to eavesdropping – an attack mainly referred to as “man in the middle”.

A man in the middle attack generally occurs when the hacker acts as the “man in the middle” between two computers. The hacker attempts to pretend to each computer that it is in fact, the computer they have connected to. In reality, all the data is being routed to the hacker, who can then modify or add instructions to the data. (Learning Networking, n.d)

In today’s world where not everyone is so innocent, this software plays a great role in this environment as it solves issues by authenticating users of a network whereby the user’s password never needs to go over the network. It uses electronic tickets that are encrypted over the network. The user is then authenticated by a central server called a KDC (Key Distribution Center) which also issues a ticket that allows the user to access the network and the services available. Below is a tutorial courtesy of Learn Networking (Learning Networking, n.d) showing how Kerberos works:

1. - The authentication service, or AS, receives the request by the client and verifies that the client is indeed the computer it claims to be. This is usually just a simple database lookup of the user’s ID.

2. - Upon verification, a timestamp is created. This puts the current time in a user session, along with an expiration date. The default expiration date of a timestamp is 8 hours. The encryption key is then created. The timestamp ensures that when 8 hours is up, the encryption key is useless. (This is used to make sure a hacker doesn’t intercept the data, and try to crack the key. Almost all keys are able to be cracked, but it will take a lot longer than 8 hours to do so)

3. - The key is sent back to the client in the form of a ticket-granting ticket, or TGT. This is a simple ticket that is issued by the authentication service. It is used for authenticating the client for future reference.

4. - The client submits the ticket-granting ticket to the ticket-granting server, or TGS, to get authenticated.

5. - The TGS creates an encrypted key with a timestamp, and grants the client a service ticket.

6. - The client decrypts the ticket, tells the TGS it has done so, and then sends its own encrypted key to the service.

7. - The service decrypts the key, and makes sure the timestamp is still valid. If it is, the service contacts the key distribution center to receive a session that is returned to the client.

8. - The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server.

Is all that back-and-forth communication really necessary? When concerning speed and reliability, it is entirely necessary. After the communication is made between the client and server, no further need of transmitting logon information is needed. The client is authenticated until the session expires.

Kerberos uses symmetric-key algorithm and some versions also use a public key cryptography. Wikipedia describes symmetric-key algorithm as a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption key, in that they may be identical or there is a simple transform to go between the two keys. The keys in practice represent a shared secret between two or more parties that can be used to maintain a private information link (Wikipedia, n.d b). In Kerberos, the keys are only known to the user and the KDC. The user can be a client, host or service. Through the use of symmetrical encryption it means that when a message is sent between the two communicating parties the message can only be decrypted by the key used to encrypt the message this is because the keys are only visible or known to the two parties which allows for secure transit of information across the communicating path. The details of the user, services, or hosts and their keys are saved on a Kerberos database. Considering that Kerberos is properly implemented it can help combat network problems such as password sniffing, password filename/database stealing, eavesdropping and replay attacks. Kerberos also has a mechanism for providing detection and prevents unauthorised reading through the use of DES (Data Encryption Standards), 3DES (Triple DES) and AES (Advanced Encryption Standards).

DES: is a cipher used to encrypt data but as it was considered to be insecure for many systems so it has since seen further improvements as such AES, its successor which uses block ciphers to encrypt information. DES has a key size of 56 bits. A key is a value in cryptography that is used in the encryption algorithm to a string or a block or text in order to obtain an encrypted or decrypted version of that text. The length of the key is a factor in considering how difficult it will be to decrypt the text in a given message. Cryptography deals with information confidentiality, data integrity, non- repudiation and authentication.

Triple DES: This is an extension to DES in order to find a more secure and robust ciphering method. Triple DES uses the original DES algorithm literally three times to encrypt data. Although not in common use due to the development of AES, Triple DES can stand its own ground still. Compared to DES, TDES uses 3-keys meaning that it uses three 56-bit DES keys as illustrated below. Due to certain attacks such as man in the middle it reduces the effectiveness of the TDES as it reduces the key bits to 112 and also greatly infringes on the security provided by this method. A variant, called two-key TDES (2-key TDES), uses k1 = k3, thus reducing the key size to 112 bits and the storage length to 128 bits. However, this mode is susceptible to certain chosen-plaintext or known-plaintext attacks and thus it is officially designated to have only 80-bits of security. When it was found that a 56-bit key of DES is not enough to guard against brute force attacks, TDES was chosen as a simple way to enlarge the key space without a need to switch to a new algorithm (Wikipedia, n.d c).

Photo caption

AES: Compared to the above two AES has support for the use of more key bits to the size of 128 bits. Where previous algorithms were created for use internally within the USA, when AES was developed it was intended for worldwide use as a royalty free cipher method. It was requested offer security of a sufficient level to protect data for the next 20 to 30 years. With the larger key size capability it means that AES can offer a lot more security and the enhanced mechanism also included in AES also allow for faster data encryption than both DES and Triple DES.

According to search security (Search Security, 2007) the implementations the of above were tested extensively in ANSI C and Java languages for speed and reliability in such measures as encryption and decryption speeds, key and algorithm set-up time and resistance to various attacks, both in hardware- and software-centric systems.

Not such a perfect world

We do not live in a perfect word so even something that is claimed to be a truly strong system can often have some drawbacks. Hence the previous phase of “if humans can create a system then humans can also defeat it ”. There are web sites solely dedicated to hacking systems and exploiting their vulnerabilities. Once this information is shared on the public domain it weakness the system that a company might have in place, as unwanted parties may use these weaknesses to gain access to their system. Web sites like Hack-a-day have pages dedicated to showing how authentication systems can be weakened or exploited in order to gain access to them. The tutorial on authentication system weakness also included a talk by Zac Frenken a technology executive in London on how authentication systems can be exploited not through the software but the physical hardware like the Wiegand-protocol access card reader (O’Brien, Will, 2007) he demoed an excellent exploit tools saying that rather than focusing on the access mechanism, he exploited the lack of reader installation security. A plastic cover and a pair of screws secure most card readers. Inside, the reader wires are vulnerable. He put together the equivalent of a keyboard sniffer for the reader wiring. With this little device in place, he was able to collect access codes and use them to exploit the reader authentication system.

Back in 2004, according to Tech World The Massachussetts Institute of Technology (MIT) was warned of security vulnerabilities in its implementation of Kerberos that could allow attackers free access to protected systems. Users of MIT Kerberos 5 were urged to apply patches immediately (Broersma, Matthew, 2007). The bugs that were discovered were found to able to allow unauthenticated users to compromise a system which could also allow the execution of malicious code. These bugs are were found by a security firm but can also be found be dedicated hackers like those belonging to the above forums as well as other hacker conversions like those organised by DEFCON, a widely known organisation and thought to be the largest underground hacking convention in the world.

According to Security Solutions there are hacker conventions held yearly which also have a have great turn out. The author estimates that DEF CON attendees are usually made up of one-third hackers, one-third government officials and one-third corporate officials. The two latter groups attend in part to study up on new methods criminal hackers are using and to remain steps ahead of the “bad guys.”(Roe Ashley, 2007). Also when these exploits are in public view it forces the software vendors to update their software taking into account these flaws discovered. Although some may argue that is part of a business strategy so that they can constantly update their software with flaws that they already knew existed. Discussing whether companies do that or whether Kerberos does that is beyond the scope of this discussion.

Kerberos The Drawbacks

Kerberos, although a strong system it may still be a work in progress, as they would hate to make the same mistake as in the Titanic and claim it to be “unsinkable” or in this case unbreakable. Like any other product on the market that is similar or working to achieve the same object they all still constantly need to update their software in light of the current and future threats on the software and those that use it. Kerberos limitations or drawbacks are listed below:

The KDC has a single point of failure in that if it is down then no one on the network can log on unless there are multiple servers (Wikipedia, n.d a).
If an attacker gains access to the KDC they would have all the hosts’ keys, configuration software as well as the likelihood of bringing the whole network down as the KDC also store keys for other network software that may be used.
Kerberos authentication relies on the use of a timestamps in order to safe guard against reuse, this is so that hosts can be synchronised. If synchronisation fails then authentication does not occur. This is sometimes remedied by the use of NTP daemons that help in keeping the hosts synchronised or ensuring that the clock times are no more than 10 minutes apart.
May still be susceptible to replay attacks according to AT&T Laboratories (Bellovin, Steven M and Merritt, Michael, 2007). This is done through the interception of Kerberos tickets and using that ticket to subvert the system into gaining authentication or using the ticket for a brute force attack on other intercepted tickets.

Everyone Wants A Piece Of The Action

The collaboration between MIT and IBM resulted in Kerberos, which is a highly successful protocol and the popular use in various software applications has seen this being extended to being built into hardware. Kerberos is used in devices such as gaming consoles like Xbox, Windows (2000, XP, Server 2003 and Vista), Cisco Routers and Switches, Apache 2, Oracle RDBMS. Samba also a networking protocol also use some of the authentication tools provided in Kerberos. Its ease of implementation and practicality makes it popular amongst these companies and many others. The fact it is freely available allows other vendors to utilise many functionalities of Kerberos as well as build on the protocol itself.

Kerberos - Open Source

There are many versions of the open source Kerberos just like the commercial licence and some provide more enhancements than others but all work to serve the same purpose – that of authentication. Cygnus Solutions and Royal Institute of Technology also provide open source versions on Kerberos. This all came about when Kerberos was considered a munition and was banned for export from America (Wikipedia, n.d a), because they used the DES encryption algorithm before the USA relaxed their regulations of cryptography export regulations. Open Source versions of Kerberos can be obtained directly from MIT but currently does not officially provide support for the released versions. Support is available from many communities on the Internet together with discussion forums on new developments and other information that may be useful when deploying Kerberos.

All the relevant files needed together with an FAQ, and installation guide are available on their website together with fundamentals that should be read before putting the software on machines to save time asking unnecessary questions about consequent actions taken in deploying it fully. The cost of support can vary with open source as it can be either out sourced or it can be internal. Just because its internal does not mean it will come cheap as stuff may have to be sent on training courses to learn about the software. These course may also range from £200 to £3000 depending on whether the course are taken up individually or as a group in internal training.

Kerberos – Commercial Licence

Among the commercial licences offered by software vendors supplying Kerberos is CyberSafe Corporation and was first to provide the first commercial Kerberos version 4 and 5 product in 1992 and 1993 respectively (Oak Ridge National Laboratory, n.d). The company has been responsible for integrating Kerberos with Oracle Universal Server. The Kerberos licence offered by CyberSafe is named TrustBroker. It can be hosted on UNIX platforms and also on Microsoft Windows NT/2000 Servers. It has been written to support Kerberos based authentication as well as Public Key (utilising X.509 v3 certificates on smart cards) and also supports the complementary use of token cards to give stronger two-factor authentication for specific users (CyberSafe, 2006a). With a lot of experience in providing network security solutions so CyberSafe is no stranger to the ins and outs of how Kerberos works and what its capable of. The product offered enables network users to securely access the network with just one password and with this they have access to various resources on the network that may be available to them. Below are the features offered by the TrustBroker licence together with the prices (Oak Ridge National Laboratory, n.d):

Secures network applications, such as rlogin, rsh, rcp, and telnet password checking incremental propagation
Integration with token security cards
Interoperability with DCE Security and Kerberos Versions 5 and 4.
GUI administration

Licence Costs Per Seat Basis:

KDC - £ 4,500 to £11,000
Clients - £30 - £55 each
Application servers £100
GSSAPI toolkit £1,500
MVS toolkit £10,000
Virtual private network £25 - £50,000
Support cost packages are tailored to level required and system obtained.

CyberSafe offers interoperable products and supports heterogeneous environments. It is also supported on many platforms including Windows, Unix, Solaris and HP-UX to name a few. The graphic illustration below (CyberSafe, 2006b) shows how CyberSafe software works with Microsoft products and in doing so workstations running Windows software can log on to the CyberSafe KDC. After authentication is complete the user can then gain access to Microsoft or Unix Server stations. Users can also log on to Microsoft Active Directory KDC to obtain service tickets through the CyberSafe KDC that is on a secure Unix server. The Microsoft Active Directory KDC is also used with CyberSafe Secure Client to authenticate users. CyberSafe has created mechanisms that allow a user’s profile changes to by synchronised between the two KDCs.

CyberSafe offers various levels of product support, which also includes online support and hands on support for CyberSafe products as well as third party products. Problems logged with CyberSafe can also be tracked through their web support.

Kerberos Open Source or Commercial Licence? That is the question.

There are various advantages of choosing open source over commercial licence and vice-versa. These may also differ if we were comparing two different products. In this case we are comparing the same product offered in two different licences but when considering which one to choose there are various comparison properties to look at such as those listed below.

Disadvantages of commercial licences compared to open source

Costs – There is usually large costs involved in obtaining a commercial licence and depending on how the cost is set up whether as a whole or per client basis then these may add up.
Safety – Commercial licences do not disclose the source code so if there were any changes to be made you would have to wait for an update release from the software vendor.
Stability and performance - Open source systems can be optimised because the source is available to allow for that to happen should that be required when deploying.
Support – Commercial licence support may incur cost for each support visit or requests.

Advantages of commercial licences compared to open source

Safety for the future – Development of future updates may not be guaranteed on open source products which may leave this a responsibility of the company taking on the open source code, which may mean that a company would have to have the skilled professional who can take on that task should the need arise.
Development know-how – As with the above point know-how from internal stuff would have to have the skill to make the necessary modifications to bring the software to the specification required by the company.
Stability + performance – Open source software is not always extensively tested as testing is usually done by communities online who then contribute there findings and improvements which may affect stability if you take on open source licence without knowing the full capabilities or vulnerability and how they would integrate with the current system in place.
Guarantee - For open source products there is no guarantee of interoperability with other platforms that may be in use.
Support - With the support reaction times can be agreed, which imply delicate contractual penalties in case of non-observance - therefore an extensive support is guaranteed from most vendors.

With Kerberos being more mainstream as the popularity and wide use has proven. Vendors and end user realise that open source software is not immune from the many deployment pitfalls (FCW, 2005b) that plague commercial software which includes the problems faced when integrating opens software into an already running system in place as well as the support and maintenance that may be needed. The other pitfall is that people make the mistake of thinking that just because the software is open-source and there will not be any licence cost then this will be a better option because its free. In reality you still have to look at the bigger pictures of the costs involved in putting it in place as you may need a professional who knows how to deploy the software as well as make the necessary modifications as mentioned in the about advantages and disadvantages. Other cost may also including maintenance cost and if the stuff are not fully knowledgeable then it might cost the company more in future in terms of money and time to correct this mistake of putting a working system back in place that the networking team can operate. Another mistake is that just because members of stuff have access to the open source code then they can handles all supporting issues.

So after all this then which licence do we go for? Well depending on the experience we may have in terms of administration stuff and of course the budget, these are the main things that play a great role in choosing between a commercial licence and open source of Kerberos. If you were a software vendor then going for an open source licence would be ideal as you have the extensive programming background and are able to fulfil the costs in further developments and additional functionality to Kerberos but where you are a small to medium company from all the issues covered above then it would be suited to go for a commercial licence as the cost can also be scaled down to what is required and needed and then integrated with a current system. Also because commercial licence would relieve you of needing to get into the source code, which if incorrectly modified may bring the whole of your network to a halt and cost more to call outside help to rectify the problem. The decision is fairly open so as long as either option fulfils the system requirements for your authentication system then it pays to weigh up the options of both licences including the costs of obtaining the licence and if there isn’t any then also looking at deployment cost and future cost in updates.

The Future – Far and Beyond

After reviewing the way Kerberos works and its popular integration into the IT market and various well-known products its now clear that choosing such a product cannot be easy. There are various things to weigh up that might affect how a network functions and any background knowledge that may be needed to aid in a fully functional system with little downtime. Due to the topic being discussed this is not a product that can be easily tested and reviewed as it’s a built into functions across many products that most of us use today like gaming consoles such as the Xbox when playing with other user across the network that may span the Atlantic as well as through the use of Windows as it uses Kerberos as a default authentication protocol that is built in. When we are using many Internet accounts we may not even realise it but in most cases we may be using the Kerberos authentication protocol such as when we as signing in online using the single sign service such as Microsoft Passport. Another hardware device that we may be using Kerberos are Cisco Routers and Switches as we blindingly log on to computer networks that use these we may also be using the authentication methods discussed here as these companies use the open source licence as previously said not only for the benefits it offers but because they can put in the research to make it work for them and for the products they put on the market. This goes on to show that the people who use this protocol ranges from the single users at home to the very powerful companies out there.

According to the author of No-Comprise Route to Open Source (Bottomley, Dr James, 2006, p26-27), the risks in an open source software deployment are similar in nature to those of closed source stack. The only additional risks are either inherent in the commodity nature of the hardware for the open environment such as application profusion and lack of integration testing. Hopefully it can be seen that making such a decision as choosing between open source and commercial licence cannot just depend on whether the software is free as there are other factors involved other than choosing it on that basis alone may cost more in the long run as mentioned above.

At the start of this discussion we asked why these things that seem so transparent and unimportant to the user but play such an important part in authentication systems. Also what role they played in terms of network security? It has been shown that authentication is such an important element to network security and it adds to piece of mind in that we are protected on our networks by making sure that only those authorised to use the system are authenticated. This is why authorisation is also entwined with authentication. Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secure resources controlled by the system. Authentication and authorization (Duke University, n.d) are somewhat tightly coupled mechanisms. Authorization systems depend on secure authentication systems to ensure that users are who they claim to be and thus prevent unauthorized users from gaining access to secured resources.

From the level of detail given about Kerberos its should also be highlighted that when choosing an authentication system or any other system for that matter its interoperability with what’s already in place is important as this with also determines on whether you implement that system. This is one of the reasons why getting a commercial licence may be better as these also offer enhancements and improvements on the systems. For instance in our discussion of the Kerberos protocol, it uses strong cryptography methods so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business. If you were to go for a commercial licence such as the Microsoft software you would also benefit from their advancements because rather than Kerberos' usual password-hash-based secret key, Microsoft (Lab Mice, 2003) chose to add its own extensions, which makes its implementation of Kerberos slightly non-standard, but still allows for authentication with other networks that use Kerberos. Software producers or vendors are not called professionals for nothing so when choosing between a system that allows you to modify it and one that does not as discussed, you should take this on board because unless you know what you are doing its best to get the professionals in.

Reference list

Bellovin, Steven M and Merritt, Michael. (2007). Limitations Of The Kerberos Authentication System. Retrieved November 11th, 2007, from http://66.102.9.104/search?q=cache:C17xgq2CD1sJ:ftp://ftp.pdc.kth.se/pub/krb/doc/kerblimit.usenix.ps+HOW+TO+designing+an+authentication+system&hl=en&ct=clnk&cd=18&gl=uk
Bottomley, Dr James. (2006, January). No Comprimise Route To Open Source.The IEE
Broersma, Matthew. (2007). Kerberos Suffers Critical Hole. Retrieved November 11th, 2007, from http://www.techworld.com/security/news/index.cfm?newsid=2159
CyberSafe. (2006).CyberSafe & Microsoft Operating Systems. Retrieved November 11th, 2007, from http://www.cybersafe.ltd.uk/menu_news/news_cybersafe_and_microsoft.htm
CyberSafe. (2006). TrustBroker Security Server. Retrieved November 11th, 2007, from http://www.cybersafe.ltd.uk/menu_prodsolserv/products/products_security_server.htm
Duke University. (n.d). Authentication vs. Authorization. Retrieved November 11th, 2007, from http://www.duke.edu/~rob/kerberos/authvauth.html
FCW. (2005). 5 Common Mistakes In Using Open-Source Software. Retrieved November 11th, 2007, from http://www.fcw.com/print/11_35/news/90647-1.html
FCW (2005). 5 Stars Of Open-Source Products. Retrieved November 11th, 2007, from http://www.fcw.com/print/11_38/news/90919-1.html
Lab Mice. (2003). Kerberos. Retrieved November 11th, 2007, from http://labmice.techtarget.com/security/kerberos.htm
Learn Networking. (n.d a ). How Kerberos Authentication Works. Retrieved November 11th, 2007, from http://www.learn-networking.com/security-basics/how-kerberos-authentication-works.php
Learn Networking. (n.d b). How Kerberos Authentication Works. Retrieved November 11th, 2007, from http://www.learn-networking.com/security-basics/how-kerberos-authentication-works.php
MIT. (2007). Kerberos: The Network Authentication Protocol? Retrieved November 11th, 2007, from http://web.mit.edu/Kerberos/#what_is
Oak Ridge National Laboratory. (n.d). Commercial Implementations Of Kerberos. Retrieved November 11th, 2007, from http://www.ornl.gov/~jar/commerce.htm
O’brien, Will. (2007). Defcon 15: Exploiting Authentication Systems. Retrieved November 11th, 2007, from http://www.hackaday.com/2007/08/04/defcon-15-exploiting-authentication-systems/
Roe Ashley. (2007). Hacker At The Door. Retrieved November 11th, 2007, from http://securitysolutions.com/cards_readers/security_hacker_defcon_convention/
Search Security (2007). Advanced Encryption Standard. Retrieved November 11th, 2007, from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci344759,00.html
Ware, Karl (UK) Limited. (2002). Biometrics And Strong Authentication. USA: McGraw-Hill Osborne [Electronic Version]. Retrieved November 11th, 2007, from http://site.ebrary.com/lib/portsmouth/Doc?id=10153048&ppg=33
Wikipedia. (n.d a). Kerberos Protocol. Retrieved November 11th, 2007, from http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
Wikipedia. (n.d b). Symmetric-Key Algorithm. Retrieved. November 11th, 2007, from http://en.wikipedia.org/wiki/Symmetric_key_cryptography
Wikipedia.(n.d c). Triple DES. Retrieved November 11th, 2007, from http://en.wikipedia.org/wiki/Triple_DES
Wikipedia. (n.d d). Authentication Factor. Retrieved November 11th, 2007, from http://en.wikipedia.org/wiki/Authentication_factor