Updated: July 13, 2020 (November 19, 2001)
Passport and Cross-Domain Kerberos
Passport will use Kerberos to offer single sign-on capabilities to all members of the Passport federation. Kerberos, an authentication protocol originally created at the Massachusetts Institute of Technology, allows users to identify themselves to a network without sending any passwords over the wire and ensures that neither services nor users can be spoofed by someone intercepting the packets. It accomplishes this by exchanging encrypted, time-stamped “tickets” in a two-step process. A user logs on to a Kerberos authentication server and receives an encrypted “ticket-granting ticket” (TGT). The user must present this TGT to a Kerberos “ticket-granting server” (TGS) within a certain time period to get tickets for specific servers on the network (e.g., file servers, print servers).
Users can use a TGT granted by their home organization to get a TGT for a remote organization, as long as the two organizations have a “trust relationship.” Two organizations can establish a direct, peer-to-peer trust relationship by creating shared keys for their TGSs to encrypt and decrypt one another’s tickets. (For links to more detailed explanations of Kerberos, see the “Resources” section in the “Passport Changing from Closed System to Trust Broker” article.)
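The two-hop flow described above (home TGT, cross-realm TGT issued under a shared inter-realm key, then a service ticket in the remote organization) can be modelled in a few lines of Python. This is an added illustration, not code from the article or from Passport; the realm names, keys and the HMAC-based "sealing" are constructed stand-ins, and real Kerberos encrypts tickets rather than merely tagging them.

```python
import hmac, hashlib, json
# Toy "sealing" of a ticket under a symmetric key (HMAC over the JSON body). Real Kerberos
# encrypts the ticket; the tag here only proves which key issued it and that it is unaltered.
def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def open_ticket(key: bytes, ticket: dict, now: float) -> dict:
    """Accept the ticket only if it was sealed under `key` and has not yet expired."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("ticket was not issued under this key (wrong issuer or tampered)")
    payload = json.loads(ticket["body"])
    if now > payload["expires"]:
        raise ValueError("ticket expired")
    return payload

# Constructed keys: each TGS keeps its own; realms A and B additionally share one inter-realm key.
K_TGS_A = b"constructed-tgs-key-realm-A"
K_AB = b"constructed-shared-key-between-A-and-B"
K_FILESRV_B = b"constructed-file-server-key-realm-B"

def authenticate(user: str, now: float, lifetime: float = 600) -> dict:
    """Realm A's authentication server: issue a TGT that only TGS A can open."""
    return seal(K_TGS_A, {"user": user, "realm": "A", "for": "krbtgt/A", "expires": now + lifetime})

def tgs_a_cross_realm(tgt: dict, now: float) -> dict:
    """TGS A: check the home TGT, then issue a cross-realm TGT under the shared key K_AB."""
    p = open_ticket(K_TGS_A, tgt, now)
    return seal(K_AB, {"user": p["user"], "realm": "A", "for": "krbtgt/B", "expires": p["expires"]})

def tgs_b_service_ticket(xtgt: dict, service: str, now: float) -> dict:
    """TGS B: it holds K_AB, so it can open realm A's cross-realm TGT and issue a service ticket."""
    p = open_ticket(K_AB, xtgt, now)
    if p["for"] != "krbtgt/B":
        raise ValueError("not a cross-realm TGT addressed to realm B")
    user = p["user"] + "@" + p["realm"]  # the foreign user keeps its home-realm identity
    return seal(K_FILESRV_B, {"user": user, "for": service, "expires": p["expires"]})

def cross_realm_logon(user: str, now: float) -> str:
    """Whole flow: home TGT -> cross-realm TGT -> service ticket -> the file server in realm B."""
    st = tgs_b_service_ticket(tgs_a_cross_realm(authenticate(user, now), now), "fileserver/B", now)
    return open_ticket(K_FILESRV_B, st, now)["user"]  # the file server opens it with its own key

def accepted(key: bytes, ticket: dict, now: float) -> bool:
    """True if the holder of `key` would accept `ticket` (used to show the rejection cases)."""
    try:
        return bool(open_ticket(key, ticket, now))
    except ValueError:
        return False
```

Note that a home TGT is useless to realm B on its own: only after TGS A re-issues it under the shared key can TGS B read it, which is exactly what the trust relationship buys.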