Authentication: Kerberos and SideCar

About Kerberos and SideCar

What is Kerberos?

Kerberos is a security system. It protects access to personal, confidential information on computer networks.

When you request access to Kerberos-protected information, Kerberos verifies that you entered the correct password for your NetID. This is called authentication. After authentication, Kerberos issues you an electronic ticket that gives you admission to restricted information.

Why do services use Kerberos?

Kerberos provides extra security for Cornell's online services that contain personal or confidential data such as grades or salaries. Services that use Kerberos include Just the Facts, Student Jobs/Internships, Cornell's Online Time Card System (COLTS), Faculty Services, and Change Password. See the list of services that use Kerberos.

What is SideCar?

SideCar is a program written at Cornell. It extended Kerberos protection to online services that didn't have Kerberos built in, such as web browsers.

SideCar Update: In December 2008, Cornell will phase out SideCar. This change is being made in conjunction with a migration to Kerberos version 5. The change will not affect the security of Cornell's online services. You won't need to change your computer or your usual practices. Services that use SideCar are making the necessary changes. For more information, see the SideCar FAQ.

Where can I get Kerberos?

• If the computer you are using has Bear Access, then it also has Kerberos. (It's part of Bear Access.)
• If your computer doesn't have Bear Access, download Kerberos. Is is a small program and can be e-mailed or downloaded onto a disk.

How does Kerberos work?

Kerberos works in three steps. When you need to access Cornell online services that use Kerberos:

1. Kerberos authenticates your identity.
2. Kerberos issues you an electronic ticket.
3. Kerberos passes the electronic ticket to online services so you can have access.

When you attempt to use an online service that uses Kerberos, the service asks your computer for a ticket to prove that you're authorized to use the service. The Kerberos program on your computer opens a Kerberos window. You type your NetID and password in the window.

1. Authenticate: The Kerberos program on your computer sends a message to the campus Kerberos server. The message contains encrypted (scrambled) information that can only be decoded if you've entered the correct NetID and password combination.

Note: Kerberos does not send your password across the network.

2. Issue a Ticket: If you've entered the correct NetID and password, the Kerberos server sends an electronic ticket back to your computer.
3. Use a Ticket: The Kerberos program keeps the ticket on your computer and gives it to services that require it. (The ticket contains securely encoded information including your NetID, your password, the network (IP) address of the computer you're using, and the time the ticket was issued.)

More about tickets: how to get them and cancel them.

Where did the name Kerberos come from? In Greek mythology, Kerberos was the three-headed dog who guarded the Gates of Hades. Cerberus is the more familiar Roman form of the same name. You may also have seen it spelled Kerberus or Cerebus.