Kerberos
Full Title or Meme
Released in 1999 by MIT as a campus-wide Single Sign-On (SSO) solution based on the issuance of tickets to users.
Context
Kerberos is a network authentication protocol designed to allow secure identity verification between entities over an insecure network, like the internet, without transmitting passwords.
Kerberos uses symmetric key cryptography and a trusted third party, the Key Distribution Center (KDC), to authenticate users and services.
Actors
- Client – The user or device requesting access.
- Server – The resource or service the client wants to access.
- Key Distribution Center (KDC) – Composed of:
  - Authentication Server (AS) – Verifies user credentials.
  - Ticket Granting Server (TGS) – Issues access tickets.
Step-by-Step Flow
1. Login & AS Request – The client logs in and requests an authentication ticket from the AS. This message includes the user ID but not a password.
2. AS Response → TGT Issued – The AS checks the user's credentials (typically using a shared secret derived from the password) and, if valid, sends back:
   - A Ticket Granting Ticket (TGT), encrypted with the TGS's key.
   - A session key, encrypted with the user's key (so only the user can decrypt it).
3. Requesting Access via TGS – To access a specific service, the client uses the TGT and requests a service ticket from the TGS.
4. TGS Response → Service Ticket Issued – If the TGT is valid, the TGS sends back:
   - A service ticket, encrypted with the service server's key.
   - A session key for secure communication with the service.
5. Accessing the Service – The client presents the service ticket to the target server. The server decrypts it, verifies authenticity, and grants access.
Why It's Effective
- No cleartext passwords on the wire.
- Tickets have a limited lifetime, reducing exposure if intercepted.
- Mutual authentication—both the client and the server confirm each other's identity.
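The five steps above and the three properties just listed, walked through in one runnable simulation. This is an added example, not MIT Kerberos code and not from the wiki: a stand-in authenticated cipher built from the Python standard library (HMAC-SHA256 keystream plus an HMAC tag) takes the place of the real Kerberos encryption types, PBKDF2 takes the place of the real string-to-key function, and the realm, principal names ("alice", "krbtgt", "http/web"), password and lifetimes are constructed. Only the user ID crosses the wire in the AS request; the KDC never sees the password; every ticket carries an expiry; and the service proves itself back to the client by returning the client's own timestamp under the session key.

```python
"""Toy Kerberos AS / TGS / AP exchanges (added example, not MIT Kerberos code)."""
from __future__ import annotations
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.ORG"          # constructed realm name
TICKET_LIFETIME = 8 * 3600     # seconds; constructed policy value
CLOCK_SKEW = 300               # seconds an authenticator timestamp may be off


def string_to_key(password: str, principal: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (salted by principal name).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode; stand-in for the real Kerberos encryption types.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC tag over nonce+ciphertext.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds the AS and TGS roles and the long-term key of every principal."""

    def __init__(self) -> None:
        self.keys = {                                   # constructed KDC database
            "alice": string_to_key("correct horse battery staple", "alice"),
            "krbtgt": os.urandom(32),                   # the TGS's own key
            "http/web": os.urandom(32),                 # a service's key
        }

    def as_exchange(self, user: str) -> tuple[bytes, bytes]:
        # Steps 1-2: request names the user only; reply = TGT (under the TGS key)
        # plus the TGT session key under the user's key.
        sk, now = os.urandom(32), int(time.time())
        tgt = encrypt(self.keys["krbtgt"], {"user": user, "sk": sk.hex(), "exp": now + TICKET_LIFETIME})
        return tgt, encrypt(self.keys[user], {"sk": sk.hex(), "realm": REALM})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple[bytes, bytes]:
        # Steps 3-4: validate the TGT, then issue a service ticket under the service's key.
        t = decrypt(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        a = decrypt(sk, authenticator)  # proves the client holds the TGT session key
        if a["user"] != t["user"] or abs(a["ts"] - time.time()) > CLOCK_SKEW:
            raise PermissionError("authenticator rejected")
        svc_sk, now = os.urandom(32), int(time.time())
        ticket = encrypt(self.keys[service], {"user": t["user"], "sk": svc_sk.hex(), "exp": now + TICKET_LIFETIME})
        return ticket, encrypt(sk, {"sk": svc_sk.hex(), "service": service})


def ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes) -> tuple[str, bytes]:
    # Step 5, service side: open the ticket with the service's own key, check
    # lifetime and authenticator, then echo the client's timestamp (mutual auth).
    t = decrypt(service_key, ticket)
    if t["exp"] < time.time():
        raise PermissionError("service ticket expired")
    sk = bytes.fromhex(t["sk"])
    a = decrypt(sk, authenticator)
    if a["user"] != t["user"] or abs(a["ts"] - time.time()) > CLOCK_SKEW:
        raise PermissionError("authenticator rejected")
    return t["user"], encrypt(sk, {"ts": a["ts"]})


def client_flow(kdc: KDC, user: str, password: str, service: str) -> dict:
    """Client side of all five steps; the password is only ever used locally."""
    tgt, as_reply = kdc.as_exchange(user)
    tgt_sk = bytes.fromhex(decrypt(string_to_key(password, user), as_reply)["sk"])
    ticket, tgs_reply = kdc.tgs_exchange(tgt, encrypt(tgt_sk, {"user": user, "ts": int(time.time())}), service)
    svc_sk = bytes.fromhex(decrypt(tgt_sk, tgs_reply)["sk"])
    ts = int(time.time())
    # The service would read its key from a keytab; here it is taken from the KDC table.
    accepted, ap_reply = ap_exchange(kdc.keys[service], ticket, encrypt(svc_sk, {"user": user, "ts": ts}))
    return {"user": accepted, "mutual_auth": decrypt(svc_sk, ap_reply)["ts"] == ts}


if __name__ == "__main__":
    print(client_flow(KDC(), "alice", "correct horse battery staple", "http/web"))
```

A wrong password fails at the first `decrypt` on the client because the user's derived key cannot open the AS reply, so the KDC is never told whether the password was right; a flipped byte in a ticket fails the HMAC check at whichever server receives it; and a ticket whose `exp` is in the past is refused before its authenticator is even examined.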
Problems
The system works well for students or employees who are already registered members of a community. Other methods, such as OIDC, are required for non-members.
- Agentic Interoperability is Grounded in Containment, Not Control Paul Knowles 2025-12-13
For more than six decades, digital security has relied on a sensible ordering: first authenticate identity, then authorize access. From mainframes to enterprise SSO, from OAuth and SAML to PKI and cloud IAM, systems have assumed that controlling who enters must precede controlling what users and agents can do. Sector after sector reinforced that logic: finance built KYC-first pipelines, healthcare wrapped EHR access in clinician verification, governments created national eID systems, telecom tied networks to subscriber identity, and critical infrastructure rooted operational access in authenticated operator accounts.
- See wiki on AI Containment