Kerberos

From MgmtWiki

Full Title or Meme

Developed at MIT in the 1980s for Project Athena as a campus-wide Single Sign-On solution based on the issuance of user tickets. Kerberos version 5, the one in use today, was standardised in RFC 1510 (1993) and is now specified by RFC 4120.

Context

Kerberos is a network authentication protocol designed to allow secure identity verification between entities over an insecure network, like the internet, without transmitting passwords.

Kerberos uses symmetric key cryptography and a trusted third party, the Key Distribution Center (KDC), to authenticate users and services.

Actors

Client – The user or device requesting access.

Server – The resource or service the client wants to access.

Key Distribution Center (KDC) – Composed of:

Authentication Server (AS) – Verifies user credentials.

Ticket Granting Server (TGS) – Issues access tickets.

Step-by-Step Flow

Login & AS Request The client logs in and requests an authentication ticket from the AS. This message (AS-REQ) carries the client's principal name but never the password; in Kerberos 5 the client normally also pre-authenticates by sending a current timestamp encrypted under the key derived from its password, which proves knowledge of the password without revealing it.

AS Response → TGT Issued The AS checks the pre-authentication data using the shared secret it holds for the user (a key derived from the password) and, if valid, sends back:

A Ticket Granting Ticket (TGT), encrypted with the TGS's own key (the krbtgt principal's key), so the client can carry it but neither read nor alter it.

A session key for talking to the TGS, encrypted with the user's long-term key (so only the user can decrypt it).

Requesting Access via TGS To access a specific service, the client sends the TGT to the TGS together with an authenticator (the client name and a fresh timestamp, encrypted under the TGT session key) and names the service it wants.

TGS Response → Service Ticket Issued The TGS decrypts the TGT with its own key, checks that the authenticator was made with the session key inside it and is fresh, and sends back:

A service ticket, encrypted with the service server's key, containing the client name, a new session key and an expiry time.

The same session key for secure communication with the service, encrypted under the TGT session key so the client can read it.

Accessing the Service The client presents the service ticket to the target server together with a fresh authenticator encrypted under the service session key. The server decrypts the ticket with its own key, checks that the authenticator matches the client named in the ticket and is within the allowed clock skew (and not a replay), and grants access. If the client asked for mutual authentication, the server replies with the authenticator's timestamp encrypted under the session key, which only a holder of the service key could have produced.
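The five steps above, carried through end to end as an added example (not code from the original page, and not MIT's or any other Kerberos implementation). It runs on the Python standard library only, so the cipher is a toy encrypt-then-MAC built from HMAC-SHA256 standing in for the AES-based encryption types real Kerberos uses; the realm EXAMPLE.COM, the principals alice and host/fileserver, the 8-hour ticket life and the 300-second clock skew are all assumptions chosen for the demo. What it shows beyond the prose: the password never leaves the client, a wrong password fails at the AS step, the KDC and the service each unwrap only the ticket encrypted for them, an expired ticket is refused, and the AP-REP gives the client mutual authentication.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag). It stands in
# for Kerberos' AES etypes; the protocol logic around it is the point, not this cipher.
def _keystream(key, nonce, n):
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag and decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(principal, password, realm="EXAMPLE.COM"):
    """Password-derived key (real AES etypes also use PBKDF2 with realm+principal as salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

SKEW = 300  # assumed tolerated clock skew in seconds

class KDC:
    """Authentication Server and Ticket Granting Server in one object."""
    def __init__(self, keys, ticket_life=8 * 3600):
        self.keys, self.life = keys, ticket_life       # principal -> long-term key
        self.krbtgt = os.urandom(32)                   # the TGS's own key

    def as_exchange(self, client, preauth, now):
        # Step 1/2: AS-REQ carries a name and a sealed timestamp, never the password.
        if client not in self.keys:
            raise ValueError("unknown principal")
        ts = unseal(self.keys[client], preauth)["ts"]  # wrong password -> ValueError here
        if abs(now - ts) > SKEW:
            raise ValueError("pre-authentication timestamp outside skew")
        sk, exp = os.urandom(32), now + self.life
        tgt = seal(self.krbtgt, {"client": client, "sk": sk.hex(), "exp": exp})
        return tgt, seal(self.keys[client], {"sk": sk.hex(), "exp": exp})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # Step 3/4: only the KDC can open the TGT; the authenticator proves the session key.
        t = unseal(self.krbtgt, tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        auth = unseal(sk, authenticator)
        if auth["client"] != t["client"] or abs(now - auth["ts"]) > SKEW:
            raise ValueError("authenticator mismatch or stale")
        if service not in self.keys:
            raise ValueError("unknown service")
        ssk, exp = os.urandom(32), min(t["exp"], now + self.life)
        ticket = seal(self.keys[service], {"client": t["client"], "sk": ssk.hex(), "exp": exp})
        return ticket, seal(sk, {"sk": ssk.hex(), "service": service})

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()   # seen = replay cache

    def ap_exchange(self, ticket, authenticator, now):
        # Step 5: only this service can open its ticket; AP-REP gives mutual authentication.
        t = unseal(self.key, ticket)
        if now > t["exp"]:
            raise ValueError("service ticket expired")
        sk = bytes.fromhex(t["sk"])
        auth = unseal(sk, authenticator)
        if auth["client"] != t["client"] or abs(now - auth["ts"]) > SKEW:
            raise ValueError("authenticator mismatch or stale")
        if (auth["client"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return t["client"], seal(sk, {"ts": auth["ts"]})

def client_login(kdc, service, user, password, now, use_at):
    """Client side of the whole flow; tickets fetched at `now`, service used at `use_at`."""
    k = long_term_key(user, password)
    tgt, enc = kdc.as_exchange(user, seal(k, {"ts": now}), now)
    sk = bytes.fromhex(unseal(k, enc)["sk"])           # only the real user recovers this
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": now}), service.name, now)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    who, ap_rep = service.ap_exchange(ticket, seal(ssk, {"client": user, "ts": use_at}), use_at)
    if unseal(ssk, ap_rep)["ts"] != use_at:            # server proved it holds the service key
        raise ValueError("server failed mutual authentication")
    return who

def demo(password="correct horse battery", now=1_700_000_000, use_at=None):
    """Constructed realm: one user, one service; returns the principal the service accepted."""
    keys = {"alice": long_term_key("alice", "correct horse battery"),
            "host/fileserver": os.urandom(32)}          # service keys are random, not passwords
    kdc, svc = KDC(keys), Service("host/fileserver", keys["host/fileserver"])
    return client_login(kdc, svc, "alice", password, now, now if use_at is None else use_at)

def rejects(**kw):
    """True when the flow is refused with a ValueError (wrong password, expired ticket, ...)."""
    try:
        demo(**kw)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(demo(), rejects(password="wrong"), rejects(use_at=1_700_000_000 + 9 * 3600))
```

Note that every check in `unseal` is an integrity check as well as a decryption: a ticket altered in transit fails the tag and is refused before any field is read, which is what lets the client carry the TGT and service ticket without being trusted with their contents.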

Why It's Effective

No cleartext passwords on the wire.

Tickets have a bounded lifetime, so an intercepted ticket is useful only until it expires; authenticators carry timestamps, so a captured exchange cannot simply be replayed later.

Mutual authentication: the client proves its identity through the ticket and authenticator, and, when it asks for it, the server proves its own by returning the authenticator's timestamp under the session key.
