Kerberos

  • Kerberos uses symmetric encryption and provides mutual authentication of both clients and servers.

  • build by MIT

  • Kerberos has the following components:

  • Principal: Client (user) or service

  • Realm: A logical Kerberos network

  • Ticket: Data that authenticates a principal’s identity Access Control technologies

  • Credentials: a ticket and a service key

  • KDC: Key Distribution Center, which authenticates principals

  • TGS: Ticket Granting Service

  • TGT: Ticket Granting Ticket

  • C/S: Client/Server

Kerberos Operational Steps

  • Alice, wishes to access a printer

    • Kerberos Principal Alice contacts the KDC (Key Distribution Center, which acts as an [[Identity and Authentication ,Authorization, ,Accountability and Auditing(AAAA) and Non-repudiation|authentication]] server), requesting [[Identity and Authentication ,Authorization, ,Accountability and Auditing(AAAA) and Non-repudiation|authentication]]

    • The KDC sends Alice a session key, encrypted with Alice’s secret key.

      • The KDC also sends a TGT (Ticket Granting Ticket), encrypted with the TGS’s secret key

    • Alice decrypts the session key and uses it to request permission to print from the TGS (Ticket Granting Service)

      • Alice cannot decrypt the TGT

        • only the TGS can

    • Seeing Alice has a valid session key (and therefore has proven her identity claim), the TGS sends Alice a C/S session key (second session key) to use to print.

      • The TGS also sends a service ticket, encrypted with the printer’s key

    • Alice connects to the printer.

      • The printer, seeing a valid C/S session key, knows Alice has permission to print, and also knows that Alice is authentic

Kerberos Weaknesses

  • primary weakness of Kerberos is that the KDC stores the keys of all principals

Last updated