Wednesday, November 10, 2021

Kerberos | Kerberos Terminology | Kerberos Working | Characteristics of Kerberos

Kerberos Protocol

What is Kerberos?

Kerberos: Kerberos is a network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

What do the three heads of Kerberos represent?

Kerberos is a three-step security process used for authorization and authentication. The three heads of Kerberos are:

1 - User,

2 - KDC - Key Distribution Centre (security server), and

3 - Services (servers).

Kerberos is a standard feature of Windows software.


Why Kerberos?

Kerberos is an authentication protocol that is used to verify the identity of a user or host. The authentication is based on tickets used as credentials, allowing communication and proving identity in a secure manner even over a non-secure network.


Characteristics of Kerberos

Secure: Kerberos should be strong enough that a potential opponent does not find it to be the weak link.

Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ distributed server architecture, with one system able to back up another.

Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.

Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.


Kerberos Protocol Terminology

Figure : Block Diagram of Kerberos server

Authentication Server (AS): The server that verifies the client's identity and issues the ticket-granting ticket (TGT), which the client then uses to request tickets for individual services.

Client: An entity on the network that can receive a ticket from Kerberos.

Credentials: A temporary set of electronic credentials that verify the identity of a client for a particular service. They are also called a ticket.

Credential cache or ticket file: A file which contains the keys for encrypting communications between a user and various network services.

Crypt hash: A one-way hash used to authenticate users.

Key: Data used when encrypting or decrypting other data.

Key distribution centre (KDC): A service that issues Kerberos tickets and which usually runs on the same host as the ticket-granting server (TGS).

Realm: A network that uses Kerberos composed of one or more servers called KDCs and a potentially large number of clients.

Ticket-granting server (TGS): A server that issues tickets for a desired service which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC.

Ticket-granting ticket (TGT): A special ticket that allows the client to obtain additional tickets without applying for them from the KDC.


Working of Kerberos

Step 1: (Fig 1)

The AS receives the request from the client and verifies the client's identity.

 


Figure : Authentication Service verifies the User ID

Step 2:

Upon verification, a timestamp with the current time is created for the user session, together with an expiration time. The timestamp ensures that once the 8 hours are up, the encryption key is useless.

Step 3: (Fig 2)


Figure : Authentication Service issues TGT

The key is sent back to the client in the form of a TGT.

Step 4: (Fig 3)


Figure : Client submits TGT to TGS

The client submits the TGT to the TGS, to get authenticated.

Step 5: (Fig. 4)


Figure : TGS grants client the service ticket

The TGS creates an encrypted key with a timestamp and grants the client a service ticket.

Step 6:

The client decrypts the ticket and sends an ACK to the TGS.

Step 7: (Fig. 5)


Figure : Service server decrypts the key and checks the timestamp

Client sends its own encrypted key to the service server.

The server decrypts the key and checks whether the timestamp is still valid.

Step 8: (Fig. 6)


Figure : Communication initiated using the secret keys

The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server. Now the client is authenticated until the session expires.
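The eight steps above as an added Python simulation (not code from the original post): a toy AS, TGS and service that seal tickets with a constructed encrypt-then-MAC envelope, so that a TGT, a service ticket and a client authenticator can be followed end to end and the 8-hour expiry check of Step 2 and Step 7 can be exercised. The principal names, the password, the service key and the clock-skew allowance are all constructed assumptions.

```python
import hashlib, hmac, json, os
LIFETIME, SKEW = 8 * 3600, 300   # ticket lifetime (the 8 hours of Step 2) and allowed clock skew, in seconds
KDC_KEY = os.urandom(32)         # long-term key shared by AS and TGS; protects TGTs
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}  # password-derived client key (constructed)
SERVICE_KEYS = {"host/fileserver": os.urandom(32)}                # service's long-term key (constructed)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))[:n]

def seal(key, fields):
    # Toy encrypt-then-MAC envelope standing in for Kerberos' real encryption types
    data, nonce = json.dumps(fields).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _valid(ticket, authenticator, now):
    # Same check at TGS and service: ticket unexpired, authenticator fresh and for the ticket's client
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    return now <= ticket["expires"] and auth["client"] == ticket["client"] and abs(now - auth["ts"]) <= SKEW

def as_exchange(user, now):
    # Steps 1-3: AS looks up the principal (KeyError if unknown) and returns a TGT plus session key under the user's key
    sk = os.urandom(32).hex()
    tgt = seal(KDC_KEY, {"client": user, "key": sk, "expires": now + LIFETIME})
    return seal(USER_KEYS[user], {"key": sk, "tgt": tgt.hex()})

def tgs_exchange(tgt_blob, authenticator, service, now):
    # Steps 4-5: TGS opens the TGT with its own key, checks it, and issues a service ticket
    tgt = unseal(KDC_KEY, tgt_blob)
    if not _valid(tgt, authenticator, now):
        raise PermissionError("TGT expired or authenticator rejected")
    svc = os.urandom(32).hex()
    ticket = seal(SERVICE_KEYS[service], {"client": tgt["client"], "key": svc, "expires": tgt["expires"]})
    return seal(bytes.fromhex(tgt["key"]), {"key": svc, "ticket": ticket.hex()})

def client_session(user, password, service, login_time, access_time):
    # Client side of Steps 1-8; True if the service accepts the ticket when presented at access_time
    ukey = hashlib.sha256(password.encode()).digest()
    rep = unseal(ukey, as_exchange(user, login_time))               # wrong password -> ValueError
    tgs_key, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    rep = unseal(tgs_key, tgs_exchange(tgt, seal(tgs_key, {"client": user, "ts": login_time}), service, login_time))
    svc_key, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    # Step 7: the service decrypts the ticket with its own long-term key and checks the timestamp
    return _valid(unseal(SERVICE_KEYS[service], ticket), seal(svc_key, {"client": user, "ts": access_time}), access_time)
```

A ticket obtained at login and presented an hour later is accepted; the same ticket presented nine hours later is refused by the service without any KDC involvement, which is the property the timestamp in Step 2 buys.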


Is Kerberos symmetric or asymmetric?

Kerberos is capable of both symmetric and asymmetric cryptography.


Is Kerberos safe?

Kerberos is more secure than other authentication methods because it does not send plaintext passwords over the network; it uses encrypted tickets instead of passwords.

