Welcome to Bucaro TecHelp!


Kerberos Authentication Protocol

Kerberos is an authentication protocol developed by MIT (Massachusetts Institute of Technology) that allows computers communicating over a non-secure network to prove their identity to one another. It is based on the symmetric Needham-Schroeder protocol. Kerberos provides mutual authentication: both the client and the server verify each other's identity.

Kerberos is a suite of free software. It uses symmetric key cryptography, which requires a trusted third party, and may optionally use public-key cryptography during certain phases of authentication. Kerberos uses port 88 by default. Windows 2000 and later use Kerberos as their default authentication method.

Kerberos uses a trusted third party, called a key distribution center (KDC), which consists of two parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). It uses "tickets" which serve to prove the identity of users.

The KDC maintains a database of secret keys; each client or server on the network shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two computers, the KDC generates a session key which they can use to secure their interactions.

The security of the protocol relies heavily on participants maintaining loosely synchronized time and on short-lived assertions of authenticity called Kerberos tickets.

How Kerberos Works

1. The client authenticates itself to the Authentication Server.
2. The client receives a time-stamped ticket from the Authentication Server.
3. The client contacts the Ticket Granting Server (TGS), and using the ticket it demonstrates its identity and asks for a service.
4. If the client is eligible for the service, then the Ticket Granting Server sends another ticket to the client.
5. The client then contacts the Service Server (SS), and using this ticket it proves that it has been approved to receive the service.
6. Communication is then initiated between the client and the Service Server.

The client authenticates to the AS once using a long-term shared secret (e.g. a password) and receives a Ticket to Get Ticket (TGT) from the AS. Later, when the client wants to contact the same SS, it can (re)use this ticket to get additional tickets from the TGS, for the SS, without resorting to using the shared secret. These tickets can be used to prove authentication to the SS.

One problem with Kerberos is that it requires continuous availability of a Kerberos server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms.

Another problem is that Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized. The tickets have a validity period, and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than five minutes apart. In practice, Network Time Protocol daemons are usually used to keep the host clocks synchronized.
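
The six steps and the five-minute clock tolerance described above, as an added Python sketch that is not code from this page or from any Kerberos implementation. The message fields, the principal name alice, the 600-second ticket lifetime and the HMAC-based toy cipher are assumptions for illustration; real Kerberos defines its own encryption types and message formats.

```python
import hashlib, hmac, json, os
MAX_SKEW = 300  # seconds; the five-minute default tolerance mentioned above

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy cipher: HMAC-SHA256 in counter mode as keystream (stand-in for a real enctype).
    ek = _mac(key, b"enc", b"")
    ks = b"".join(_mac(ek, nonce, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # encrypt-then-MAC a JSON message under a shared secret key
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _mac(key, b"mac", nonce + ct)

def unseal(key, blob):  # only a holder of the same key can open (or forge) the message
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

def issue(target_key, reply_key, client, now, life=600):  # KDC side (AS or TGS)
    sk = os.urandom(16).hex()  # fresh session key
    ticket = seal(target_key, {"client": client, "sk": sk, "end": now + life})
    return ticket, seal(reply_key, {"sk": sk})  # the client cannot read the ticket itself

def accept(own_key, ticket, authenticator, now):  # TGS or Service Server side
    t = unseal(own_key, ticket)
    sk = bytes.fromhex(t["sk"])
    a = unseal(sk, authenticator)  # proves the sender knows the session key
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("clock skew too great")
    if now > t["end"]:
        raise ValueError("ticket expired")
    return t["client"], sk

def login_and_use(client_offset=0, service_delay=0, now=1_700_000_000):
    k_client, k_tgs, k_ss = (os.urandom(32) for _ in range(3))  # KDC database (constructed)
    auth = lambda sk, t: seal(sk, {"client": "alice", "ts": t + client_offset})
    tgt, rep = issue(k_tgs, k_client, "alice", now)         # steps 1-2: AS issues the TGT
    sk1 = bytes.fromhex(unseal(k_client, rep)["sk"])        # needs the long-term secret once
    who, sk1_kdc = accept(k_tgs, tgt, auth(sk1, now), now)  # step 3: TGS checks the TGT
    st, rep = issue(k_ss, sk1_kdc, who, now)                # step 4: service ticket
    sk2 = bytes.fromhex(unseal(sk1, rep)["sk"])             # no long-term secret needed here
    later = now + service_delay
    return accept(k_ss, st, auth(sk2, later), later)[0]     # steps 5-6: SS accepts the client
```

Calling `login_and_use(client_offset=400)` fails at the TGS with "clock skew too great", and `login_and_use(service_delay=900)` fails at the Service Server with "ticket expired". The sketch omits the replay cache a real server keeps for authenticators it has already seen.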

Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268