
What is Kerberos, and how does it work?


What is Kerberos?

Kerberos is a network authentication protocol that uses symmetric-key cryptography and a trusted third party to authenticate clients and servers to each other over an untrusted network. It was developed at MIT (Massachusetts Institute of Technology) as part of Project Athena. Version 5, specified in RFC 4120, is the standard; Version 4 is obsolete and should no longer be deployed. Kerberos has been the default authentication protocol in Windows domains since Windows 2000 and Active Directory, and is also standard on Unix-like systems through the MIT Kerberos and Heimdal implementations. Early Kerberos relied on DES, but DES is no longer considered strong: its use in Kerberos was formally deprecated by RFC 6649, and current deployments use the AES encryption types (aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96, RFC 3962). When auditing a realm, check which encryption types are still enabled and disable DES and RC4 (rc4-hmac) wherever anything still negotiates them. There are three primary elements in a Kerberos system:

1. Client: the Kerberos client acting on behalf of a principal (a user, a host, or a service). Every principal has a name and a long-term secret key shared with the KDC; for users, that key is derived from the password.
2. Target server (application server): provides the service the client wants to access and holds its own long-term key, usually in a keytab file.
3. KDC (Key Distribution Center): holds the long-term keys of every principal in the realm and consists of two services, the Authentication Service (AS) and the Ticket-Granting Service (TGS).

How does Kerberos work?

A complete Kerberos authentication involves three exchanges, each a pair of messages in which the sensitive parts are encrypted:

1. Authentication Service (AS) Exchange - When the user logs on, the client sends an AS-REQ to the KDC. With pre-authentication (standard in Kerberos V5) the request carries a timestamp encrypted under the client's long-term key; the KDC can decrypt it only if it holds the same key, which is how the credentials are verified. The KDC then replies (AS-REP) with a Ticket-Granting Ticket (TGT) and a logon session key, the latter encrypted under the client's long-term key. Without pre-authentication the KDC returns the AS-REP to anyone who asks for it, which hands an attacker material for offline password guessing, so pre-authentication should stay required for every account.
2. Ticket-Granting Service (TGS) Exchange - The client sends a TGS-REQ naming the target service, containing the TGT and an authenticator (the client's name and the current time, encrypted with the logon session key). The KDC decrypts the TGT with its own ticket-granting key, checks the authenticator, and returns (TGS-REP) a service ticket for the target server together with a new session key, encrypted with the logon session key.
3. Client-Server (CS) Exchange (the AP exchange in RFC 4120 terms) - The client sends the service ticket and a fresh authenticator encrypted with the new session key (AP-REQ). The target server decrypts the ticket with its own long-term key, recovers the session key, verifies the authenticator, and thereby learns which principal is talking to it. Optionally, for mutual authentication, the server returns the authenticator's timestamp encrypted with the session key (AP-REP), which proves to the client that the server holds the service key.

A session key is shared between exactly two parties: the logon session key between the client and the KDC, and the service session key between the client and the target server. The tickets are how the KDC distributes those session keys. A TGT is encrypted with the long-term key of the ticket-granting service (the krbtgt principal) and a service ticket with the long-term key of the target server, so the client can present a ticket but can neither read nor alter it. The authenticator sent with each ticket proves that the sender holds the session key inside it, and its timestamp, checked against a clock-skew limit (five minutes by default) and a replay cache, is what prevents a captured ticket and authenticator from simply being replayed. Kerberos therefore depends on reasonably synchronized clocks across the realm.
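The three exchanges above, modelled end to end in one process as an added example (this is not code from the original page or from any Kerberos implementation). The realm, the principal names, the password and the KDC database are constructed, and the seal/unseal routine is an HMAC-SHA256 encrypt-then-MAC stand-in for the real aes-cts-hmac encryption types; the message structure, the checks the KDC and the server perform, and the failure cases are the ones described in the text.

```python
"""Toy model of the Kerberos V5 AS, TGS and AP exchanges in one process."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"   # constructed realm
LIFETIME = 600          # ticket lifetime in seconds
SKEW = 300              # permitted clock skew (the Kerberos default is 5 minutes)

def string_to_key(password, principal):
    # Kerberos AES enctypes derive the long-term key from the password with PBKDF2
    # salted by realm + principal; this keeps the salt but simplifies the rest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (REALM + principal).encode(), 4096, 32)

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))

def seal(key, obj):
    """Encrypt-then-MAC stand-in for the real Kerberos encryption profile."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC database: the long-term key of every principal in the realm.
KDC_DB = {
    "alice": string_to_key("correct horse battery", "alice"),
    "krbtgt/" + REALM: os.urandom(32),   # key of the ticket-granting service
    "host/fileserver": os.urandom(32),   # target server's key (also in its keytab)
}
REPLAY_CACHE = set()   # (service key, client, authenticator timestamp) already accepted

def new_ticket(service_key, client, session_key):
    # Only the holder of service_key can read or alter the ticket.
    return seal(service_key, {"client": client, "key": session_key.hex(),
                              "expires": time.time() + LIFETIME})

def new_authenticator(client, session_key):
    return seal(session_key, {"client": client, "timestamp": time.time()})

def verify_ap_req(ticket, service_key, authenticator):
    """Check shared by the TGS and the target server; returns (client, session key, ts)."""
    t = unseal(service_key, ticket)
    if time.time() > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)      # proves the sender holds the session key
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(time.time() - a["timestamp"]) > SKEW:
        raise ValueError("authenticator outside clock skew")
    if (service_key, a["client"], a["timestamp"]) in REPLAY_CACHE:
        raise ValueError("replayed authenticator")
    REPLAY_CACHE.add((service_key, a["client"], a["timestamp"]))
    return t["client"], session_key, a["timestamp"]

# KDC side
def as_exchange(client, pa_enc_timestamp):
    """AS-REQ with pre-authentication -> AS-REP (TGT + logon session key)."""
    client_key = KDC_DB[client]
    ts = unseal(client_key, pa_enc_timestamp)["timestamp"]   # wrong password fails here
    if abs(time.time() - ts) > SKEW:
        raise ValueError("pre-authentication timestamp outside clock skew")
    logon_key = os.urandom(32)
    return new_ticket(KDC_DB["krbtgt/" + REALM], client, logon_key), seal(client_key, {"key": logon_key.hex()})

def tgs_exchange(tgt, authenticator, service):
    """TGS-REQ -> TGS-REP (service ticket + new session key under the logon key)."""
    client, logon_key, _ = verify_ap_req(tgt, KDC_DB["krbtgt/" + REALM], authenticator)
    service_key = os.urandom(32)
    return new_ticket(KDC_DB[service], client, service_key), seal(logon_key, {"service": service, "key": service_key.hex()})

# Target server side
def ap_exchange(ticket, authenticator, keytab_key=KDC_DB["host/fileserver"]):
    """AP-REQ -> AP-REP; echoing the timestamp proves the server holds the service key."""
    client, session_key, ts = verify_ap_req(ticket, keytab_key, authenticator)
    return client, seal(session_key, {"timestamp": ts})

# Client side: the whole logon, returning what the server saw and the AP-REQ that was sent
def client_login(user, password, service="host/fileserver"):
    client_key = string_to_key(password, user)
    tgt, enc = as_exchange(user, seal(client_key, {"timestamp": time.time()}))
    logon_key = bytes.fromhex(unseal(client_key, enc)["key"])
    ticket, enc = tgs_exchange(tgt, new_authenticator(user, logon_key), service)
    session_key = bytes.fromhex(unseal(logon_key, enc)["key"])
    ap_req = (ticket, new_authenticator(user, session_key))
    seen_as, ap_rep = ap_exchange(*ap_req)
    sent_ts = unseal(session_key, ap_req[1])["timestamp"]
    mutual = unseal(session_key, ap_rep)["timestamp"] == sent_ts
    return {"client": seen_as, "mutual_auth": mutual, "ap_req": ap_req}

if __name__ == "__main__":
    print(client_login("alice", "correct horse battery"))
```

Running `client_login` with the right password walks all three exchanges and reports the principal the server authenticated plus the result of mutual authentication. A wrong password fails in `as_exchange`, because the pre-authentication timestamp does not decrypt under the KDC's copy of the key; resending the same AP-REQ fails on the replay cache; and flipping a byte of a ticket fails the integrity check before anything inside it is trusted.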

Besides being comparatively secure, Kerberos's other major advantage is that it lends itself to Single Sign-On (SSO): the TGT and the service tickets are cached on the client for their lifetime, so a user who has logged on once can reach e-mail, file servers, the intranet and other Kerberos-enabled services without entering the password again.

©1994 - 2010 Edusoftmax Inc. All rights reserved.