
Kerberos: Network Authentication Protocol

Kerberos is a network authentication protocol. Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will. Kerberos performs authentication under these conditions as a trusted third-party authentication service by using conventional cryptography, i.e., shared secret key.

The authentication process proceeds as follows: A client sends a request to the authentication server (AS) requesting "credentials" for a given server. The AS responds with these credentials, encrypted in the client's key. The credentials consist of 1) a "ticket" for the server and 2) a temporary encryption key (often called a "session key"). The client transmits the ticket (which contains the client's identity and a copy of the session key, all encrypted in the server's key) to the server. The session key (now shared by the client and server) is used to authenticate the client, and may optionally be used to authenticate the server. It may also be used to encrypt further communication between the two parties or to exchange a separate sub-session key to be used to encrypt further communication.

The authentication exchanges mentioned above require read-only access to the Kerberos database. Sometimes, however, the entries in the database must be modified, such as when adding new principals or changing a principal's key. This is done using a protocol between a client and a third Kerberos server, the Kerberos Administration Server (KADM). The administration protocol is not described in this document. There is also a protocol for maintaining multiple copies of the Kerberos database, but this can be considered an implementation detail and may vary to support different database technologies.

Protocol Structure

Kerberos messages:

The Authentication Service (AS) Exchange

Message direction      Message type
Client to Kerberos     KRB_AS_REQ
Kerberos to client     KRB_AS_REP or KRB_ERROR

The Client/Server Authentication Exchange

Message direction              Message type
Client to Application server   KRB_AP_REQ
Application server to client   KRB_AP_REP or KRB_ERROR

The Ticket-Granting Service (TGS) Exchange

Message direction      Message type
Client to Kerberos     KRB_TGS_REQ
Kerberos to client     KRB_TGS_REP or KRB_ERROR
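The following model walks through the credential flow described in the overview and the AS and AP exchanges listed in the tables: the AS returns a ticket sealed under the server's key and a session key sealed under the client's key; the client presents the ticket with an authenticator under the session key; the server checks ticket expiry, the name match between ticket and authenticator, and the authenticator's freshness, then proves its own identity by echoing the client's timestamp. This is an added example and not code from the page, from RFC 1510 or from the MIT implementation. The principal names, keys, lifetimes and the stand-in cipher (HMAC-SHA256 keystream plus HMAC tag, using only the Python standard library) are assumptions made for the demo; real Kerberos uses the encryption types negotiated with the KDC, and the TGS exchange is omitted because the overview describes the AS handing out credentials for the target server directly.

```python
"""Toy model of the Kerberos AS and AP exchanges (message flow only).

Constructed demo: the cipher, keys, names and timeouts are stand-ins,
not the algorithms or values of a real Kerberos deployment.
"""
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (assumed)
CLOCK_SKEW = 300             # max authenticator age accepted (assumed)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode (not real Kerberos crypto)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError when the key is wrong or the blob was modified in transit."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed KDC database: principal name -> long-term secret key.
KDC_DB = {
    "alice@EXAMPLE.COM": os.urandom(32),
    "host/app.example.com@EXAMPLE.COM": os.urandom(32),
}


def krb_as_rep(cname: str, sname: str, now: float) -> dict:
    """AS side: the ticket is sealed under the server key, the copy of the
    session key handed to the client is sealed under the client key."""
    session_key = os.urandom(32).hex()
    endtime = now + TICKET_LIFETIME
    ticket = encrypt(KDC_DB[sname], {"cname": cname, "session_key": session_key, "endtime": endtime})
    enc_part = encrypt(KDC_DB[cname], {"sname": sname, "session_key": session_key, "endtime": endtime})
    return {"type": "KRB_AS_REP", "ticket": ticket, "enc_part": enc_part}


def client_ap_req(client_key: bytes, as_rep: dict, cname: str, now: float):
    """Client side: recover the session key, build the authenticator."""
    session_key = bytes.fromhex(decrypt(client_key, as_rep["enc_part"])["session_key"])
    authenticator = encrypt(session_key, {"cname": cname, "ctime": now})
    return {"type": "KRB_AP_REQ", "ticket": as_rep["ticket"], "authenticator": authenticator}, session_key


def server_verify(server_key: bytes, ap_req: dict, now: float):
    """Server side: open the ticket with its own key, then check the authenticator."""
    ticket = decrypt(server_key, ap_req["ticket"])
    if now > ticket["endtime"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(ticket["session_key"])
    auth = decrypt(session_key, ap_req["authenticator"])
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(now - auth["ctime"]) > CLOCK_SKEW:
        raise ValueError("authenticator outside allowed clock skew")
    # Mutual authentication: only a holder of the server key could have
    # obtained the session key, so echoing ctime under it proves the server.
    ap_rep = {"type": "KRB_AP_REP", "enc_part": encrypt(session_key, {"ctime": auth["ctime"]})}
    return ticket["cname"], ap_rep


def run_exchange(now: float, verify_at: float = None, tamper_ticket: bool = False) -> str:
    """Runs AS -> client -> server -> client and reports the outcome as a string."""
    verify_at = now if verify_at is None else verify_at
    cname, sname = "alice@EXAMPLE.COM", "host/app.example.com@EXAMPLE.COM"
    as_rep = krb_as_rep(cname, sname, now)
    ap_req, session_key = client_ap_req(KDC_DB[cname], as_rep, cname, now)
    if tamper_ticket:  # flip one ciphertext byte, as an on-path modification would
        t = bytearray(ap_req["ticket"]); t[20] ^= 1; ap_req["ticket"] = bytes(t)
    try:
        who, ap_rep = server_verify(KDC_DB[sname], ap_req, verify_at)
    except ValueError as e:
        return f"REJECTED: {e}"
    if decrypt(session_key, ap_rep["enc_part"])["ctime"] != now:
        return "REJECTED: server failed mutual authentication"
    return f"OK: {who}"


if __name__ == "__main__":
    print(run_exchange(time.time()))
```

The tampered-ticket and expired-ticket paths show why the server key must never leave the KDC and the service host: integrity of the ticket, and therefore of the client identity the server trusts, rests entirely on that key.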

The KRB_SAFE Exchange

The KRB_PRIV Exchange

The KRB_CRED Exchange

Related protocols: RADIUS, TACACS+

Sponsor Source: Kerberos is defined by MIT

