
    Kerberos: Network Authentication Protocol

    Kerberos is a network authentication protocol. Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will. Kerberos performs authentication under these conditions as a trusted third-party authentication service by using conventional cryptography, i.e., shared secret key.

    The authentication process proceeds as follows: A client sends a request to the authentication server (AS) requesting "credentials" for a given server. The AS responds with these credentials, encrypted in the client's key. The credentials consist of 1) a "ticket" for the server and 2) a temporary encryption key (often called a "session key"). The client transmits the ticket (which contains the client's identity and a copy of the session key, all encrypted in the server's key) to the server. The session key (now shared by the client and server) is used to authenticate the client, and may optionally be used to authenticate the server. It may also be used to encrypt further communication between the two parties or to exchange a separate sub-session key to be used to encrypt further communication.
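
    The exchange described above, modelled end to end as an added example (this is illustrative code, not MIT Kerberos or RFC 1510 wire format): the AS seals a ticket under the server's long-term key and the session key under the client's key, the client recovers the session key and builds an authenticator, and the server opens the ticket with its own key, checks lifetime and clock skew, and optionally proves itself back with an AP_REP. A small HMAC-SHA256 encrypt-then-MAC construction stands in for Kerberos's encryption types, and the principal names and keys are constructed samples.

```python
import hmac, hashlib, json, os

# Toy authenticated encryption standing in for Kerberos enctypes (constructed for this
# example, not the RFC 1510 crypto): HMAC-SHA256 keystream XOR, then an HMAC tag over it.
def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object under a 32-byte key."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify the tag, then decrypt; a wrong key or a tampered blob fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Kerberos database: long-term keys the AS shares with each principal (constructed sample).
KDB = {"alice": os.urandom(32), "host/fileserver": os.urandom(32)}

def krb_as_rep(client, server, now, life=3600):
    """AS: answer KRB_AS_REQ with (ticket sealed in the server's key, enc-part sealed in the client's key)."""
    skey = os.urandom(32)
    ticket = seal(KDB[server], {"cname": client, "key": skey.hex(), "endtime": now + life})
    return ticket, seal(KDB[client], {"key": skey.hex(), "sname": server, "endtime": now + life})

def krb_ap_req(client_key, ticket, enc_part, now):
    """Client: recover the session key from the enc-part and build KRB_AP_REQ (ticket + authenticator)."""
    skey = bytes.fromhex(open_(client_key, enc_part)["key"])
    return ticket, seal(skey, {"ctime": now}), skey

def krb_ap_verify(server_key, ticket, authenticator, now, skew=300):
    """Server: open the ticket with its own key, then the authenticator with the session key it carries.
    Returns (client principal, KRB_AP_REP) so the client can optionally authenticate the server."""
    t = open_(server_key, ticket)
    if now > t["endtime"]:
        raise ValueError("ticket expired")
    skey = bytes.fromhex(t["key"])
    a = open_(skey, authenticator)
    if abs(now - a["ctime"]) > skew:
        raise ValueError("authenticator outside allowed clock skew")
    return t["cname"], seal(skey, {"ctime": a["ctime"]})  # AP_REP echoes ctime under the session key
```

Note that the client never sees the server's key and the server never sees the client's key; only the AS holds both, which is the trusted-third-party property the text describes.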

    The authentication exchanges mentioned above require read-only access to the Kerberos database. Sometimes, however, the entries in the database must be modified, such as when adding new principals or changing a principal's key. This is done using a protocol between a client and a third Kerberos server, the Kerberos Administration Server (KADM). The administration protocol is not described in this document. There is also a protocol for maintaining multiple copies of the Kerberos database, but this can be considered an implementation detail and may vary to support different database technologies.

    Protocol Structure - Kerberos: Network Authentication Protocol

    Kerberos messages:

    The Authentication Service (AS) Exchange
    Message direction        Message type
    Client to Kerberos       KRB_AS_REQ
    Kerberos to client       KRB_AS_REP or KRB_ERROR

    The Client/Server Authentication Exchange
    Message direction             Message type
    Client to Application server  KRB_AP_REQ
    Application server to client  KRB_AP_REP or KRB_ERROR

    The Ticket-Granting Service (TGS) Exchange
    Message direction        Message type
    Client to Kerberos       KRB_TGS_REQ
    Kerberos to client       KRB_TGS_REP or KRB_ERROR

    The KRB_SAFE Exchange
    The KRB_PRIV Exchange
    The KRB_CRED Exchange

    Related protocols: RADIUS, TACACS+

    Sponsor Source: Kerberos is defined by MIT

    Reference:
    http://www.javvin.com/protocol/rfc1510.pdf: The Kerberos Network Authentication Service (V5)
    http://www.javvin.com/protocol/rfc1964.pdf: The Kerberos Version 5 GSS-API Mechanism
    http://web.mit.edu/kerberos/www/: Kerberos: The Network Authentication Protocol