Kerberos is a protocol for strong authentication in a network environment originally developed as a part of the Project Athena at the Massachusetts Institute of Technology. Neuman and Ts'o give a more complete overview of Kerberos in [NT94]. The detailed and rather lengthy official specification is published as an Internet RFC [KN93].
The core entity in a Kerberos system is the Authentication Server, AS. A principal who wishes to use Kerberos services needs to share a secret key with the AS. The set of principals that are serviced by one authentication server is called a Kerberos realm.
When a client wants to authenticate its identity to some service provider it acquires a set of credentials from the authentication server. In Kerberos terminology, the set of credentials is called a ticket.
Figure 7.2: Basic Kerberos authentication
Figure 7.2 contains a schematic illustration of the Kerberos message exchange. When requesting a ticket, the client presents its own name to the authentication server together with the name of the service to which it wants a ticket. In response, the AS generates a reply that contains two parts, the first part contains information to be used by the client and the second part is the ticket that is to be passed on to the service. The client part is encrypted using the key shared between the AS and the client while the ticket is encrypted using the key shared between the AS and the service. Both the client information and the ticket contain a randomly generated session key for use in communications between the client and the service.
When the client initiates communications with the server, it encrypts the message using the session key obtained from the authentication server. The client also forwards the server ticket. Upon receipt of the ticket and encrypted message, the server decrypts the ticket to learn the identity of the client and to extract the session key. The session key is then used to decrypt the client message. If the server can successfully decipher the client message, it has also established the identity of the client, as the only other entity that has access to the session key is the client to whom the ticket was issued.
Sometimes, the client, too, wants to ascertain the identity of the server. To accomplish this, the client includes a random challenge in the original message. The server proves it is in possession of the session key by returning to the client the challenge encrypted under the session key. As the original client message contains more information than the challenge, the server must possess the session key in order to decrypt the message before the challenge can be extracted.
A Kerberos client is often a system user. The secret key shared between a user and the authentication server is most commonly derived from a pass phrase known by the user. When the secret key is needed, it is generated from the pass phrase. However, it is undesirable to keep the secret key stored in the client for any longer than necessary. It is also inconvenient for the user to have to supply a pass phrase each time a new ticket is needed. To solve these problems, Kerberos uses a special server called the Ticket-granting Server (TGS).
As the name implies, the TGS grants tickets to clients. In order to use the TGS, a client must first obtain a ticket-granting ticket (TGT) for the TGS from the authentication server. However, once the TGT has been obtained, and a session key has been established between the client and the TGS, the client secret key is no longer needed, and can be forgotten. For further ticket requests, the client can use the TGS. The identity of the client is proven to the TGS through possession of the session key.