Kerberos authentication is a means by which one communicating entity on an insecure network can prove its identity to another entity in a secure way.
In a system built on the client-server model, it is difficult to identify the threat posed by network users and by intruders.
The primary goal of the Kerberos authentication system is to prevent passwords from being transmitted over the network in clear text.
Kerberos was created by MIT under a BSD-like license, and the current version is Version 5. It is implemented on various operating systems: Linux, Unix, Windows and macOS.
The Kerberos system is built on a symmetric-key algorithm.
How does the Kerberos system work?
Entities involved:
– User1 on Workstation WS
– Key Distribution Center (KDC)
– Ticket Granting Service (TGS)
– Ticket Granting Ticket (TGT)
Logical Kerberos Database:
User1 : Key1
User2 : Key2
Service1 : Key3
User3 : Key4
Each user's key is derived from that user's password.
Kerberos Communication Flow
1) User1 logs into the network from workstation WS.
2) User1's principal is sent to the Key Distribution Center (KDC).
3) The KDC checks its database for User1 and, if User1 is present, generates a TGT. The TGT is encrypted with Key1, the key derived from User1's password.
4) The KDC sends the TGT to WS.
5) On workstation WS, the key is derived from the password the user entered, and the TGT is decrypted with it. The TGT is session based and expires after its time limit.
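The five-step flow above, as an added Python simulation that is not part of the original article: a constructed KDC database maps principals to keys, the KDC issues a TGT encrypted under the user's key, and the workstation derives the same key from the typed password to decrypt it, so the password itself never crosses the network. PBKDF2 and the SHA-256/HMAC toy cipher are assumptions standing in for the real Kerberos string-to-key functions and encryption types.

```python
import hashlib, hmac, json, os

# Stand-in for Kerberos string-to-key (assumption: PBKDF2 here, not a real Kerberos enctype).
def derive_key(password: str, principal: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

# Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for the real
# Kerberos ciphers; the tag makes a wrong-key decryption fail instead of yielding junk.
def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("ticket does not decrypt with this key")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))

# KDC side. kdc_db is the logical Kerberos database: principal -> key.
def kdc_request_tgt(kdc_db: dict, principal: str, now: float, lifetime: int = 3600):
    # Steps 2-4: only the principal name reaches the KDC; the password never does.
    if principal not in kdc_db:
        return None
    tgt = {"principal": principal, "issued": now, "expires": now + lifetime}
    return encrypt(kdc_db[principal], json.dumps(tgt).encode())  # encrypted with Key1

# Workstation side, steps 1 and 5: derive the key from the typed password, decrypt the TGT.
def workstation_login(kdc_db: dict, principal: str, password: str, now: float) -> dict:
    blob = kdc_request_tgt(kdc_db, principal, now)
    if blob is None:
        raise LookupError(f"{principal} is not in the KDC database")
    return json.loads(decrypt(derive_key(password, principal), blob))

def tgt_is_valid(tgt: dict, now: float) -> bool:
    return tgt["issued"] <= now < tgt["expires"]  # the TGT is session based and expires

def login_outcome(kdc_db: dict, principal: str, password: str, now: float) -> str:
    try:  # ok, bad-password (ValueError from decrypt) or unknown-principal
        workstation_login(kdc_db, principal, password, now)
        return "ok"
    except ValueError:
        return "bad-password"
    except LookupError:
        return "unknown-principal"
```

A wrong password yields a key whose HMAC check fails, so the workstation learns the login failed without the KDC ever having seen the password.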
For a service that runs on the network, the client requests the TGT from the Ticket Granting Service (TGS), which may run on the same server as the KDC.