kerberos

Description

History

based on the earlier Needham–Schroeder symmetric key protocol

Several versions of the protocol exist; versions 1–3 occurred only internally at MIT.

MIT developed Kerberos to protect network services

the Internet Engineering Task Force (IETF) Kerberos working group updated specifications

The KDC issues a ticket-granting ticket which is time stamped and encrypts it using the ticket-granting service's

The client authenticates itself to the Authentication Server which forwards the username to a key distribution center

Encryption and Checksum Specifications

Advanced Encryption Standard (AES) Encryption for Kerberos 5

A new edition of the Kerberos V5 specification "The Kerberos Network Authentication Service

A new edition of the Generic Security Services Application Program Interface

MIT makes an implementation of Kerberos freely available

This is done infrequently, typically at user logon

returns the encrypted result to the user's workstation

Protocol Description

User Client-based Logon

A user enters a username and password on the client machine(s)

The client transforms the password into the key of a symmetric cipher

Client Authentication

client sends a cleartext message of the user ID to the AS requesting services on behalf of the user

AS checks to see if the client is in its database

Once the client receives messages A and B, it attempts to decrypt message A with the secret key generated from the password entered by the user.

Client Service Authorization

When requesting services, the client sends the following messages to the TGS

Message C: Composed of the TGT from message B and the ID of the requested service

Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key

Upon receiving messages C and D, the TGS retrieves message B out of message C

Client Service Request

Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the Service Server (SS)

The SS decrypts the ticket (message E) using its own secret key to retrieve the Client/Server Session Key

client decrypts the confirmation (message H) using the Client/Server Session Key and checks whether the timestamp is correct

server provides the requested services to the client
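The three exchanges outlined above (client to AS, client to TGS, client to service server), as an added example that simulates the message flow in Python. This is not MIT's code or any real Kerberos implementation: the cipher is a stdlib-only toy (HMAC-SHA256 keystream plus an HMAC tag) standing in for the AES encryption types, the realm, principal names, keys and the fixed timestamp are constructed, and real ticket fields such as flags, addresses and the replay cache are omitted. It does show the two checks the outline relies on: a wrong password makes message A undecryptable, and the TGS and service server both verify the authenticator's client ID and timestamp before issuing anything.

```python
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600   # seconds; assumed value for the example
SKEW = 300                   # allowed authenticator clock skew in seconds (assumed)


def password_to_key(password: str, salt: str) -> bytes:
    # "transforms the password into the key of a symmetric cipher";
    # PBKDF2-HMAC-SHA256 stands in for the Kerberos string2key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)


def encrypt(key: bytes, obj) -> bytes:
    # Toy encrypt-then-MAC over a JSON payload with a fresh random nonce.
    nonce = os.urandom(16)
    plain = json.dumps(obj, sort_keys=True).encode()
    ct = bytearray()
    for i in range(0, len(plain), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        ct += bytes(a ^ b for a, b in zip(plain[i:i + 32], block))
    tag = hmac.new(key, b"tag" + nonce + bytes(ct), "sha256").digest()
    return nonce + bytes(ct) + tag


def decrypt(key: bytes, blob: bytes):
    # Raises ValueError when the key is wrong or the message was altered.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    plain = bytearray()
    for i in range(0, len(ct), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        plain += bytes(a ^ b for a, b in zip(ct[i:i + 32], block))
    return json.loads(bytes(plain))


class KDC:
    # AS and TGS in one process. All keys and names are constructed for the example.
    def __init__(self):
        self.realm = "EXAMPLE.ORG"
        self.principals = {"alice": password_to_key("correct horse", self.realm + "alice")}
        self.tgs_key = os.urandom(32)                          # long-term key of the TGS
        self.service_keys = {"host/fileserver": os.urandom(32)}  # long-term key of the SS

    def as_exchange(self, client_id, now):
        if client_id not in self.principals:       # "AS checks to see if the client is in its database"
            raise LookupError("unknown principal")
        k_c_tgs = os.urandom(32)                   # Client/TGS Session Key
        msg_a = encrypt(self.principals[client_id], {"k_c_tgs": k_c_tgs.hex()})
        tgt = {"client": client_id, "k_c_tgs": k_c_tgs.hex(), "expires": now + TICKET_LIFETIME}
        msg_b = encrypt(self.tgs_key, tgt)         # TGT, opaque to the client
        return msg_a, msg_b

    def tgs_exchange(self, msg_c, msg_d, now):
        tgt = decrypt(self.tgs_key, msg_c["tgt"])  # retrieve message B out of message C
        if tgt["expires"] < now:
            raise PermissionError("TGT expired")
        k_c_tgs = bytes.fromhex(tgt["k_c_tgs"])
        auth = decrypt(k_c_tgs, msg_d)             # authenticator, message D
        if auth["client"] != tgt["client"] or abs(auth["ts"] - now) > SKEW:
            raise PermissionError("authenticator rejected")
        k_c_ss = os.urandom(32)                    # Client/Server Session Key
        ticket = {"client": tgt["client"], "k_c_ss": k_c_ss.hex(), "expires": now + TICKET_LIFETIME}
        msg_e = encrypt(self.service_keys[msg_c["service"]], ticket)
        msg_f = encrypt(k_c_tgs, {"k_c_ss": k_c_ss.hex()})
        return msg_e, msg_f


def service_server(ss_key, msg_e, msg_g, now):
    ticket = decrypt(ss_key, msg_e)                # SS decrypts the ticket with its own key
    k_c_ss = bytes.fromhex(ticket["k_c_ss"])
    auth = decrypt(k_c_ss, msg_g)
    if auth["client"] != ticket["client"] or ticket["expires"] < now or abs(auth["ts"] - now) > SKEW:
        raise PermissionError("service authenticator rejected")
    return encrypt(k_c_ss, {"ts": auth["ts"]})     # message H: confirmation to the client


def client_login(kdc, client_id, password, service, now) -> bool:
    k_client = password_to_key(password, kdc.realm + client_id)
    msg_a, msg_b = kdc.as_exchange(client_id, now)
    k_c_tgs = bytes.fromhex(decrypt(k_client, msg_a)["k_c_tgs"])  # fails on a wrong password
    msg_c = {"tgt": msg_b, "service": service}
    msg_d = encrypt(k_c_tgs, {"client": client_id, "ts": now})
    msg_e, msg_f = kdc.tgs_exchange(msg_c, msg_d, now)
    k_c_ss = bytes.fromhex(decrypt(k_c_tgs, msg_f)["k_c_ss"])
    msg_g = encrypt(k_c_ss, {"client": client_id, "ts": now})
    msg_h = service_server(kdc.service_keys[service], msg_e, msg_g, now)
    return decrypt(k_c_ss, msg_h)["ts"] == now     # "checks whether the timestamp is correct"


def attempt_login(kdc, client_id, password, service, now) -> str:
    try:
        return "ok" if client_login(kdc, client_id, password, service, now) else "bad confirmation"
    except ValueError:
        return "wrong password or tampered message"
    except (LookupError, PermissionError) as exc:
        return f"refused: {exc}"
```

A fixed `now` keeps the run deterministic; in a real deployment the authenticator timestamp is compared against the KDC's clock, which is why Kerberos fails when client and server clocks drift by more than the configured skew. Two things this toy leaves out on purpose are the replay cache, which a real service keeps so an authenticator captured within the skew window cannot be presented twice, and pre-authentication, without which the AS hands out message A to anyone who names a valid principal.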