
Kerberos: Network Authentication Protocol

Kerberos is a network authentication protocol. Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will. Kerberos performs authentication under these conditions as a trusted third-party authentication service by using conventional cryptography, i.e., shared secret key.  

The authentication process proceeds as follows: A client sends a request to the authentication server (AS) requesting "credentials" for a given server. The AS responds with these credentials, encrypted in the client's key. The credentials consist of 1) a "ticket" for the server and 2) a temporary encryption key (often called a "session key"). The client transmits the ticket (which contains the client's identity and a copy of the session key, all encrypted in the server's key) to the server. The session key (now shared by the client and server) is used to authenticate the client, and may optionally be used to authenticate the server. It may also be used to encrypt further communication between the two parties or to exchange a separate sub-session key to be used to encrypt further communication.

The authentication exchanges mentioned above require read-only access to the Kerberos database. Sometimes, however, the entries in the database must be modified, such as when adding new principals or changing a principal's key. This is done using a protocol between a client and a third Kerberos server, the Kerberos Administration Server (KADM). The administration protocol is not described in this document. There is also a protocol for maintaining multiple copies of the Kerberos database, but this can be considered an implementation detail and may vary to support different database technologies.

Protocol Structure - Kerberos: Network Authentication Protocol

  Bit offset:   8          16          32               Variable
  Field:        Version    Reserved    Packet Length    TPDU
                Message Length

Kerberos messages:

The Authentication Service (AS) Exchange

  Message direction          Message type
  1. Client to Kerberos      KRB_AS_REQ
  2. Kerberos to client      KRB_AS_REP or KRB_ERROR

The Client/Server Authentication Exchange

  Message direction                Message type
  1. Client to application server  KRB_AP_REQ
  2. Application server to client  KRB_AP_REP or KRB_ERROR

The Ticket-Granting Service (TGS) Exchange

  Message direction          Message type
  1. Client to Kerberos      KRB_TGS_REQ
  2. Kerberos to client      KRB_TGS_REP or KRB_ERROR
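The following simulation, added here as an illustration and not code from the page or from MIT Kerberos, walks through the AS and client/server (AP) exchanges described above using the message names from the tables: the KDC issues a ticket encrypted in the server's long-term key together with a part encrypted in the client's key, the client presents the ticket with an authenticator, and the server verifies both and optionally answers with KRB_AP_REP for mutual authentication. Everything in it is constructed: the principal names and keys, the JSON message layout, and a toy encrypt-then-MAC cipher built from HMAC-SHA256 that stands in for real Kerberos encryption types. The error names follow RFC 1510 but the numeric codes, ASN.1 encoding, realm handling, TGS exchange and the server-side replay cache that a real implementation needs are left out.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption (HMAC-SHA256 keystream in counter mode, then an
# HMAC tag over nonce||ciphertext). A stand-in for Kerberos enctypes, not one of them.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")   # wrong key or modified message
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC database: long-term (shared secret) keys of a client and a service.
KDC_DB = {"alice@EXAMPLE.COM": os.urandom(32),
          "host/srv.example.com@EXAMPLE.COM": os.urandom(32)}
CLOCK_SKEW = 300     # seconds of authenticator timestamp drift the server tolerates
TICKET_LIFE = 3600   # constructed ticket lifetime in seconds

def kdc_as_exchange(req):
    """KRB_AS_REQ -> KRB_AS_REP: a ticket (encrypted in the server key) plus the
    session key and the client's nonce (encrypted in the client key)."""
    cname, sname, nonce = req["cname"], req["sname"], req["nonce"]
    if cname not in KDC_DB or sname not in KDC_DB:
        return {"msg": "KRB_ERROR", "error": "unknown principal"}
    session_key, now = os.urandom(32), int(time.time())
    ticket = encrypt(KDC_DB[sname], {"cname": cname, "key": session_key.hex(),
                                     "endtime": now + TICKET_LIFE})
    enc_part = encrypt(KDC_DB[cname], {"key": session_key.hex(), "nonce": nonce,
                                       "sname": sname, "endtime": now + TICKET_LIFE})
    return {"msg": "KRB_AS_REP", "ticket": ticket.hex(), "enc_part": enc_part.hex()}

def client_get_credentials(cname, client_key, sname):
    """Client side of the AS exchange; the nonce binds the reply to this request."""
    nonce = os.urandom(8).hex()
    rep = kdc_as_exchange({"msg": "KRB_AS_REQ", "cname": cname, "sname": sname, "nonce": nonce})
    if rep["msg"] != "KRB_AS_REP":
        raise RuntimeError(rep["error"])
    part = decrypt(client_key, bytes.fromhex(rep["enc_part"]))   # fails with a wrong client key
    if part["nonce"] != nonce or part["sname"] != sname:
        raise RuntimeError("AS_REP does not match request")
    return bytes.fromhex(rep["ticket"]), bytes.fromhex(part["key"])

def client_ap_req(cname, ticket, session_key, now=None):
    """KRB_AP_REQ: the opaque ticket plus an authenticator under the session key."""
    now = int(time.time()) if now is None else now
    authenticator = encrypt(session_key, {"cname": cname, "ctime": now})
    return {"msg": "KRB_AP_REQ", "ticket": ticket.hex(),
            "authenticator": authenticator.hex(), "mutual": True}

def server_verify_ap_req(server_key, ap_req, now=None):
    """Application server side: unwrap the ticket with its own key, recover the
    session key, check the authenticator, and answer KRB_AP_REP or KRB_ERROR."""
    now = int(time.time()) if now is None else now
    try:
        t = decrypt(server_key, bytes.fromhex(ap_req["ticket"]))
    except ValueError:
        return {"msg": "KRB_ERROR", "error": "KRB_AP_ERR_BAD_INTEGRITY"}
    if t["endtime"] < now:
        return {"msg": "KRB_ERROR", "error": "KRB_AP_ERR_TKT_EXPIRED"}
    session_key = bytes.fromhex(t["key"])
    try:
        auth = decrypt(session_key, bytes.fromhex(ap_req["authenticator"]))
    except ValueError:
        return {"msg": "KRB_ERROR", "error": "KRB_AP_ERR_BAD_INTEGRITY"}
    if auth["cname"] != t["cname"]:          # authenticator must name the ticket's client
        return {"msg": "KRB_ERROR", "error": "KRB_AP_ERR_BADMATCH"}
    if abs(auth["ctime"] - now) > CLOCK_SKEW:
        return {"msg": "KRB_ERROR", "error": "KRB_AP_ERR_SKEW"}
    rep = encrypt(session_key, {"ctime": auth["ctime"]}) if ap_req["mutual"] else None
    return {"msg": "KRB_AP_REP", "cname": t["cname"], "session_key": session_key, "enc_part": rep}

def client_verify_ap_rep(session_key, ap_rep, ctime):
    """Mutual authentication: only a holder of the session key can echo the timestamp."""
    return ap_rep["msg"] == "KRB_AP_REP" and decrypt(session_key, ap_rep["enc_part"])["ctime"] == ctime

def run_demo():
    cname, sname = "alice@EXAMPLE.COM", "host/srv.example.com@EXAMPLE.COM"
    ticket, skey = client_get_credentials(cname, KDC_DB[cname], sname)
    now = int(time.time())
    rep = server_verify_ap_req(KDC_DB[sname], client_ap_req(cname, ticket, skey, now), now)
    return rep["msg"], (client_verify_ap_rep(skey, rep, now) if rep["msg"] == "KRB_AP_REP" else False)

if __name__ == "__main__":
    print(run_demo())
```

Note that the server never sees the client's long-term key and the client never sees the server's: each side only decrypts what was encrypted for it, and the session key they end up sharing exists in the ticket and in the client's AS_REP part only. The timestamp check is what limits reuse of a captured authenticator; RFC 1510 additionally expects the server to keep a replay cache within the skew window, which this simulation omits.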

The KRB_SAFE Exchange

The KRB_PRIV Exchange

The KRB_CRED Exchange

Related Protocols
RADIUS, TACACS+

Sponsor Source

Kerberos is defined by MIT.

Reference

RFC 1510, The Kerberos Network Authentication Service (V5): http://www.javvin.com/protocol/rfc1510.pdf
RFC 1964, The Kerberos Version 5 GSS-API Mechanism: http://www.javvin.com/protocol/rfc1964.pdf
Kerberos: The Network Authentication Protocol (MIT): http://web.mit.edu/kerberos/www/