

Kerberos
An Introduction


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu


Overview
  • Purpose:
    • A means of verifying the identities of devices on an unprotected network (i.e., a network in which packets can be read, modified, and inserted at will)
  • Kerberos Does Not:
    • Rely on assertions by the host operating system
    • Require trust of host addresses
    • Require physical security of all the hosts on the network
History
  • MIT's Project Athena:
    • Versions 1-3 were developed internally
    • Version 4 was published in the late 1980s
    • Version 5 was released as RFC 1510
    • (A Dialogue in Four Scenes)
  • About the Name:
    • Kerberos/Cerberus is the three-headed dog that guards Hades
  • Current Specification:
    • RFC 4120
    • RFC 4121
Participants in the Process
  • The Client
  • The Server
  • The Key Distribution Center (KDC)
    • The Authentication Server (AS)
    • The Ticket-Granting Server (TGS)
The Process (Simplified)
  1. Client sends a request (AS_REQ) to the AS for "credentials" for a given server
  2. The AS response (AS_REP) contains a TGS session key (encrypted using the client's public key) and a ticket-granting ticket (TGT) (encrypted using the TGS's private key)
  3. The client transmits a service request (TGS_REQ) that includes the TGT to the ticket-granting server (encrypted using the TGS session key)
  4. The TGS response (TGS_REP) contains a ticket (encrypted using the server's symmetric key) that can be sent to the server for a particular service
  5. The client sends a service request (AP_REQ) that includes the ticket to the server
  6. The server responds (AP_REP)
Contents of Tickets
  • Name of Principal
  • Expiration Time
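Added example, not from the slides: a runnable Python model of the six-message flow listed under "The Process (Simplified)" together with the ticket contents above (principal name and expiration time, plus the session key each ticket carries). Every key is symmetric, as RFC 4120 specifies; the seal/unseal helper is a toy encrypt-then-MAC construction standing in for a real Kerberos encryption type, and the principal names, lifetimes and long-term keys are constructed for the demonstration.

```python
import hashlib, hmac, json, os
def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode: a toy stream cipher, not a Kerberos etype
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]
def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a symmetric key."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    """Verify the tag before decrypting, so a modified or forged ticket is rejected here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))
# Constructed long-term keys held by the KDC; "krbtgt" is the TGS's own key.
KEYS = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "host/fileserver": os.urandom(32)}
def as_exchange(client, now):
    """Steps 1-2: AS_REP = TGS session key under the client's key, plus a TGT under the TGS key."""
    sk = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"principal": client, "expires": now + 600, "key": sk})
    return seal(KEYS[client], {"tgs_key": sk}), tgt
def check_ticket(ticket_key, ticket, authenticator, now):
    """Used by both TGS and server: open the ticket, enforce its expiration time, bind the authenticator."""
    t = unseal(ticket_key, ticket)
    if t["expires"] <= now: raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)  # only the holder of the session key can build this
    if a["principal"] != t["principal"]: raise PermissionError("authenticator does not match ticket")
    return t, a
def tgs_exchange(tgt, authenticator, service, now):
    """Steps 3-4: TGS_REP = service session key under the TGS session key, plus a ticket under the server's key."""
    t, _ = check_ticket(KEYS["krbtgt"], tgt, authenticator, now)
    sk = os.urandom(32).hex()
    ticket = seal(KEYS[service], {"principal": t["principal"], "expires": now + 300, "key": sk})
    return seal(bytes.fromhex(t["key"]), {"svc_key": sk}), ticket
def ap_exchange(service, ticket, authenticator, now):
    """Steps 5-6: the server validates the ticket with its own key alone and never contacts the KDC."""
    t, a = check_ticket(KEYS[service], ticket, authenticator, now)
    return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})  # AP_REP: proves the server knew the session key
def run(now):
    """Drive the full six-message flow for alice -> host/fileserver; True if AP_REP checks out."""
    enc, tgt = as_exchange("alice", now)
    k_tgs = bytes.fromhex(unseal(KEYS["alice"], enc)["tgs_key"])
    enc2, ticket = tgs_exchange(tgt, seal(k_tgs, {"principal": "alice", "ts": now}), "host/fileserver", now)
    k_svc = bytes.fromhex(unseal(k_tgs, enc2)["svc_key"])
    rep = ap_exchange("host/fileserver", ticket, seal(k_svc, {"principal": "alice", "ts": now}), now)
    return unseal(k_svc, rep)["ts"] == now
```

Note that the client never sees inside a ticket: the TGT is opaque to everyone but the TGS, and the service ticket to everyone but the server, which is what lets the server verify the client without trusting the host address or the client's operating system.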
Types of Tickets
  • Initial Ticket (obtained from the AS)
  • Renewable Ticket (can be resubmitted to the KDC for renewal)
  • Forwardable Ticket
Shortcomings
  • Requires a secure central server
  • Has a single point of failure
There's Always More to Learn