Kerberos

Kerberos
An Introduction

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Overview

Purpose:
- A means of verifying the identities of devices on an unprotected network (i.e., a network in which packets can be read, modified, and inserted at will)
Kerberos Does Not:
- Rely on assertions by the host operating system
- Require trust of host addresses
- Require physical security of all the hosts on the network

History

MIT's Project Athena:
- Version's 1-3 were developed internally
- Version 4 was published in the late 1980s
- Version 5 was released as RFC 1510
- ( A Dialogue in Four Scenes)
About the Name:
- Kerberos/Cerberus is the three-headed dog that guards Hades
Current Specification:
- RFC 4120
- RFC 4121

Participants in the Process

The Client
The Server
The Key Distribution Center (KDC)
- The Authentication Server (AS)
- The Ticket-Granting Server (TGS)

The Process (Simplified)

Client sends a request (AS_REQ) to the AS for "credentials" for a given server
The AS response (AS_REP) contains a TGS session key (encrypted using the client's public key) and a ticket-granting ticket (TGT) (encrypted using the TGS's private key)
The client transmits a service request (TGS_REQ) that includes the TGT to a ticket granting server (encrypted using the TGS session key)
The TGS response (TGS_REP) contains a ticket (encrypted using the server's symmetric key) that can be sent to the server for a particular service
The client sends a service request (AP_REQ) that includes the ticket to the server
The server responds (AP_REP)

Contents of Tickets

Types of Tickets

Shortcomings