The overview of Kerberos is shown and described below:
- The user logs on to the workstation and requests a ticket-granting ticket (TGT) from the host.
- The AS verifies the user's access rights in its database, then creates a ticket-granting ticket and a session key. The result is encrypted with a key derived from the user's password.
- The workstation prompts the user for the password, uses it to decrypt the incoming message, and then sends the ticket and an authenticator (containing the user's name, network address and the current time) to the TGS.
- The TGS decrypts the ticket and the authenticator, verifies the request, and then creates a ticket for the requested server.
- The workstation sends the ticket and an authenticator to the server.
- The server verifies the ticket and, if the authenticator matches, grants access to the service. If mutual authentication is required, the server returns an authenticator.
- The figure shows the above exchange.
Kerberos Authentication Dialogue
- The following message exchanges take place for authentication through Kerberos:
Authentication service exchange to obtain a ticket-granting ticket (TGT)
- This exchange takes place only once per user logon session.
- The user obtains a ticket-granting ticket from the authentication server. This ticket is later sent to the ticket-granting server to obtain service tickets.
C → AS: IDc || IDtgs || TS1
AS → C: E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])
Tickettgs = E(Ktgs, [Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2])
Ticket-granting service exchange to obtain a service-granting ticket
- This exchange takes place once for each type of service.
- Here, the user presents the TGT to the ticket-granting server. The TGS returns a service-granting ticket to the user after proper authentication.
- An authenticator is also included in the message, encrypted under the session key shared by the user and the TGS.
C → TGS: IDv || Tickettgs || Authenticatorc
TGS → C: E(Kc,tgs, [Kc,v || IDv || TS4 || Lifetime4 || Ticketv])
Ticketv = E(Kv, [Kc,v || IDc || ADc || IDv || TS4 || Lifetime4])
Authenticatorc = E(Kc,tgs, [IDc || ADc || TS3])
Client-server authentication exchange to obtain service
- The user sends the service-granting ticket to the application server that provides the needed service.
- The message also contains an authenticator, which proves the sender's identity to the server. The server replies with the timestamp taken from the authenticator (incremented by one), encrypted under the shared session key; this authenticates the server to the user.
C → V: Ticketv || Authenticatorc
V → C: E(Kc,v, [TS5 + 1])
Authenticatorc = E(Kc,v, [IDc || ADc || TS5])
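Added example (not part of these notes): a toy Python simulation of the six messages of the three exchanges above, showing the checks the TGS and V perform on a ticket and its authenticator and the TS5 + 1 reply that authenticates V. E(K, m) is modelled with an HMAC tag rather than real encryption, and all keys, principal names, addresses, timestamps and lifetimes are constructed values.

```python
import hmac, hashlib, json, os
SKEW = 300  # max clock difference (s) a verifier accepts for an authenticator

def E(key, fields):  # toy E(K, m): JSON body + HMAC-SHA256 tag (integrity only, no secrecy)
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()
def D(key, blob):  # toy decrypt: verify the tag under key, return the fields
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(body)
def ticket(server_key, session_key, idc, adc, idsrv, ts, lifetime):
    return E(server_key, {"K": session_key.hex(), "IDc": idc, "ADc": adc,
                          "IDsrv": idsrv, "TS": ts, "Lifetime": lifetime})

def verify(server_key, tkt, authenticator, now):
    """Checks done by the TGS (on the TGT) and by V (on Ticketv); returns (session key, TS)."""
    t = D(server_key, tkt)
    k = bytes.fromhex(t["K"])
    a = D(k, authenticator)  # only the ticket holder knows k, so this proves identity
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]):
        raise ValueError("authenticator does not match ticket")
    if not t["TS"] <= now <= t["TS"] + t["Lifetime"]:
        raise ValueError("ticket expired")
    if abs(now - a["TS"]) > SKEW:
        raise ValueError("stale authenticator (possible replay)")
    return k, a["TS"]

def dialogue(now, auth_ts=None, adc="10.0.0.5"):
    """Runs the AS, TGS and client-server exchanges; True when C has also authenticated V."""
    auth_ts = now if auth_ts is None else auth_ts  # lets a caller replay an old authenticator
    Kc, Ktgs, Kv, Kc_tgs, Kc_v = (os.urandom(16) for _ in range(5))  # constructed keys
    # AS exchange: Kc,tgs and the TGT sealed under the password-derived key Kc
    tgt = ticket(Ktgs, Kc_tgs, "alice", adc, "tgs", now, 28800)
    m2 = D(Kc, E(Kc, {"K": Kc_tgs.hex(), "IDtgs": "tgs", "TS": now, "Lifetime": 28800, "Ticket": tgt.hex()}))
    # TGS exchange: TGT + authenticator under Kc,tgs -> service ticket + Kc,v
    auth3 = E(bytes.fromhex(m2["K"]), {"IDc": "alice", "ADc": adc, "TS": auth_ts})
    k3, _ = verify(Ktgs, bytes.fromhex(m2["Ticket"]), auth3, now)  # TGS side
    tv = ticket(Kv, Kc_v, "alice", adc, "v", now, 600)
    m4 = D(bytes.fromhex(m2["K"]), E(k3, {"K": Kc_v.hex(), "IDv": "v", "TS": now, "Lifetime": 600, "Ticket": tv.hex()}))
    # Client-server exchange; V echoes TS5 + 1 under Kc,v (mutual authentication)
    auth5 = E(bytes.fromhex(m4["K"]), {"IDc": "alice", "ADc": adc, "TS": auth_ts})
    k5, ts5 = verify(Kv, bytes.fromhex(m4["Ticket"]), auth5, now)  # V side
    return D(bytes.fromhex(m4["K"]), E(k5, {"TS": ts5 + 1}))["TS"] == auth_ts + 1

def rejected(now, auth_ts):  # True if a server refuses the run (e.g. a replayed, stale authenticator)
    try:
        return not dialogue(now, auth_ts)
    except ValueError:
        return True
```

A run with an authenticator older than SKEW is refused at the TGS before any service ticket is issued, which is the replay protection the timestamp in the authenticator provides.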
Kerberos Realm
- A Kerberos realm is a set of managed nodes that share the same Kerberos database.
- The Kerberos database resides on the Kerberos master computer system, which should be kept in a physically secure room.
- A read-only copy of the Kerberos database may also reside on other Kerberos computer systems.
- However, all changes to the database must be made on the master computer system, using the Kerberos master password.
- A Kerberos principal is a service or user that is known to the Kerberos system. Each Kerberos principal is identified by its principal name.
- Networks of clients and servers under different administrative organizations constitute different realms.
- For inter-realm communication, the Kerberos servers in the two realms must be authenticated and registered with each other.
- A user wishing to obtain service from a server in another realm obtains a ticket for that server as follows:
C → AS: IDc || IDtgs || TS1
AS → C: E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])
C → TGS: IDtgsrem || Tickettgs || Authenticatorc
TGS → C: E(Kc,tgs, [Kc,tgsrem || IDtgsrem || TS4 || Tickettgsrem])
C → TGSrem: IDvrem || Tickettgsrem || Authenticatorc
TGSrem → C: E(Kc,tgsrem, [Kc,vrem || IDvrem || TS6 || Ticketvrem])
C → Vrem: Ticketvrem || Authenticatorc
where IDtgsrem is the identity of the remote TGS, Tickettgsrem is the TGT for the remote TGS, IDvrem is the identity of the remote server and Ticketvrem is the service-granting ticket for the remote server.