Kerberos
Definition
Kerberos is a Single Sign On (SSO) authentication protocol built on symmetric-key cryptography and the exchange of tickets: a trusted third party holds every principal's long-term key and issues time-limited tickets that prove a client's identity to a service.
Kerberos is the default authentication protocol of Microsoft Active Directory domains (it replaced NTLM as the domain default starting with Windows 2000).
Goal
The purpose of Kerberos is to authenticate once to the KDC (a central trusted server) and then reuse the resulting ticket to reach any number of services without entering the password again.
Advantage
The user's password is never transmitted over the network: only tickets and session keys encrypted under keys the recipient already holds are exchanged, so neither the network nor the services being accessed ever see the user's long-term key.
Terminologies
TGT (Ticket Granting Ticket) : a ticket, encrypted with the krbtgt account's key, that proves the client has already authenticated; the client presents it to the TGS to request service tickets and cannot read or modify it.
KDC (Key Distribution Center) : the service (a domain controller in Active Directory) that holds the keys of all principals and runs both the AS and the TGS, issuing TGTs and service tickets.
AS (Authentication Service) : the part of the KDC that verifies the client's credentials and issues the TGT.
TGS (Ticket Granting Service) : the part of the KDC that validates a TGT and returns to the client a service ticket for the requested SPN.
SPN (Service Principal Name) : an identifier of the form service/host (for example cifs/fs01.example.local) that ties a service instance to the domain account whose key encrypts that service's tickets; the client names the SPN it wants in its request to the TGS.
Session Key : a short-lived symmetric key generated by the KDC and delivered with every ticket (one with the TGT, for talking to the TGS, and another with each service ticket, for talking to that service); the client receives it encrypted under a key it already holds, and the other party recovers it from inside the ticket.
Kerberos protocol scenario
1- Request TGT (AS-REQ) : The client sends its principal name to the AS together with pre-authentication data (typically a timestamp) encrypted with a key derived from its password.
2- TGT + Session key (AS-REP) : The AS decrypts the pre-authentication data with the client's key; if it verifies, it returns a TGT (encrypted with the krbtgt key, so the client can neither read nor alter it) and a TGS session key encrypted with the client's key.
3- Request Ticket + Auth (TGS-REQ) : The client sends the TGT, the SPN of the service it wants, and an authenticator (its name and a fresh timestamp encrypted with the TGS session key).
4- Ticket + Session key (TGS-REP) : The TGS decrypts the TGT with the krbtgt key, recovers the TGS session key, uses it to check the authenticator, and returns a service ticket (encrypted with the service account's key and containing a new service session key) plus that service session key encrypted with the TGS session key. The TGS makes no authorization decision here: any authenticated principal is issued a ticket for any registered SPN, and access is decided by the service.
5- Request Service + Auth (AP-REQ) : The client sends the service ticket and a new authenticator encrypted with the service session key. The session key itself is never sent in the clear.
6- Server Authentication (AP-REP) : The service decrypts the ticket with its own long-term key, recovers the service session key, verifies the authenticator, and grants or denies access; with mutual authentication it proves its own identity by returning the authenticator's timestamp encrypted with the session key. The service never contacts the KDC during this step.
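The six steps above, modelled end to end as an added example (this is illustrative code written for this page, not the Kerberos implementation of any product). The realm, the principals, their passwords and the SPN cifs/fs01 are constructed; the cipher is a toy (SHA-256 counter keystream plus an HMAC tag) standing in for the real Kerberos encryption types, and pbkdf2 stands in for string-to-key. What it shows is who holds which key: the client only ever uses the key derived from its own password, the KDC alone knows the krbtgt key, and the service only needs its own key and never talks to the KDC.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"  # assumed realm name for this example


def kdf(password: str, salt: str) -> bytes:
    """Long-term key from a password; stands in for the Kerberos string-to-key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, used as a toy keystream."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (keystream XOR + HMAC tag); not a real cipher."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject the blob unless the tag verifies under this key, then decrypt it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key and runs both the AS and the TGS."""

    def __init__(self, principals: dict):
        self.keys = {name: kdf(pw, REALM + name) for name, pw in principals.items()}

    def as_exchange(self, cname: str, preauth: bytes):
        """Steps 1-2 (AS-REQ -> AS-REP): preauth is a timestamp sealed with the user's key."""
        ts = unseal(self.keys[cname], preauth)["ts"]  # ValueError if the password is wrong
        if abs(time.time() - ts) > 300:
            raise ValueError("pre-authentication timestamp outside allowed clock skew")
        sk = os.urandom(32).hex()  # TGS session key
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sk": sk, "exp": time.time() + 36000})
        return tgt, seal(self.keys[cname], {"sk": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """Steps 3-4 (TGS-REQ -> TGS-REP). No authorization decision is made here:
        any authenticated principal gets a ticket for any registered SPN."""
        t = unseal(self.keys["krbtgt"], tgt)  # only the KDC can open a TGT
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        if unseal(sk, authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        ssk = os.urandom(32).hex()  # service session key
        ticket = seal(self.keys[spn], {"cname": t["cname"], "sk": ssk})
        return ticket, seal(sk, {"sk": ssk, "spn": spn})


class Service:
    """A service holding only its own long-term key (its keytab); it never contacts the KDC."""

    def __init__(self, spn: str, key: bytes):
        self.spn, self.key = spn, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes):
        """Steps 5-6 (AP-REQ -> AP-REP): returns the authenticated name and the reply."""
        t = unseal(self.key, ticket)
        ssk = bytes.fromhex(t["sk"])
        a = unseal(ssk, authenticator)
        if a["cname"] != t["cname"]:
            raise ValueError("authenticator does not match ticket")
        return t["cname"], seal(ssk, {"ts": a["ts"]})  # echoed timestamp proves mutual auth


def client_login(kdc: KDC, svc: Service, cname: str, password: str) -> str:
    """Full round trip; the password never leaves this function, only ticket material does."""
    ukey = kdf(password, REALM + cname)
    tgt, enc = kdc.as_exchange(cname, seal(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(ukey, enc)["sk"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"cname": cname, "ts": time.time()}), svc.spn)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    ts = time.time()
    who, ap_rep = svc.ap_exchange(ticket, seal(ssk, {"cname": cname, "ts": ts}))
    if unseal(ssk, ap_rep)["ts"] != ts:
        raise ValueError("service failed mutual authentication")
    return who


def demo(password: str = "correct horse battery") -> str:
    """Constructed principals and passwords; returns the name the service authenticated."""
    kdc = KDC({"krbtgt": "krbtgt-secret", "alice": "correct horse battery", "cifs/fs01": "svc-secret"})
    fs01 = Service("cifs/fs01", kdc.keys["cifs/fs01"])
    return client_login(kdc, fs01, "alice", password)


def demo_rejects(password: str) -> bool:
    """True if the login is refused; a wrong password already fails at pre-authentication."""
    try:
        demo(password)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
```

Running demo() walks alice through all three exchanges and returns "alice" as seen by the service; demo_rejects("wrong") shows the AS refusing the request before any TGT exists, because the pre-authentication blob does not verify under the key the KDC derived from alice's real password.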