Kerberos Authentication: A Quick Explanation
--
Lately, I have been studying network protocols and authentication schemes in my free time. In order to get a deeper grasp of Kerberos, I figured what better method than trying to explain it in a Medium article. While it may not be super in-depth or advanced, I figured this would be a good executive summary or debrief for anyone looking for an easy explanation of the authentication service and how it is used.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Acronyms
- TGT — Ticket Granting Ticket
- TGS — Ticket Granting Service
- KDC — Key Distribution Center
Quick and Easy Explanation
I had quite a difficult time finding a bare-bones, easy to understand explanation of Kerberos Authentication, so I figured I would diagram it out and describe the process.
Authenticating to the environment:
1. Host requests a TGT from the KDC, proving its identity with the user's credentials
2. KDC returns a TGT (encrypted with the TGS's secret key) together with a session key, to the requesting host
3. Client stores the encrypted TGT for later use in the environment
Authenticating to a resource in the environment:
1. Once the user is authenticated in the environment with the TGT from the KDC, the client sends its current TGT to the TGS and requests access to a resource
2. The KDC verifies the TGT and checks whether the user has access to the requested resource.
3. If verified, the TGS sends a session key for the resource back to the client
4. Client uses that session key to access the resource.
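To make the two lists above concrete, here is an added simulation of the whole ticket flow. It is example code written for this summary, not part of the original article and not the MIT implementation: the principals (`alice`, `krbtgt`, `cifs/fileserver`), their passwords and the ten-hour ticket lifetime are constructed, and the `encrypt`/`decrypt` pair is a toy HMAC-based stand-in for a real Kerberos encryption type. It follows the real protocol in one respect the lists gloss over: the TGS reply carries both a session key for the client and a ticket encrypted for the service, and the service (not the client) is what finally accepts that ticket.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 10 * 3600  # seconds (constructed; real lifetimes are KDC policy)
MAX_CLOCK_SKEW = 300         # seconds; authenticators outside this window are rejected


def derive_key(principal: str, password: str) -> bytes:
    # Long-term key of a principal. Kerberos uses a per-etype string-to-key
    # function; PBKDF2-HMAC-SHA256 stands in for it in this simulation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, message: dict) -> bytes:
    # Toy authenticated encryption: HMAC keystream XOR plaintext, then an HMAC tag.
    # Layout: nonce || ciphertext || tag. A stand-in for a Kerberos etype, nothing more.
    plaintext = json.dumps(message).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    # Raises ValueError on a wrong key or a tampered blob, before any plaintext is used.
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


def _check_fresh(timestamp: float) -> None:
    if abs(time.time() - timestamp) > MAX_CLOCK_SKEW:
        raise ValueError("timestamp outside allowed clock skew")


class KDC:
    # Holds every principal's long-term key; 'krbtgt' is the TGS's own key.
    def __init__(self, principals: dict):
        self.keys = {name: derive_key(name, pw) for name, pw in principals.items()}
        self.tgs_key = self.keys["krbtgt"]

    def as_exchange(self, client: str, preauth: bytes):
        # Steps 1-2 of "Authenticating to the environment" (AS-REQ / AS-REP).
        client_key = self.keys[client]
        _check_fresh(decrypt(client_key, preauth)["ts"])  # pre-auth: client proves it knows its key
        session = os.urandom(32).hex()
        tgt = encrypt(self.tgs_key, {"client": client, "session": session,
                                     "expires": time.time() + TICKET_LIFETIME})
        return tgt, encrypt(client_key, {"session": session})  # the TGT stays opaque to the client

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str):
        # Steps 1-3 of "Authenticating to a resource" (TGS-REQ / TGS-REP).
        tgt = decrypt(self.tgs_key, tgt_blob)  # only the TGS can open (and therefore verify) a TGT
        if tgt["expires"] < time.time():
            raise ValueError("TGT expired")
        tgt_session = bytes.fromhex(tgt["session"])
        auth = decrypt(tgt_session, authenticator)  # holder must also know the TGT session key
        _check_fresh(auth["ts"])
        if auth["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        service_ticket = encrypt(self.keys[service], {"client": tgt["client"], "session": svc_session,
                                                      "expires": time.time() + TICKET_LIFETIME})
        return service_ticket, encrypt(tgt_session, {"service": service, "session": svc_session})


def client_login(kdc: KDC, name: str, password: str) -> dict:
    # Client side of the AS exchange; the returned dict is the stored TGT of step 3.
    key = derive_key(name, password)
    tgt, reply = kdc.as_exchange(name, encrypt(key, {"ts": time.time()}))
    return {"name": name, "tgt": tgt, "tgt_session": bytes.fromhex(decrypt(key, reply)["session"])}


def client_get_service_ticket(kdc: KDC, creds: dict, service: str):
    # Client side of the TGS exchange: present the stored TGT plus a fresh authenticator.
    authenticator = encrypt(creds["tgt_session"], {"client": creds["name"], "ts": time.time()})
    service_ticket, reply = kdc.tgs_exchange(creds["tgt"], authenticator, service)
    return service_ticket, bytes.fromhex(decrypt(creds["tgt_session"], reply)["session"])


def service_accept(service_key: bytes, service_ticket: bytes, authenticator: bytes) -> str:
    # Step 4 at the resource: the service opens the ticket with its own key and
    # checks that the presenter holds the session key inside it.
    ticket = decrypt(service_key, service_ticket)
    if ticket["expires"] < time.time():
        raise ValueError("service ticket expired")
    auth = decrypt(bytes.fromhex(ticket["session"]), authenticator)
    _check_fresh(auth["ts"])
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match service ticket")
    return ticket["client"]


def demo(password: str = "alice-pw") -> str:
    # Full flow with constructed principals; returns the name the file server authenticated.
    kdc = KDC({"krbtgt": "tgs-secret", "alice": "alice-pw", "cifs/fileserver": "svc-secret"})
    creds = client_login(kdc, "alice", password)  # a wrong password fails here (ValueError)
    service_ticket, svc_session = client_get_service_ticket(kdc, creds, "cifs/fileserver")
    ap_req = encrypt(svc_session, {"client": "alice", "ts": time.time()})
    return service_accept(kdc.keys["cifs/fileserver"], service_ticket, ap_req)
```

Calling `demo()` returns `"alice"`; calling `demo("wrong-password")` raises `ValueError` inside the AS exchange, because the pre-authentication timestamp was encrypted under a key the KDC does not hold. Two details worth noticing: the client never sees the contents of either ticket (both are encrypted for a key only the TGS or the service has), and each hop carries a timestamped authenticator so a captured ticket cannot simply be replayed later. In this simulation the service only establishes who the caller is; as in the real protocol, whether that user is allowed to read a given share is the service's own decision.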
Everything in this article is subject to edits and corrections if I find out I did something incorrectly. :)
Kerberos was created by a brilliant team over at MIT. Here’s the link: