CECA’s Quick Guide to

Kerberos Authentication Protocol


Introduction – Kerberos is a three-way authentication protocol (client, server and a trusted Kerberos server) first discussed at MIT in the late 70’s. It is named after Cerberus, the mythological dog that guards the gates of the underworld. It secures transactions between a client and a server with a secret-key encryption scheme administered by a dedicated Kerberos server.

Operation – A Kerberos-enabled client starts a session by requesting a set of "tickets" from the Kerberos server. The request is encrypted using a hashed version of the user’s password. If this succeeds, the Kerberos server grants the client a set of "tickets" to be used in establishing secure connections.

In order for a client to make a secure connection to a server, both the server and the client need a new encryption key for that session. The session begins with the client using one of the "tickets" to ask the Kerberos server to set up the secure connection, which eliminates the need to send passwords over the network. The Kerberos server then creates an encryption key and sends it back to the client, along with a server-specific hashed password (which the client cannot decrypt).

The Kerberos server then sends the desired server the new encryption key, the client’s identifying information, and the key’s time to live. The client uses the key to encrypt a timestamp and sends it, together with the server-specific password, to the desired server. If the timestamp is recent (and valid) and the password is correct, the session begins using the shared encryption key. Once a secure session is established, the client and server can renew the encryption key automatically when its time to live is exceeded. All of this happens automatically, so the end user may never know that any encryption took place.
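The exchange described above, as an added Python simulation that is not part of the original guide: a toy stdlib cipher stands in for Kerberos’s real encryption types, every principal name and secret is a constructed sample, and the key-plus-client-information message that the text says the Kerberos server sends to the server is modelled as a sealed "ticket" the client carries (the form real Kerberos uses). The server can only open the ticket with its own key, and it rejects expired tickets and stale timestamps.

```python
import hashlib, hmac, json, os

def derive_key(secret: str) -> bytes:  # toy KDF: password/service secret -> key
    return hashlib.sha256(secret.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:  # SHA-256 keystream
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def encrypt(key: bytes, data: dict) -> bytes:  # toy AEAD: XOR stream + HMAC tag
    nonce, plain = os.urandom(16), json.dumps(data).encode()
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:  # ValueError on wrong key/tampering
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _stream(key, nonce, len(cipher)))))

# Constructed sample principals held by the Kerberos server (KDC).
KDC_USERS = {"alice": derive_key("alice-password")}
KDC_SERVICES = {"telnet/host1": derive_key("service-secret")}
TTL = 300  # seconds a session key stays valid

def kdc_issue(user: str, service: str, now: float) -> bytes:
    """KDC: mint a session key; wrap a copy plus the client's identity and TTL
    under the service's key (the 'ticket'), then wrap both for the client."""
    session_key = os.urandom(32).hex()
    ticket = encrypt(KDC_SERVICES[service],
                     {"user": user, "key": session_key, "expires": now + TTL})
    return encrypt(KDC_USERS[user], {"key": session_key, "ticket": ticket.hex()})

def client_authenticate(password: str, reply: bytes, now: float):
    """Client: unwrap the reply with the password-derived key (fails on a wrong
    password), then encrypt a timestamp with the session key and send it + ticket."""
    grant = decrypt(derive_key(password), reply)
    auth = encrypt(bytes.fromhex(grant["key"]), {"ts": now})
    return bytes.fromhex(grant["ticket"]), auth

def server_accept(service: str, ticket: bytes, auth: bytes, now: float, skew=300) -> str:
    """Server: open the ticket with its own key, check the TTL, then use the
    session key it just learned to check that the timestamp is recent."""
    t = decrypt(KDC_SERVICES[service], ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    if abs(now - decrypt(bytes.fromhex(t["key"]), auth)["ts"]) > skew:
        raise ValueError("stale timestamp, possible replay")
    return t["user"]
```

Passwords never cross the simulated network: the client proves knowledge of its password only by being able to unwrap the reply, and the server learns the session key only from the ticket sealed under its own key.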

Use – Kerberos can be used to encrypt a variety of network sessions. It is used mostly for telnet sessions, but it can also be used for email sessions.