
Kerberos

Just putting up my notes, in case anyone cares.

Kerberos

An authorization system. There are three players in a Kerberos system: the client, the server, and the trusted third party.

Login

a. The user requests access from the Authentication Server (AS).

b. If the user exists, the AS sends a Client/Ticket Granting Server (TGS) Session Key and a Ticket-Granting Ticket (TGT).

(The Session Key is encrypted using the user's hashed password; the TGT is encrypted with the TGS secret key.)

c. The Session Key is decrypted by the user's machine.

We are now authenticated with the Authentication Server.

I need service!

a. We send the TGT, the service ID and an authenticator (Client ID/Timestamp) to the TGS.

  • (The TGT is already encrypted; the authenticator is encrypted with the Client/TGS Session Key.)

b. The TGT is decrypted by the TGS. Using the session key, the TGS decrypts the authenticator.

  • The Client/TGS Session Key is extracted from the TGT.

c. The TGS returns a CST (Client/Server Ticket) and a Client/Server Session Key.

  • The CST holds the client ID, network address, validity period, and the Client/Server Session Key. It is encrypted with the service's secret key.
  • The C/S Session Key is encrypted using the C/TGS Session Key.

d. With these, the client can authenticate itself to the server: it sends the encrypted CST and an Authenticator (client ID and timestamp).

  • The Authenticator is encrypted with the Client/Server Session Key.

e. The server returns the timestamp + 1, encrypted with the C/S Session Key. The client decrypts it and can now use the server.
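The three exchanges in the notes above (login, ticket request, and the final client/server handshake), played out end to end as an added example that is not part of the original notes. The principal names (alice, db/server.example), the client address, the ticket lifetimes and the 5-minute clock skew are all constructed for the demo, and the "encryption" is a stand-in HMAC-SHA256 keystream plus tag rather than a real Kerberos encryption type; the KDC plays both the AS and the TGS, and the demo also plays the server, which is why it can reach the service key.

```python
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300  # seconds of timestamp drift a verifier tolerates (constructed value)

# --- Stand-in symmetric crypto: NOT a Kerberos enctype, constructed for this demo ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce | ciphertext | tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    """Reject anything whose tag does not verify under this key (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: bad key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def user_key(password: str) -> bytes:
    # The "user's hashed password" from the notes; real Kerberos salts and iterates (string-to-key).
    return hashlib.sha256(password.encode()).digest()

def check_authenticator(auth: dict, expected_client: str, ticket_expires: int) -> None:
    """Binding and freshness checks a verifier must make before trusting a ticket."""
    now = int(time.time())
    if auth["client"] != expected_client:
        raise PermissionError("authenticator client does not match ticket")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("authenticator timestamp outside allowed skew")
    if now > ticket_expires:
        raise PermissionError("ticket expired")

# --- The trusted third party: AS and TGS sharing one principal database (constructed) ---
class KDC:
    def __init__(self):
        self.tgs_key = os.urandom(32)
        self.users = {"alice": user_key("hunter2")}            # constructed principal
        self.services = {"db/server.example": os.urandom(32)}  # constructed service

    def as_exchange(self, client: str, addr: str):
        """Login step b: Client/TGS Session Key (under the user key) and TGT (under the TGS key)."""
        if client not in self.users:
            raise KeyError("unknown principal")
        sk, exp = os.urandom(32).hex(), int(time.time()) + 8 * 3600
        tgt = encrypt(self.tgs_key, {"client": client, "addr": addr, "session_key": sk, "expires": exp})
        return tgt, encrypt(self.users[client], {"session_key": sk, "expires": exp})

    def tgs_exchange(self, tgt: bytes, service: str, authenticator: bytes):
        """Service steps b and c: open the TGT, verify the authenticator, issue CST + C/S key."""
        t = decrypt(self.tgs_key, tgt)                 # only the TGS can read the TGT
        sk = bytes.fromhex(t["session_key"])           # session key comes from the TGT, not the client
        auth = decrypt(sk, authenticator)              # proves the client knows the session key
        check_authenticator(auth, t["client"], t["expires"])
        cs_key = os.urandom(32).hex()
        cst = encrypt(self.services[service], {"client": t["client"], "addr": t["addr"],
                                               "expires": int(time.time()) + 3600, "cs_key": cs_key})
        return cst, encrypt(sk, {"cs_key": cs_key})

def service_ap_exchange(service_key: bytes, cst: bytes, authenticator: bytes) -> bytes:
    """Service steps d and e: open the CST with the service key, verify, answer timestamp + 1."""
    ticket = decrypt(service_key, cst)
    cs_key = bytes.fromhex(ticket["cs_key"])
    auth = decrypt(cs_key, authenticator)
    check_authenticator(auth, ticket["client"], ticket["expires"])
    return encrypt(cs_key, {"timestamp": auth["timestamp"] + 1})

def client_login_and_use_service(kdc: KDC, client: str, password: str, service: str) -> bool:
    """Whole flow from the client's side; True only if the server proved it holds the C/S key."""
    addr = "10.0.0.5"  # constructed client address
    tgt, reply = kdc.as_exchange(client, addr)
    # Login step c: a wrong password yields the wrong key, so the reply fails to open (ValueError).
    sk = bytes.fromhex(decrypt(user_key(password), reply)["session_key"])
    cst, cs_reply = kdc.tgs_exchange(tgt, service, encrypt(sk, {"client": client, "timestamp": int(time.time())}))
    cs_key = bytes.fromhex(decrypt(sk, cs_reply)["cs_key"])
    ts = int(time.time())
    server_key = kdc.services[service]  # held by the server; the demo plays both roles
    server_reply = service_ap_exchange(server_key, cst, encrypt(cs_key, {"client": client, "timestamp": ts}))
    return decrypt(cs_key, server_reply)["timestamp"] == ts + 1  # mutual authentication

if __name__ == "__main__":
    kdc = KDC()
    print("mutual auth:", client_login_and_use_service(kdc, "alice", "hunter2", "db/server.example"))
```

Two points the notes imply but do not spell out are visible here: the client never learns the TGS key or the service key (it only forwards opaque tickets), and the TGS takes the session key from inside the TGT rather than trusting anything the client sent in the clear, so a replayed or forged authenticator fails either the tag check or the client/timestamp checks in `check_authenticator`.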