Kerberos

Kerberos is a protocol that uses Symmetric Cryptography# to provide a Security Service# at the Application Layer#. It authenticates the user so that the user can gain temporary access to internal or remote resources. Two versions of the protocol are in use: Version 4# and Version 5#. Regardless of the version, three components make up the structure Kerberos uses to guard the network: Authentication#, Accounting and Auditing. It has two main server components, the Authentication Server (AS) and the Ticket Granting Server (TGS), which together form the Key Distribution Center (KDC).

There are four requirements for Kerberos. First, it must be secure: an eavesdropper# must not be able to obtain enough information to impersonate a user. Second, it must be highly reliable, with at least one system able to back up another (typically a distributed server architecture), because every service that depends on Kerberos is unavailable whenever Kerberos is. Third, Authentication# should be transparent: the user should not be aware that authentication is taking place beyond the need to enter a password. Last but not least, it should be scalable, capable of supporting large numbers of clients and servers.

Note: Scalability is not only a software problem but also a hardware one. If the server is configured correctly but the system still cannot scale, it is likely that the hardware does not support a large-scale deployment.

Authentication Server (AS)

Upon request, the Authentication Server verifies that the user is a valid principal in the local network (to avoid impersonation#). If so, it sends back two encrypted messages. The first is encrypted with a secret key derived from the user's own password; because that key is only as strong as the password, anyone who captures the reply can test password guesses against it offline (Version 5's pre-authentication option is the usual mitigation):

  • A message containing the session key for the user to talk to the Ticket Granting Server (this is the authentication service exchange), which can only be read by the Authentication Server and the requesting user (encrypted under the long-term secret key shared between the AS and the user).
  • A message containing that same session key together with the user's identity and an expiry time, which can only be read by the Authentication Server and the Ticket Granting Server (encrypted under the long-term secret key shared between the AS and the TGS). 1

Note: Each server's long-term secret key is shared with the AS in advance, either distributed physically or over some other secure channel.

Ticket Granting Server (TGS)

After successfully decrypting the first message from the AS with the secret key derived from the password the user typed, the user sends the Ticket Granting Server a request to access a specific resource, together with the ticket granting ticket and an authenticator (the user's identity and a timestamp) encrypted under the session key.

The TGS decrypts the ticket granting ticket to obtain the session key and the identity it was issued to. It uses this session key to decrypt and verify the user's authenticator, then reads the request. If the user is permitted to access the requested resource, it sends two messages analogous to those sent by the Authentication Server: the first contains the session key for talking to the resource server and can be read only by the TGS and the user (encrypted under the session key established with the AS), and the second can be read only by the TGS and the resource server (encrypted under the long-term secret key shared between them).

The user thereby obtains a session key for the corresponding resource server and a ticket that proves its authentication. After the user forwards the request and the ticket, if the resource server can validate the ticket and successfully decrypt the message the user sent, the user is granted access to the resource without any further intermediary.

Note: The lifetime of a session key (and of the ticket that carries it) should be neither too long nor too short. If it is too long, a captured ticket remains usable for a Replay Attack#, which an intruder can use to access the services; in Version 5 the timestamp in the authenticator, together with a replay cache at the server, narrows that window. If it is too short, the user is asked for the password too frequently.
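The three exchanges described above (Authentication Server, Ticket Granting Server, resource server) together with the expiry and replay checks from the note, modelled as an added example in Python; this is not code from the original page or from any Kerberos implementation. It uses only the standard library: an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the AES modes a real KDC uses, tickets are JSON objects, and the realm name, principal names, passwords and lifetimes are made up. The last function shows the offline password-guessing caveat from the AS section: whoever holds the first AS reply can test guesses without talking to the server.

```python
# Added example (not from the original page): toy model of the Kerberos AS, TGS
# and client/server exchanges. Assumptions: HMAC-SHA256 keystream + encrypt-then-MAC
# tag as the cipher, JSON tickets, and a made-up realm "EXAMPLE.REALM".
import hashlib
import hmac
import json
import os
import time

REALM_SALT = b"EXAMPLE.REALM"  # string-to-key salt (made up)
CLOCK_SKEW = 300.0             # max age of an authenticator timestamp, seconds

def derive_key(password: str) -> bytes:
    """Long-term user key derived from the password (Kerberos 'string-to-key')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM_SALT, 20_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object; only a holder of `key` can read or alter it."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server and Ticket Granting Server sharing one principal database."""
    def __init__(self, lifetime: float = 300.0, clock=time.time):
        self.lifetime, self.clock = lifetime, clock
        self.users = {}  # principal -> long-term key
        # Long-term keys of the TGS ("krbtgt") and of each service, distributed out of band.
        self.services = {"krbtgt": os.urandom(32), "fileserver": os.urandom(32)}

    def register_user(self, name: str, password: str) -> None:
        self.users[name] = derive_key(password)

    def as_exchange(self, user: str):
        """AS reply: {session key}K_user and the TGT {session key, user, expiry}K_tgs."""
        sk = os.urandom(32).hex()
        expires = self.clock() + self.lifetime
        tgt = {"user": user, "key": sk, "expires": expires}
        return seal(self.users[user], {"key": sk, "expires": expires}), seal(self.services["krbtgt"], tgt)

    def tgs_exchange(self, tgt_blob: bytes, auth_blob: bytes, service: str):
        """TGS reply: {service session key}SK and the service ticket {.., user}K_service."""
        tgt = unseal(self.services["krbtgt"], tgt_blob)  # only the TGS key opens the TGT
        sk = bytes.fromhex(tgt["key"])
        auth = unseal(sk, auth_blob)                     # proves the client knows SK
        now = self.clock()
        if now > tgt["expires"] or auth["user"] != tgt["user"] or abs(now - auth["time"]) > CLOCK_SKEW:
            raise ValueError("expired TGT or bad authenticator")
        ssk = os.urandom(32).hex()
        ticket = {"user": tgt["user"], "service": service, "key": ssk, "expires": now + self.lifetime}
        return seal(sk, {"key": ssk, "service": service}), seal(self.services[service], ticket)

def client_login(kdc: KDC, user: str, password: str):
    """Step 1: decrypt the AS reply with the password-derived key; wrong password -> ValueError."""
    enc_part, tgt = kdc.as_exchange(user)
    return bytes.fromhex(unseal(derive_key(password), enc_part)["key"]), tgt

def client_get_service_ticket(kdc: KDC, user: str, sk: bytes, tgt: bytes, service: str):
    """Step 2: present TGT + authenticator to the TGS and receive a ticket for `service`."""
    enc_part, ticket = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "time": kdc.clock()}), service)
    return bytes.fromhex(unseal(sk, enc_part)["key"]), ticket

def service_accept(kdc: KDC, service: str, ticket_blob: bytes, auth_blob: bytes, seen: set) -> str:
    """Step 3: the resource server validates ticket + authenticator; `seen` is its replay cache."""
    ticket = unseal(kdc.services[service], ticket_blob)  # the service's own long-term key
    auth = unseal(bytes.fromhex(ticket["key"]), auth_blob)
    now = kdc.clock()
    if ticket["service"] != service or now > ticket["expires"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise ValueError("ticket expired or authenticator outside the clock-skew window")
    if (auth["user"], auth["time"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((auth["user"], auth["time"]))
    return ticket["user"]

def offline_guess(enc_part: bytes, wordlist):
    """The AS-section caveat: anyone holding the first AS reply can test password guesses offline."""
    for guess in wordlist:
        try:
            unseal(derive_key(guess), enc_part)
            return guess
        except ValueError:
            pass
    return None
```

The `clock` parameter exists so that expiry can be exercised without waiting: a real KDC and service use the wall clock, which is why Kerberos deployments depend on synchronised time. Replay protection here keys the cache on (user, timestamp); a production server additionally bounds the cache by the clock-skew window so it does not grow without limit.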

Depending on the version of the Kerberos protocol, the fields carried inside the encrypted messages differ slightly. See Kerberos Version 4#.

Footnotes
1.
This message is often known as ticket granting ticket.
#authentication #cryptography #important