In the context of computing, Kerberos is an authentication protocol that assumes a physically nontrusted network. The most common view is that the heads represent the client, application server, and trusted third party. Kerberos addresses when a client wants to use a service of an application server. Secure applications require that the requester provide proof of identity across the network in a way that can’t be intercepted and then be used to impersonate the valid user.
The Kerberos protocol and the trusted Kerberos server are the center of this secure authentication. Strong symmetric key cryptography is used to protect the data sent between the client and application. The earliest versions of Kerberos were created as an integral part of MIT’s Project Athena. The fourth version of the protocol was broken out of the greater project and made available to other exploiters as Kerberos. The implementation discussed in this article is based on Version 5, which is the latest.
The following terms are key to understanding Kerberos:
• Key DiStriBution center (KDc) is the trusted third party that contains all definitions and creates all tickets. The KDC is comprised of two parts, the authentication server and the ticket granting server.
• Principal is any entity that’s defined to the KDC. This includes users, services, and trust relationships with other Kerberos servers.
• Realm is the domain of the KDC, which contains all principal definitions.
• Ticket is an encrypted authentication token used to assert the identity of the requester. It contains information regarding the user and application along with expiration data, so it can be used only for a pre-determined time. There are two types of tickets, Ticket Granting Tickets (TGTs) that assert the user’s identity, and service tickets that assert the user’s identity to a specific service.
• Authentication Server (AS) is the part of the KDC that authenticates user principals and issues TGTs. A session key is generated for communication between the client and the Ticket Granting Server (TGS), which upon validating a TGT will generate a session key to cover the communication between the client and service and issue a service ticket.
• Kerberos Database (KDB) contains all data related to the realm.