Kerberos protocol operation

08 September 2014
Published in Security

The Kerberos authentication protocol allows a number of computers to prove their identity to one another securely over an insecure network. The protocol's operation is based on the Needham-Schroeder protocol, which defines a "trusted third party" called the Key Distribution Center (KDC). William Stallings, in his book Fundamentals of Network Security: Applications and Standards, Second Edition (p. 394), defines a KDC as follows:

A system authorized to transmit temporary session keys to users. Each session key is transmitted encrypted using a master key that the Key Distribution Center shares with the target user.

The KDC can be seen as a set of two logical stages: an authentication server (AS) and a ticket-granting server (TGS). The AS identifies each user, validates their identity and gives the client a key that allows it to communicate with the TGS. The TGS, in turn, is responsible for checking that the client possesses the authentication ticket and for providing the user with a key that grants access to the requested services. This scenario is shown in Figure # 1.

Figure # 1: Components and communication flow of Kerberos protocol.
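To make the two-stage structure concrete, here is an added toy simulation of the AS and TGS exchanges described above. It is example code written for this page, not part of the original post or of any Kerberos implementation, and it simplifies freely: the "encryption" is an HMAC-SHA256 keystream with an HMAC tag (a stand-in for the real cipher so that nothing beyond the Python standard library is needed), the principal database, the names `alice` and `fileserver`, and the fixed clock value are all constructed. What it does show faithfully is the key-distribution logic: the AS hands the client a TGS session key under the client's master key and a ticket (TGT) sealed under a key only the TGS knows; the TGS checks the TGT plus an authenticator before issuing a service ticket; the service does the same check with its own key.

```python
"""Toy Kerberos KDC (AS + TGS) simulation. Example code, not a real implementation."""
import hashlib
import hmac
import json
import os
import secrets

LIFETIME = 300    # ticket lifetime in seconds (constructed value)
CLOCK_SKEW = 60   # accepted authenticator age in seconds (constructed value)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode, standing in for AES. Not for production.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable dict under a shared key: nonce || ct || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(auth: dict, ticket_info: dict, now: int) -> None:
    # The authenticator must name the same client as the ticket and be fresh.
    if auth["client"] != ticket_info["client"] or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator mismatch or stale")


class KDC:
    """The AS and TGS as two logical stages over one principal database."""

    def __init__(self, principals: dict, tgs_key: bytes):
        self.principals = principals   # principal name -> master key
        self.tgs_key = tgs_key         # known only to the TGS stage

    def as_exchange(self, client: str, now: int) -> tuple:
        """AS: return (TGT sealed for the TGS, reply sealed under the client's master key)."""
        if client not in self.principals:
            raise ValueError("unknown principal")
        session = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, {"client": client, "key": session.hex(), "expires": now + LIFETIME})
        reply = seal(self.principals[client], {"key": session.hex(), "expires": now + LIFETIME})
        return tgt, reply

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> tuple:
        """TGS: validate TGT + authenticator, return (service ticket, reply under TGS session key)."""
        info = unseal(self.tgs_key, tgt)
        if now > info["expires"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(info["key"])
        _check_authenticator(unseal(session, authenticator), info, now)
        if service not in self.principals:
            raise ValueError("unknown service")
        svc_key = secrets.token_bytes(32)
        ticket = seal(self.principals[service],
                      {"client": info["client"], "key": svc_key.hex(), "expires": now + LIFETIME})
        return ticket, seal(session, {"key": svc_key.hex(), "service": service})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """Application server: validate ticket + authenticator with its own key; return client name."""
    info = unseal(service_key, ticket)
    if now > info["expires"]:
        raise ValueError("service ticket expired")
    _check_authenticator(unseal(bytes.fromhex(info["key"]), authenticator), info, now)
    return info["client"]


def full_login(kdc: KDC, client: str, client_key: bytes, service: str, service_key: bytes, now: int) -> str:
    """Walk the whole flow from the client's side; returns the name the service authenticated."""
    tgt, reply = kdc.as_exchange(client, now)
    tgs_session = bytes.fromhex(unseal(client_key, reply)["key"])   # only the real client can open this
    ticket, reply2 = kdc.tgs_exchange(tgt, seal(tgs_session, {"client": client, "ts": now}), service, now)
    svc_session = bytes.fromhex(unseal(tgs_session, reply2)["key"])
    return service_accepts(service_key, ticket, seal(svc_session, {"client": client, "ts": now}), now)


def demo() -> dict:
    """Constructed principals; returns outcomes for a good login, a wrong key, and a tampered TGT."""
    now = 1_000_000
    alice_key, fileserver_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": alice_key, "fileserver": fileserver_key}, os.urandom(32))
    results = {"good": full_login(kdc, "alice", alice_key, "fileserver", fileserver_key, now)}
    try:
        full_login(kdc, "alice", os.urandom(32), "fileserver", fileserver_key, now)
        results["wrong_key"] = "accepted"
    except ValueError:
        results["wrong_key"] = "rejected"
    tgt, _ = kdc.as_exchange("alice", now)
    tampered = tgt[:20] + bytes([tgt[20] ^ 0x01]) + tgt[21:]   # flip one ciphertext bit
    try:
        kdc.tgs_exchange(tampered, b"", "fileserver", now)
        results["tampered_tgt"] = "accepted"
    except ValueError:
        results["tampered_tgt"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the architecture is designed to produce: a client holding the right master key reaches the service, a client with the wrong key cannot even read the AS reply (so it never obtains the TGS session key), and a modified TGT fails the TGS's integrity check before any of its contents are trusted. The TGT being opaque to the client is the reason the TGS never needs to consult the AS: everything it must know travels inside the ticket, under a key the client does not have.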