Kerberos protocol operation

08 September 2014 Written by 
Rate this item
(0 votes)

The authentication protocol Kerberos allows a number of computers to prove their identity among them safely over an insecure network. The operation of the protocol is based on the Needham-Schroeder protocol, which defines a ''trusted third party'' called Key Distribution Center (KDC). William Stallings in his book Fundamentals of Network Security: Applications and Standards, Second Edition (p.394) defines a KDC as follows:

Authorized system to transmit temporary session key for users. Each session key is transmitted encrypted using a master key that the Key Distribution Center shares with the target user.

The KDC can be seen as a set of two logic stages: an authentication server (AS) and an ticket granting server (TGS). The AS has the function to identify each user, validate their identity and give the client a key that allows to communicate with the TGS. Furthermore, the TGS is the responsible server for checking that the client possesses the authentication ticket and provides a key to the user that allows access to the requested services. This scenario is shown in Figure # 1.



Figure # 1: Components and communication flow of Kerberos protocol.

Kerberos performs a ticket management that allows users to prove their identity and get the keys for a particular service, these keys allow to two entities interact safely. This requires that the protocol perform a proper management of different databases in order to identify users, while maintaining another database of secret keys to assign to each entity, either client or server.

Figure # 2 shows the produced messages flow by the Kerberos protocol, which clearly sees the contained information in each sent message between the different entities involved in the key exchange. It should be clarified that the previous communication that should be established between the client and the AS, which gives the user name and password entered by the user on the client, is not shown. However, the ticket management is quite clear.

When the client makes a request to the AS, the AS responds with two messages: the first sends the encrypted key that the client will share with the TGS, and the second packet should be forwarded to the TGS, this package cannot be decrypted by the client and contains information about the validation made by the AS.

Then, the client sends two messages to the TGS: in the first message forwards the packet that has been received from the AS, adding the type of the requested service and the second message is an authenticator which is encrypted with the key generated by the AS for the communication between client and TGS.

Now, the TGS responds to the client with the key that will be sharing with the requested service server and a ticket that only this server can decrypt and that the customer must forward. The client forwards the ticket to the service server and also an authenticator encrypted with the provided key by the TGS for the communication, so that, the communication between client and service can be performed in encrypted form with that key.


Figure # 2: Message Exchange of the Kerberos protocol.



  1. William Stallings. Fundamentals of Network Security: Applications and Standards, Second Edition. Pearson Education. 2004.


10451 Last modified on Tuesday, 15 October 2019 21:20
More in this category:
Luis Sequeira

Luis Sequeira is an IT professional with experience in cloud environments, quality of service and network traffic analysis, who loves looking for solutions to engineering challenges, share knowledge. At work, the main challenge is to integrate different network and software technologies to provide solution in a wide range of areas, e.g., virtual network functions, machine learning, autonomous driving, robotics and augmented reality.



  • Brustverkleinerung Kosten Comment Link
    Brustverkleinerung Kosten 26 January 2015, 21:12
    bookmarked!!, I really like your site!
  • how to get a google plus account Comment Link
    I know this website presents quality depending articles and additional information, is there any other site which gives such stuff in quality?
  • restaurants near mexican town detroit Comment Link
    Hi, of course this article is genuinely good and I have learned lot of things from it
    about blogging. thanks.
  • m88 Comment Link
    m88 10 June 2015, 03:24
    I was suggested this website by my cousin. I'm not sure whether this poszt is written by
    him as nobody else know such detailed about myy difficulty.

    You are amazing! Thanks!
  • Kathi Comment Link
    Kathi 12 June 2015, 11:38
    I will right away seize your rss feed as I can't in finding your email subscription link or e-newsletter service.

    Do you have any? Please allow me recognhise in order that I maay
    just subscribe. Thanks.
  • m88a Comment Link
    m88a 12 June 2015, 14:59
    There's definately a lot to know about this subject. Ireally like all of the points you have made.
  • m88 Comment Link
    m88 19 June 2015, 11:24
    I believe this is onee of the such a lot vital info for me.
    And i am haply studying your article. But should remark on some general issues,
    The web site style is perfect, the artcles is actually excellent : D.
    Good task, cheers
  • Comment Link 21 June 2015, 00:04
    Heya i am for tthe first time here. I found this board and
    I find It truly useful & it helped me out a lot. I hope to give one thing
    back and help others such as you helped me.
  • Comment Link 21 June 2015, 01:16
    Hey I know this is off topic but I was wondering if you knew
    of any widgets I could add to my blog that automatically tweet my newest twitter
    updates. I've been looking for a plug-in like this
    for quite some time and was hoping maybe you would have some experience
    with something like this. Please let me know if you run into anything.
    I truly enjoy reading your blog and I look forward to your new updates.
  • facebook login Comment Link
    facebook login 03 July 2015, 18:46
    If you can find yourself using Facebook excessive,
    account deactivation can be an easy solution to temporarily stop
    yourself from using the website. Make it easy for anyone
    with similar interests to locate your.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.