Kerberos performs a ticket management that allows users to prove their identity and get the keys for a particular service, these keys allow to two entities interact safely. This requires that the protocol perform a proper management of different databases in order to identify users, while maintaining another database of secret keys to assign to each entity, either client or server.
Figure # 2 shows the produced messages flow by the Kerberos protocol, which clearly sees the contained information in each sent message between the different entities involved in the key exchange. It should be clarified that the previous communication that should be established between the client and the AS, which gives the user name and password entered by the user on the client, is not shown. However, the ticket management is quite clear.
When the client makes a request to the AS, the AS responds with two messages: the first sends the encrypted key that the client will share with the TGS, and the second packet should be forwarded to the TGS, this package cannot be decrypted by the client and contains information about the validation made by the AS.
Then, the client sends two messages to the TGS: in the first message forwards the packet that has been received from the AS, adding the type of the requested service and the second message is an authenticator which is encrypted with the key generated by the AS for the communication between client and TGS.
Now, the TGS responds to the client with the key that will be sharing with the requested service server and a ticket that only this server can decrypt and that the customer must forward. The client forwards the ticket to the service server and also an authenticator encrypted with the provided key by the TGS for the communication, so that, the communication between client and service can be performed in encrypted form with that key.
Figure # 2: Message Exchange of the Kerberos protocol.
- William Stallings. Fundamentals of Network Security: Applications and Standards, Second Edition. Pearson Education. 2004.