Kerberos protocol operation

08 September 2014 Written by 
Rate this item
(0 votes)

The authentication protocol Kerberos allows a number of computers to prove their identity among them safely over an insecure network. The operation of the protocol is based on the Needham-Schroeder protocol, which defines a ''trusted third party'' called Key Distribution Center (KDC). William Stallings in his book Fundamentals of Network Security: Applications and Standards, Second Edition (p.394) defines a KDC as follows:

Authorized system to transmit temporary session key for users. Each session key is transmitted encrypted using a master key that the Key Distribution Center shares with the target user.

The KDC can be seen as a set of two logic stages: an authentication server (AS) and an ticket granting server (TGS). The AS has the function to identify each user, validate their identity and give the client a key that allows to communicate with the TGS. Furthermore, the TGS is the responsible server for checking that the client possesses the authentication ticket and provides a key to the user that allows access to the requested services. This scenario is shown in Figure # 1.



Figure # 1: Components and communication flow of Kerberos protocol.

Kerberos performs a ticket management that allows users to prove their identity and get the keys for a particular service, these keys allow to two entities interact safely. This requires that the protocol perform a proper management of different databases in order to identify users, while maintaining another database of secret keys to assign to each entity, either client or server.

Figure # 2 shows the produced messages flow by the Kerberos protocol, which clearly sees the contained information in each sent message between the different entities involved in the key exchange. It should be clarified that the previous communication that should be established between the client and the AS, which gives the user name and password entered by the user on the client, is not shown. However, the ticket management is quite clear.

When the client makes a request to the AS, the AS responds with two messages: the first sends the encrypted key that the client will share with the TGS, and the second packet should be forwarded to the TGS, this package cannot be decrypted by the client and contains information about the validation made by the AS.

Then, the client sends two messages to the TGS: in the first message forwards the packet that has been received from the AS, adding the type of the requested service and the second message is an authenticator which is encrypted with the key generated by the AS for the communication between client and TGS.

Now, the TGS responds to the client with the key that will be sharing with the requested service server and a ticket that only this server can decrypt and that the customer must forward. The client forwards the ticket to the service server and also an authenticator encrypted with the provided key by the TGS for the communication, so that, the communication between client and service can be performed in encrypted form with that key.


Figure # 2: Message Exchange of the Kerberos protocol.



  1. William Stallings. Fundamentals of Network Security: Applications and Standards, Second Edition. Pearson Education. 2004.


9408 Last modified on Tuesday, 15 October 2019 21:20
More in this category:
Luis Sequeira

Luis Sequeira is an IT professional with experience in cloud environments, quality of service and network traffic analysis, who loves looking for solutions to engineering challenges, share knowledge. At work, the main challenge is to integrate different network and software technologies to provide solution in a wide range of areas, e.g., virtual network functions, machine learning, autonomous driving, robotics and augmented reality.



  • video marketing Comment Link
    video marketing 06 July 2015, 04:14
    That is really interesting, You are a very skilled blogger.
    I have joined your feed and look ahead to looking for extra of your
    excellent post. Also, I've shared your site in my social networks
  • m88 Comment Link
    m88 19 July 2015, 16:43
    Great information. Lucky me I discovered yoir site by chance (stumbleupon).
    I've bookmarked it for later!
  • m88 Comment Link
    m88 29 July 2015, 13:10
    Thaat is a really goold tip particularly to those new to the blogosphere.
    Short but verty precise info… Thanks for sharinng this one.
    A must read article!
  • m88 Comment Link
    m88 29 July 2015, 13:24
    An outstanding share! I have just forwarded this ontro a friend who has been conducting a little homework on this.
    Annd he actually bought me dinner because I
    discovered it for him... lol. So let mme reword this....

    Thanks for the meal!! Butt yeah, thanks for spending the time to talk about this
    topic here on your blog.
  • m88 Comment Link
    m88 29 July 2015, 18:46
    It's perfect time to make some plans for the future and it's
    time to be happy. I haqve read this post and if I could I desire to suggest you some interesting things or advice.
    Maybe you could write next articls referring to this article.
    I want to read even more things about it!
  • in Comment Link in 11 August 2015, 19:26
    Click about the subject line or sender of a message to open it.
    Hotmail's privacy settings permit you to filter junk email along with block specific addresses from contacting you.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.