Kerberos protocol:
The Kerberos protocol is primarily used for authentication on computer networks. Its distinguishing feature is that a user enters authentication credentials once and can then access multiple services with that single authentication (by way of a ticket-granting ticket), i.e. single sign-on (SSO). Because a shared secret is established between each client and each service, the protocol is quite secure.
Conditions
First, look at the prerequisites for the Kerberos protocol:
As shown in, the client and the KDC, and the KDC and the service, already share their respective keys before the protocol runs. Because the protocol's messages generally cannot pass through firewalls, these conditions limit the Kerberos protocol to use inside an organization, making its application scenario different from the.
Process
The Kerberos protocol consists of two parts:
1. The client sends its own identity to the KDC, and the KDC's ticket-granting service issues a ticket-granting ticket (TGT). The KDC encrypts the TGT with the key shared between the client and the KDC before the protocol began, and returns it to the client.
Only the genuine client holds the key it shares with the KDC, so only it can decrypt the encrypted TGT and thereby obtain the TGT.
(This avoids the insecure approach of the client sending its password directly to the KDC for verification.)
2. The client uses the TGT obtained in the first part to request tickets for other services from the KDC, and then uses those tickets to authenticate itself to those services.
The focus of the Kerberos protocol is the second part, which proceeds as follows:
1. The client sends the TGT obtained earlier, together with information about the service it wants (service name, etc.), to the ticket-granting service in the KDC. The KDC generates a session key between the client and the service, which the service will use to identify the client. The KDC then packs the session key together with the user name, user address (IP), service name, validity period and timestamp into a ticket (which the service ultimately uses to identify the client) to be sent to the service. However, the Kerberos protocol does not send the ticket to the service directly; it reaches the service via the client. Hence there is a second step.
2. The KDC now forwards the ticket it just created to the client. Since this ticket is meant for the service, the client must not be able to read it, so the KDC encrypts the ticket with the key it shared with the service before the protocol began, and only then sends it to the client. Also, so that the client and the service can share a secret (the session key the KDC created for them in the first step), the KDC encrypts the session key with the key it shares with the client and returns it to the client together with the encrypted ticket.
3. To complete delivery of the ticket, the client forwards the ticket it just received to the service. Because the client does not know the key shared between the KDC and the service, it cannot read the information inside the ticket. At the same time, the client decrypts the session key it received, packs its user name and user address (IP) into an authenticator, encrypts the authenticator with the session key, and sends it to the service as well.
4. When the service receives the ticket, it uses the key it shares with the KDC to decrypt the ticket, obtaining the session key, user name, user address (IP), service name and expiration date. It then uses the session key to decrypt the authenticator, obtaining the user name and user address (IP), and compares them with the user name and user address (IP) decrypted from the ticket to verify the client's identity.
5. If the service has a result to return, it is returned to the client.
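The second part of the exchange, steps 1 to 4 above, as an added example that is not code from the original article. The cipher is a toy standard-library construction (HMAC-SHA256 keystream plus an HMAC tag) standing in for the real Kerberos encryption types, the key values, names and addresses are constructed, and the KDC's check of the presented TGT is left out to keep the focus on ticket delivery and the authenticator comparison.

```python
import hashlib, hmac, json, os

def _ks(key, nonce, n):  # toy keystream: HMAC-SHA256 in counter mode (not real Kerberos crypto)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, obj):  # nonce || ciphertext || tag, JSON payload
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):  # raises if the key is wrong or the message was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# Long-term keys shared before the protocol starts (constructed sample values).
CLIENT_KEY, SERVICE_KEY = b"client-long-term-key", b"service-long-term-key"

def kdc_tgs_reply(client, addr, service, now, lifetime=300):
    # Steps 1-2: mint a session key, seal it with the client's details in a ticket
    # under the service key, and hand the client its own copy under the client key.
    sk = os.urandom(32).hex()
    ticket = {"client": client, "addr": addr, "service": service,
              "session_key": sk, "start": now, "end": now + lifetime}
    return encrypt(SERVICE_KEY, ticket), encrypt(CLIENT_KEY, {"session_key": sk})

def client_ap_request(reply, client, addr, now):
    # Step 3: recover the session key, forward the ticket untouched (the client
    # cannot read it) and add an authenticator encrypted under the session key.
    ticket_blob, enc_sk = reply
    sk = bytes.fromhex(decrypt(CLIENT_KEY, enc_sk)["session_key"])
    return ticket_blob, encrypt(sk, {"client": client, "addr": addr, "ts": now})

def service_verify(ticket_blob, auth, now, skew=300):
    # Step 4: open the ticket with the service key, then the authenticator with
    # the session key found inside, and compare identities and times.
    t = decrypt(SERVICE_KEY, ticket_blob)
    if not t["start"] <= now <= t["end"]:
        return False, "ticket outside validity period"
    a = decrypt(bytes.fromhex(t["session_key"]), auth)
    if (a["client"], a["addr"]) != (t["client"], t["addr"]):
        return False, "authenticator does not match ticket"
    if abs(a["ts"] - now) > skew:
        return False, "authenticator timestamp outside allowed skew"
    return True, t["client"]
```

The service never learns the client's long-term key and the client never reads the ticket; only the KDC-minted session key links the two halves, which is what the comparison in the last function relies on.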
Summary
To summarize, the Kerberos protocol does two main things.
1. Secure delivery of the ticket.
2. Secure distribution of the session key.
In addition, the use of timestamps goes a long way toward ensuring the security of user authentication, and with the session key, the messages exchanged between client and service after authentication can also be given confidentiality and integrity guarantees. However, because no asymmetric keys are used, the protocol naturally cannot provide non-repudiation, which also limits its application. On the other hand, it is much simpler to implement than PKI-based identity authentication.