Kerberos is a security authentication protocol intended to provide
- More secure authentication
- Simplified management of password
- Convenience of single
The basic structure of Kerberos
- Kerberos Client: The party requesting the service
- Kerberized Service: The party providing the services
- Kerberos KDC: A party that provides authentication for password management. Both client and service provider keep their privacy in the KDC.
Kerberos Authentication Process
1. Client requests a TGT from the KDC
Client sends a packet containing only principal to the KDC
The KDC queries whether the user principal database exists, and if so, generates a TGT that has been encrypted by the KDC key and a time sensitive session key. It is then returned to a tgt+session key that has been encrypted with a user key
2. Client requests service from KDC
The client generates a authenticator, encrypts it with session key, and requests the service name, TGT, and a concurrent send to the KDC.
The KDC compares the authenticator and TGT, and if there is no problem, trusts the client and returns to the client a service ticket and a new session key encrypted with the service key, returning the packet for the first session Key encryption.
3. Client requests Services to service
The client receives the packet returned by the KDC, encrypts the authenticator with the new session key, and sends the service ticket together with the service.
The service receives the packet, opens the service ticket with its own key, and then opens the authenticator with the session key inside the service ticket. If the validation passes, the service data that the client wants is returned.
[Kerberos] Kerberos Authentication Process Collation