Dept. of Computer Science & Engineering
Lovely Professional University
WHAT IS KERBEROS?
ADVANTAGES & DISADVANTAGES.
PUBLIC KEY CRYPTOGRAPHY.
What is Kerberos?
• Network authentication protocol.
• Developed at MIT in the mid 1980s.
• Uses a trusted third-party authentication scheme: a key distribution center (KDC) that shares a secret with every user and every service.
• Assumes that hosts are not trustworthy.
• Requires that each client (each request for service) prove its identity.
• Does not require the user to enter a password every time a service is
• Steve Miller and Clifford Neuman designed the first Kerberos version in 1983.
• Versions 1–3 were used only internally at MIT as part of Project Athena.
• Version 5, designed by John Kohl and Clifford Neuman, appeared in 1993 (RFC 1510).
• Windows 2000 was Microsoft's first operating system to implement Kerberos security.
Recent updates include:
• Encryption and Checksum Specifications (RFC 3961).
• Clarification of the protocol, with a more detailed and clearer explanation of intended use (RFC 4120).
• A new edition of the GSS-API (Generic Security Service Application Program Interface) mechanism specification (RFC 4121).
Why Kerberos?
• Sending usernames and passwords in the clear jeopardizes the security of the network.
• Each time a password is sent in the clear, there is a chance for
• Kerberos provides strong security on a physically insecure network.
• It uses a centralized authentication server which authenticates
  • users to servers, and
  • servers to users.
Firewall vs. Kerberos?
• Firewalls make a risky assumption: that attackers are coming from the outside. In reality, attacks frequently come from within.
• A firewall assumes the "bad guys" are on the outside, while the really damaging ones can be inside!
• Firewalls also restrict use of the Internet.
• Kerberos instead assumes that network connections (rather than servers and workstations) are the weak link in network security, so it protects the authentication traffic itself.
Kerberos terminology
• Realm: indicates an authentication administrative domain, i.e. the set of principals one KDC is authoritative for.
• Principal: the name used to refer to the entries (users and services) in the AS database.
• Ticket: issued by the AS (the TGT) or by the TGS (a service ticket) and encrypted using the secret key of the service it is for, so only that service can read it.
• Encryption types: DES, RC4-HMAC, AES128 and AES256 algorithms. DES and RC4-HMAC are deprecated (RFC 6649, RFC 8429); new deployments should allow only the AES types.
• Key Version Number (kvno): records which version of a principal's key a ticket was encrypted under, so keys can be rotated without breaking tickets already issued.
• Key Distribution Center (KDC): contains information about users and services (the principal database) and runs the AS and the TGS.
• Authentication Server (AS): replies to the initial authentication request from the client and issues the TGT.
• Ticket Granting Server (TGS): distributes service tickets to clients.
• Session Key: a secret shared between a user and a service for which the client has a work session open on a server; the KDC generates a fresh one for every ticket.
• Credential Cache: stores on the client the tickets and the related session keys; the password itself is never kept after the initial authentication.
Working of Kerberos
Fig. 1 Authentication service verifies the user ID
Step 1: (Fig. 1)
The client sends an authentication request (AS_REQ) naming its principal to the AS. The AS receives the request and verifies that the principal exists in the KDC database. No password travels over the network.
Step 2:
Upon verification, the AS generates a fresh session key and a timestamp with the current time; the ticket carries a start time and an expiration time (typically 8 hours). The timestamp ensures that when the 8 hours are up, the session key is no longer accepted by any server.
Fig. 2 Authentication service issues TGT.
Step 3: (Fig. 2)
The session key is sent back to the client in the form of a Ticket Granting Ticket (TGT) plus a reply block. The TGT is encrypted under the TGS's own secret key, so the client can neither read nor alter it; the client's copy of the session key is encrypted under the key derived from the user's password, so only a client that knows the password can recover it.
Fig. 3 Client submits TGT to TGS.
Step 4: (Fig. 3)
To reach a service, the client submits the TGT to the TGS together with an authenticator (its principal name and a fresh timestamp, encrypted under the session key from step 3). A valid authenticator proves that the client possesses the session key, i.e. that it knew the password.
Fig. 4 TGS grants client the service ticket.
Step 5: (Fig. 4)
The TGS decrypts the TGT, checks the authenticator and the ticket lifetime, creates a new session key for the client and the requested service, and grants the client a service ticket that carries this key encrypted under the service's secret key. The client decrypts its own copy of the new session key from the reply; no acknowledgement back to the TGS is needed.
Fig. 5 Service server decrypts key & checks timestamp
Step 6: (Fig. 5)
The client sends the service ticket and a fresh authenticator, encrypted under the new session key, to the service server.
Step 7:
The service decrypts the ticket with its own secret key, recovers the session key, and checks whether the ticket is still valid and whether the authenticator's timestamp is within the allowed clock skew (5 minutes by default) and has not been seen before (replay cache). The service does not need to contact the KDC: everything it needs is inside the ticket.
Fig. 6 For valid keys communication is initiated.
Step 8: (Fig. 6)
If mutual authentication was requested, the service replies with the authenticator's timestamp encrypted under the session key; the client decrypts it, which proves the service knows the key. If the keys are still valid, communication is initiated between client and service, protected by the session key. Now the client is authenticated to that service until the ticket expires.
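The eight steps above as a runnable model, added here as an illustration; it is not code from the original slides or from any Kerberos implementation. It assumes a realm EXAMPLE.COM, a user alice, a service host/fs.example.com and a fixed clock (all constructed), and replaces the real Kerberos encryption types with a small HMAC-based seal/unseal helper so that it runs with only the Python standard library. The message names (AS_REQ, TGS_REQ, AP_REQ, ...) follow RFC 4120 but the wire formats do not.

```python
import hashlib, hmac, json, os
REALM = "EXAMPLE.COM"  # assumed realm name
LIFETIME = 8 * 3600    # ticket lifetime in seconds (the slides use 8 hours)
MAX_SKEW = 300         # allowed clock skew, the conventional 5 minutes

def string_to_key(password, principal):
    # Stand-in for string-to-key: client and KDC both derive the long-term key from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 20_000, 32)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC; not a real Kerberos etype, just confidentiality plus integrity."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify_ticket(ticket, authenticator, now, seen):
    """Checks shared by the TGS (step 5) and by every kerberized service (step 7)."""
    if not ticket["start"] - MAX_SKEW <= now <= ticket["end"]:
        raise PermissionError("ticket expired or not yet valid")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)  # proves possession of the session key
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match the ticket")
    if abs(auth["timestamp"] - now) > MAX_SKEW:
        raise PermissionError("authenticator timestamp outside the allowed clock skew")
    if (auth["client"], auth["timestamp"]) in seen:  # replay cache
        raise PermissionError("replayed authenticator")
    seen.add((auth["client"], auth["timestamp"]))
    return auth

class KDC:  # one process acting as both AS and TGS over one principal database
    def __init__(self):
        self.db = {"krbtgt/" + REALM: os.urandom(32)}  # principal -> long-term key
        self.seen = set()
    def add_principal(self, name, password):
        self.db[name] = string_to_key(password, name)
    def _issue(self, client, service, now):
        skey = os.urandom(32)
        body = {"client": client, "service": service, "key": skey.hex(), "start": now, "end": now + LIFETIME}
        return skey, seal(self.db[service], body)  # ticket readable only by the service
    def as_exchange(self, client, now):  # AS_REQ -> AS_REP (steps 1-3)
        skey, tgt = self._issue(client, "krbtgt/" + REALM, now)
        return seal(self.db[client], {"key": skey.hex(), "end": now + LIFETIME}), tgt
    def tgs_exchange(self, tgt, authenticator, service, now):  # TGS_REQ -> TGS_REP (steps 4-5)
        t = unseal(self.db["krbtgt/" + REALM], tgt)
        verify_ticket(t, authenticator, now, self.seen)
        skey, ticket = self._issue(t["client"], service, now)
        return seal(bytes.fromhex(t["key"]), {"key": skey.hex(), "service": service}), ticket

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()  # key is what a keytab would hold
    def ap_exchange(self, ticket, authenticator, now):  # AP_REQ -> AP_REP (steps 6-8), no KDC call
        t = unseal(self.key, ticket)
        auth = verify_ticket(t, authenticator, now, self.seen)
        return seal(bytes.fromhex(t["key"]), {"timestamp": auth["timestamp"]})  # mutual authentication

class Client:
    def __init__(self, name, password):
        self.name, self.key, self.creds = name, string_to_key(password, name), {}
    def _authenticator(self, skey, now):
        return seal(skey, {"client": self.name, "timestamp": now})
    def login(self, kdc, now):
        rep, tgt = kdc.as_exchange(self.name, now)
        skey = bytes.fromhex(unseal(self.key, rep)["key"])  # wrong password -> ValueError here
        self.creds["krbtgt/" + REALM] = (skey, tgt)
    def access(self, kdc, service, now):
        tkey, tgt = self.creds["krbtgt/" + REALM]
        rep, ticket = kdc.tgs_exchange(tgt, self._authenticator(tkey, now), service.name, now)
        skey = bytes.fromhex(unseal(tkey, rep)["key"])
        ap_rep = service.ap_exchange(ticket, self._authenticator(skey, now), now)
        return unseal(skey, ap_rep)["timestamp"] == now  # service proved it knows the key

def run_demo():
    kdc, now = KDC(), 1_700_000_000.0  # constructed scenario with a fixed clock
    kdc.add_principal("alice", "correct horse battery")
    kdc.add_principal("host/fs.example.com", "service-secret")
    fs = Service("host/fs.example.com", kdc.db["host/fs.example.com"])
    alice = Client("alice", "correct horse battery")
    alice.login(kdc, now)
    results = {"login_ok": alice.access(kdc, fs, now + 60)}
    for label, action, err in [
            ("wrong_password_rejected", lambda: Client("alice", "guess").login(kdc, now), ValueError),
            ("replay_rejected", lambda: alice.access(kdc, fs, now + 60), PermissionError),
            ("expired_rejected", lambda: alice.access(kdc, fs, now + LIFETIME + 1), PermissionError)]:
        try: action(); results[label] = False
        except err: results[label] = True
    return results
```

Calling run_demo() returns four booleans: a correct password lets alice reach the service with mutual authentication, a wrong password fails when the client cannot decrypt the AS reply (the KDC itself never sees the password), a re-sent authenticator is stopped by the replay cache, and a request after the 8-hour lifetime is refused at the TGS. One caveat the model makes visible: the AS hands the encrypted reply to anyone who names the principal, which is exactly what an offline password-guessing attack needs; real deployments counter this with pre-authentication as defined in RFC 4120, which the model omits.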
Fig. 7 A possible Kerberos environment
1. Typical Infrastructure (Fig. 7)
A Kerberos infrastructure contains at least one Kerberos KDC. The KDC holds a complete database of the user and service principals of its realm and of their secret keys.
2. Kerberized Services
Clients and services that have been modified to authenticate through Kerberos are called kerberized clients and services.
Fig. 8 Authentication Requests.
Kerberos operation requires both read-only and write access to the Kerberos database.
From the figure, operations requiring read-only access to the Kerberos database (authentication requests) are performed by the AS, which can run on both the master and the slave machines.
Changes may only be made to the master Kerberos database; the slave copies are read-only and are refreshed from the master. Therefore the KDBM (Kerberos database management) server, which handles administration requests, may only run on the master Kerberos machine.
Fig. Administration Requests.
Kerberos administration
The Kerberos administration server (KDBM) manages and controls the administrative operations and functions of Kerberos. Setting up a realm involves:
• Running a program to initialize the database.
• Registering the essential principals in the database.
• Starting the Kerberos administration server and the AS properly.
For a new Kerberos application (service), a few steps are needed to get it working:
• It must be registered in the database.
• It must be assigned a secret key, shared only with the KDC.
The administrator must also ensure that the Kerberos machines are physically secure and must maintain backups of the master database: whoever can read that database can impersonate every principal in the realm.
Advantages
• Passwords are never sent across the network unencrypted.
• Clients and application services are mutually authenticated.
• Tickets have a limited lifetime.
• Authentication through the AS only has to happen once per ticket lifetime.
• Shared-secret (symmetric) cryptography is more efficient than public-key cryptography.
Disadvantages
• Kerberos only provides authentication for clients and services; authorization is left to the service.
• Vulnerable to users making poor password choices: an attacker who captures an AS reply can try passwords against it offline.
• Client machines and service (server) machines have to be designed with Kerberos authentication in
PUBLIC KEY CRYPTOGRAPHY
In public key cryptography two different but mathematically related keys are
The public key may be freely distributed, while its paired private key must
The public key is typically used for encryption, while the private or secret key is used for decryption.
It gives Kerberos a new direction (standardized as PKINIT, RFC 4556) because it eases key distribution considerably:
• The KDC does not need to store the clients' long-term keys in its database.
• To obtain a TGT, the client presents its public key (certificate) and signs the request with the matching private key.
• A trusted certification authority (CA) has to sign every valid public key; the KDC only needs to trust the CA.
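The public-key variant of the initial exchange as a runnable model, added here as an illustration and not code from the slides or from any PKINIT implementation: the KDC holds only the CA's public key, verifies the CA's signature on the client's certificate and the client's signature on the request, and returns the session key encrypted to the client's public key. The toy CA, the names alice and mallory and the fixed clock are constructed; the RSA is textbook (no padding, demo-sized keys) and the certificate is a dict rather than X.509, so it shows the trust relationships of RFC 4556 PKINIT but none of its message formats. The TGT itself would be produced exactly as in the symmetric flow and is omitted.

```python
import hashlib, os, random
rng = random.SystemRandom()

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, adequate for demo-sized keys."""
    if n < 4: return n in (2, 3)
    if n % 2 == 0: return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Textbook RSA without padding: shows the key-distribution change, not a scheme to deploy."""
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c): return c
    e = 65537
    p, q = prime(), prime()
    while p == q or (p - 1) % e == 0 or (q - 1) % e == 0:  # keep e invertible mod phi(n)
        p, q = prime(), prime()
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")
def sign(priv, *parts):
    n, d = priv
    return pow(digest(*parts), d, n)
def verify(pub, sig, *parts):
    n, e = pub
    return pow(sig, e, n) == digest(*parts)
def encrypt_to(pub, data):
    n, e = pub
    return pow(int.from_bytes(data, "big"), e, n)
def decrypt_with(priv, c, length=32):
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")
def cert_bytes(subject, pub):  # what the CA signs: subject name and public key
    return subject.encode(), str(pub[0]).encode(), str(pub[1]).encode()

class CA:
    def __init__(self):
        self.pub, self.priv = rsa_keygen()
    def issue(self, subject, pub):
        return {"subject": subject, "pub": pub, "sig": sign(self.priv, *cert_bytes(subject, pub))}

class KDC:  # AS for the public-key variant: stores no client keys, only the CA's public key
    def __init__(self, ca_pub):
        self.ca_pub = ca_pub
        self.pub, self.priv = rsa_keygen()  # the KDC's own key pair (its certificate in real PKINIT)
    def as_exchange(self, cert, req_sig, nonce, now):
        if not verify(self.ca_pub, cert["sig"], *cert_bytes(cert["subject"], cert["pub"])):
            raise PermissionError("certificate not signed by a trusted CA")
        if not verify(cert["pub"], req_sig, cert["subject"].encode(), nonce, str(now).encode()):
            raise PermissionError("request not signed by the certificate holder")
        session_key = os.urandom(32)
        enc_key = encrypt_to(cert["pub"], session_key)  # only the private-key holder can read it
        # The TGT (sealed under the krbtgt key, as in the symmetric flow) is omitted here.
        return enc_key, sign(self.priv, str(enc_key).encode(), nonce)

class Client:
    def __init__(self, name, ca):
        self.name = name
        self.pub, self.priv = rsa_keygen()
        self.cert = ca.issue(name, self.pub)
    def login(self, kdc, now):
        nonce = os.urandom(16)
        req_sig = sign(self.priv, self.name.encode(), nonce, str(now).encode())
        enc_key, kdc_sig = kdc.as_exchange(self.cert, req_sig, nonce, now)
        if not verify(kdc.pub, kdc_sig, str(enc_key).encode(), nonce):  # the KDC authenticates itself too
            raise PermissionError("AS reply not signed by the KDC")
        return decrypt_with(self.priv, enc_key)

def run_demo():
    ca, now = CA(), 1_700_000_000  # constructed scenario with a fixed clock
    kdc = KDC(ca.pub)
    alice = Client("alice", ca)
    results = {"session_key_len": len(alice.login(kdc, now))}
    mallory = Client("mallory", CA())  # certificate from an untrusted CA
    stolen = Client("mallory", ca); stolen.cert = alice.cert  # alice's certificate without her private key
    for label, victim in [("untrusted_ca_rejected", mallory), ("stolen_cert_rejected", stolen)]:
        try: victim.login(kdc, now); results[label] = False
        except PermissionError: results[label] = True
    return results
```

What changes compared with the symmetric flow is visible in the KDC class: it has no principal database of keys at all, so compromising it yields no client secrets, and a user whose certificate was issued by a CA the KDC does not trust, or who holds someone else's certificate without the private key, is refused before any key material is released.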
Why trust Kerberos?
• Researched, developed and deployed since the mid 1980s.
• Widely relied on in production to deliver authentication services.
• Adopted by Cisco, Microsoft, Apple and many other vendors.
Conclusion
Because authentication is critical for the security of computer systems, and traditional authentication methods (passwords sent in the clear) are not suitable for use in computer networks,
the Kerberos authentication system is well suited for authentication of users in