Kerberos is a network authentication protocol that was developed at MIT in the 1980s to allow nodes communicating over an insecure network to verify each other's identity. It uses tickets and session keys to allow clients and servers to communicate over a non-secure network and establish the identity of the users and servers. The Kerberos authentication process involves three main exchanges between the client, authentication server (KDC), and target server to authenticate users and allow access to services.

1. Kerberos
Authentication
Protocol
ASHOK BASNET (066BCT505)
BIBEK SUBEDI (066BCT506)
DINESH SUBEDI (066BCT512)

2. What is Kerberos
 Network authentication protocol
 Developed at MIT in the mid 1980s
 Available as open source or in supported
commercial software

3. Kerberos vs Firewall
 Firewalls make a risky assumption: that attackers
are coming from the outside. In reality, attacks
frequently come from within.
 Kerberos assumes that network connections
(rather than servers and work stations) are the
weak link in network security.

4. Why Kerberos
 Sending usernames and passwords in the clear
jeopardizes the security of the network.
 Each time a password is sent in the clear, there is
a chance for interception.

5. Architecture
 It consists of following 3 components
1. Client
2. Authentication Server or Key Distribution Server (KDC)
3. Server
And has 3 main exchanges
1. Authentication Service (AS) Exchange
2. Ticket Granting Service (TGS) Exchange
3. Client Server (CS) Exchange

6. AS Exchange
 Exchange between client and Authentication Server
(KDC)
 Client sends KRB_AS_REQ msg to KDC specifying
credentials it wants
 Server replies with msg KRB_AS_REP containing the ticket
and session key
 The Session key is encrypted with client’s secret key
 The TGT is encrypted with server’s secret key
 The encryption type is DES by default

7. TGS Exchange
 Is used to obtain additional tickets for the servers.
 Doesn’t need client’s secret key for encryption
 Transparent to the user
 TGS must have access to all secret keys
 But encrypts the ticket using server’s secret key
 Client sends KRB_TGS_REQ to the TGS server
 Server replies KRB_TGS_REP to the client with ticket

8. CS Exchange
 Client contacts with the real server
 Client sends KRB_AP_REQ to the server specifying the
service
 Server validates client by decrypting ticket with server’s
secret key and decrypting authenticator with sessions
key contained in ticket
 Server optionally replies with KRB_AP_REP

10. Implementation
 Athena Project at MIT
 Microsoft WIndows

11. Limitations
 Only provides authentication
 Central Authentication server
 Cannot migrate existing password hashes into the
Kerberos database
 Authentication is only as good as the user's password
 Assumes relatively secure hosts on an insecure network
 Strict time requirements
 Complicates virtual hosting