Kerberos is a network authentication protocol. It uses the concept of a ticket as a token that proves the identity of a user, much as a confirmed railway ticket is needed before a journey can be made safely. Microsoft introduced Kerberos in Windows 2000 Server as the default authentication protocol.
Tickets are digital documents that carry session keys. Instead of a password, tickets are issued during the login session and can then be presented to any Kerberos-enabled service.
The client authentication phase requires two tickets:
- A Ticket Granting Ticket (TGT), which acts as an identifier for the user and carries the session key.
- A Service Ticket, which authenticates the user to a particular service so that access can be granted.
The ticket works like a railway ticket: it has a validity period and an expiration date, after which it becomes invalid. In Kerberos, each ticket includes several fields, among them timestamps that indicate its start time and expiration time. Once the expiration time has passed, the ticket is invalid.
(1) Kerberos Servers –
To accomplish secure authentication, Kerberos uses a trusted third party called the Key Distribution Center (KDC). The KDC consists of two components that take part in authentication:
- The Authentication Server (AS), which performs user authentication.
- The Ticket-Granting Server (TGS), which grants tickets to users.
The Authentication Server holds a database containing the secret keys of the users and of the services. A user's secret key is generated by applying a one-way hash to the password the user provides.
The main aim of Kerberos is to provide centralized authentication for the entire network rather than storing sensitive information on each user's machine. The sensitive information is maintained only at one particular secure location.
(2) Kerberos Authentication –
This is the authentication phase. During this phase, authentication takes place between the client, the authentication server, the ticket-granting server and the service provider.
First the client and the ticket-granting server authenticate themselves to each other. Finally the client and the requested service provider authenticate themselves to each other for the particular information or service the client wants.
(3) Authentication Details –
During the authentication phase the user provides a username and password on the client machine; the password is cryptographically hashed to create the client's secret key.
Once the authentication server has verified the client, the AS replies with the following details:
- The client/TGS session key, encrypted using the client's secret key.
- The Ticket Granting Ticket (TGT), encrypted using the secret key of the ticket-granting server. The TGT includes the client/TGS session key and its validity period.
When the client presents the client-to-server ticket issued by the TGS, the service provider decrypts it using its own secret key and obtains the client/server session key. With that session key, the service provider decrypts the client ID and timestamp information the client sent.
The client in turn decrypts and verifies the service provider's response using the client/server session key. Once this verification succeeds, client-server communication can start.
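The three exchanges described in the authentication phase (AS, TGS and service) and the ticket expiry check can be followed end to end in the small model below. It is an added example written for this page, not code from the article or from any Kerberos implementation: the "encryption" is a constructed HMAC-SHA256 keystream plus tag standing in for a real Kerberos encryption type, the principal names, passwords, lifetimes and timestamps are all constructed, and `krbtgt` is used, as in real realms, as the name of the TGS's own key. Time is passed in explicitly so that an expired ticket can be demonstrated deterministically.

```python
"""Toy model of the Kerberos ticket exchange: AS -> TGS -> service (added example)."""
import hashlib
import hmac
import json
import secrets

TICKET_LIFETIME = 10 * 3600   # constructed: tickets valid for 10 hours
CLOCK_SKEW = 300              # constructed: authenticator timestamps must be within 5 minutes


def derive_key(password: str) -> bytes:
    """Long-term secret key: a one-way hash of the principal's password (as the text describes)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Constructed stand-in for a Kerberos etype: HMAC keystream XOR plus an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError on a wrong key or a tampered blob, which is how a bad password shows up."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(auth: dict, ticket: dict, now: int) -> None:
    # Name in the authenticator must match the ticket, and the timestamp must be fresh.
    if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > CLOCK_SKEW:
        raise PermissionError("bad authenticator")


class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) holding the key database."""

    def __init__(self, principals: dict):
        self.keys = {name: derive_key(pw) for name, pw in principals.items()}

    def as_exchange(self, client: str, now: int):
        """AS reply: client/TGS session key under the client key, TGT under the TGS key."""
        sk = secrets.token_hex(32)
        tgt = {"client": client, "session_key": sk, "start": now, "expiry": now + TICKET_LIFETIME}
        part_for_client = {"tgs_session_key": sk, "expiry": tgt["expiry"]}
        return encrypt(self.keys[client], part_for_client), encrypt(self.keys["krbtgt"], tgt)

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int):
        """TGS reply: validate TGT and authenticator, issue a client-to-server ticket."""
        tgt = decrypt(self.keys["krbtgt"], tgt_blob)          # only the TGS can open the TGT
        if not tgt["start"] <= now < tgt["expiry"]:
            raise PermissionError("TGT expired")
        tgs_sk = bytes.fromhex(tgt["session_key"])
        _check_authenticator(decrypt(tgs_sk, authenticator), tgt, now)
        sk = secrets.token_hex(32)
        ticket = {"client": tgt["client"], "service": service, "session_key": sk,
                  "start": now, "expiry": now + TICKET_LIFETIME}
        return encrypt(tgs_sk, {"service_session_key": sk}), encrypt(self.keys[service], ticket)


class Service:
    """A Kerberos-enabled service that shares its long-term key with the KDC."""

    def __init__(self, name: str, password: str):
        self.name, self.key = name, derive_key(password)

    def ap_exchange(self, ticket_blob: bytes, authenticator: bytes, now: int) -> bytes:
        """Decrypt the ticket with the service key, check the authenticator, reply for mutual auth."""
        ticket = decrypt(self.key, ticket_blob)
        if ticket["service"] != self.name or not ticket["start"] <= now < ticket["expiry"]:
            raise PermissionError("ticket not for this service or expired")
        ssk = bytes.fromhex(ticket["session_key"])
        auth = decrypt(ssk, authenticator)
        _check_authenticator(auth, ticket, now)
        return encrypt(ssk, {"timestamp": auth["timestamp"]})   # proves the service knows ssk


def client_obtain_ticket(kdc: KDC, user: str, password: str, service_name: str, now: int):
    """Client side of the AS and TGS exchanges; returns (service session key, service ticket)."""
    enc_part, tgt = kdc.as_exchange(user, now)
    tgs_sk = bytes.fromhex(decrypt(derive_key(password), enc_part)["tgs_session_key"])
    enc_part, ticket = kdc.tgs_exchange(tgt, encrypt(tgs_sk, {"client": user, "timestamp": now}),
                                        service_name, now)
    return bytes.fromhex(decrypt(tgs_sk, enc_part)["service_session_key"]), ticket


def client_use_ticket(service: Service, user: str, ssk: bytes, ticket: bytes, now: int) -> bool:
    """Client side of the service exchange; True only if the service proves itself back."""
    ap_rep = service.ap_exchange(ticket, encrypt(ssk, {"client": user, "timestamp": now}), now)
    return decrypt(ssk, ap_rep)["timestamp"] == now


def kerberos_login(kdc: KDC, service: Service, user: str, password: str, now: int) -> bool:
    ssk, ticket = client_obtain_ticket(kdc, user, password, service.name, now)
    return client_use_ticket(service, user, ssk, ticket, now)
```

Two points the model makes visible: the client never learns the TGS or service long-term keys (it only ever decrypts the parts encrypted under its own key or a session key), and every party that accepts a ticket checks both the validity window and the freshness of the authenticator, which is why a correct clock on all machines matters in practice.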
The Kerberos protocol was specifically designed to authenticate clients over an insecure network. Two versions of Kerberos exist, Kerberos 4 and Kerberos 5.