Kerberos Verification Process

Kerberos › About Kerberos › Kerberos Verification Process

Kerberos Verification Process

The Kerberos protocol involves two servers, the Kerberos Authentication Server and one or more Ticket‑Granting Servers (TGSs).

The process is:

The user requests a ticket from the Kerberos Authentication Server to the Kerberos TGS. This request takes the form of a message containing the user’s name and the name of their TGS.
The Authentication Server looks up the user in its database and generates an encrypted session key to be used between the user and the TGS.
The Authentication Server creates a ticket‑granting ticket (TGT) for the user to present to the TGS and encrypts the TGT using the TGS’s secret key.
The Authentication Server sends both encrypted messages to the user.
The user decrypts the first message and recovers the session key.
The user creates an authenticator consisting of his or her name and address and a time stamp encrypted with the session key.
The user sends a request to the TGS for a ticket to a particular target server. This request contains the name of the server, the TGT received from Kerberos, and the encrypted authenticator.
The TGS decrypts the TGT and then uses the session key included in the TGT to decrypt the authenticator.
The TGS compares information. If everything matches, it allows the request to proceed.
The TGS creates a new session key for the user and target server and incorporates this key into a valid ticket for the user to present to the server. The TGS also encrypts the new user‑target session key using the session key shared by the user and the TGS.
The TGS sends both messages to the user.
The user decrypts the message and extracts the session key.
The user creates a new authenticator encrypted with the user‑target session key that the TGS generated.
To request access to the target server, the user sends the ticket received from Kerberos and the encrypted authenticator
Because this authenticator contains plain text encrypted with the session key, it proves that the sender knows the key. Encrypting the time of day prevents an eavesdropper who records both the ticket and the authenticator from replaying them later.
The target server decrypts and checks the ticket and the authenticator, also checking the user’s address and the time stamp.
For applications that require mutual authentication, the server sends the user a message consisting of the time stamp plus 1, encrypted with the session key to prove to the user that the server knew its secret key and was able to decrypt the ticket and the authenticator.