Wednesday, March 6, 2013

An Overview of Kerberos...

Kerberos is a network authentication protocol that lets a user authenticate once and then use many services spread over an internal network. It removes the burden of logging in again each time you need to access a service, which can be a file server, a WS-Trust based STS, and so on.

Three parties are involved in a Kerberos communication: the client principal, which is usually the actual network user; the KDC (Key Distribution Center); and the service principal, which is the actual service the user wants to access. We'll take a file server as the example of a service principal.

The KDC is connected to a user store and holds credential information (long-term keys derived from passwords) for both the client and the service.

Following are the steps taken in a typical Kerberos communication:

(1)  At the initial login to the terminal by the user, the client sends a request to the KDC asking for a Ticket-Granting Ticket (TGT). This primary ticket is needed to request other tickets for the services.

The request itself is mostly plain text, including a visible identifier, which is usually the username. What proves the user's identity is the pre-authentication data attached to the request: the current timestamp, encrypted with a key derived from the client's password. The password itself never goes over the network.

(2)  The KDC then searches its user store by this identifier and retrieves the password-derived key stored for that user.

It then tries to decrypt the pre-authentication data with that key. If decryption succeeds and the timestamp is recent (within the allowed clock skew, five minutes by default), the KDC is sure the message was sent by a known user. Otherwise, it ends the communication.

(3)  The KDC then generates a TGT and encrypts it using a key only it knows (the key of its krbtgt account), because the TGT is intended only for the KDC itself. It sends the TGT to the client along with a session key, encrypted with the client's password-derived key; a copy of that session key is inside the TGT as well.

(4)  The client stores this TGT in a memory area termed the Kerberos tray (the credential cache). The client cannot read the TGT; it only holds it.

(5)  Now the client wants to access the File Server. To do so, it needs a ticket specifically aimed at the File Server.

This is where the TGT comes into play: the client sends a copy of it back to the KDC, together with an authenticator (the client's name and a fresh timestamp, encrypted with the session key) proving that it is the legitimate holder of the TGT and not someone who merely copied it.

Note that if the client did not have the TGT, the KDC would have to repeat all the user validation every time the client needed a service ticket. Because the TGT already contains all the required information, that validation is not needed again for a pre-defined time (10 hours by default in an Active Directory domain), after which the TGT must be renewed or the user has to log in again.

(6)  The KDC prepares a ticket for the File Server, encrypted with the File Server's long-term key (derived from its password). A new session key for the client and the File Server to share is placed inside the ticket and also sent to the client, encrypted with the TGT session key.

Remember, the File Server's credentials are also in the KDC. This ticket can be read only by the KDC and the File Server; the client can neither read nor modify it.

The KDC then sends this ticket back to the client.

(7)  The client stores the ticket in its Kerberos tray and sends a copy of it to the File Server, together with a fresh authenticator encrypted with the new session key. The File Server decrypts the ticket using its own key, then checks that the authenticator decrypts with the session key found inside the ticket and that its timestamp is current. If all of that succeeds, the client is granted access to its resources. A ticket captured on the wire is useless on its own, since the attacker cannot produce the authenticator without the session key.
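The seven steps above, as an added example that is not part of the original post: a runnable Python model of the AS, TGS and AP exchanges with both sides' messages. Everything in it is an assumption made for illustration: the realm EXAMPLE.COM, the principals alice and cifs/fileserver, their passwords, the lifetimes, and the SHA-256/HMAC cipher, which stands in for a real Kerberos encryption type and must not be reused as one. What it shows beyond the prose is the part the steps leave implicit: every ticket carries a session key, and whoever presents the ticket must prove possession of that key with an authenticator, so a ticket copied off the wire is rejected.

```python
"""Toy model of the three Kerberos exchanges in the post: AS (steps 1-4), TGS (steps 5-6)
and AP (step 7). The cipher is a SHA-256/HMAC stand-in, not a real Kerberos encryption
type, and every principal, password and realm here is made up."""
import hashlib, hmac, json, os

REALM, CLOCK_SKEW = "EXAMPLE.COM", 300           # hypothetical realm (used as key salt); skew in seconds
TGT_LIFETIME, TICKET_LIFETIME = 10 * 3600, 3600  # seconds a TGT / service ticket stays valid

def derive_key(password: str, principal: str) -> bytes:
    # Long-term key the KDC keeps in its user store. Real Kerberos uses a string-to-key
    # function (PBKDF2 for the AES types); a salted hash stands in here.
    return hashlib.sha256(f"{REALM}{principal}{password}".encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(0, n, 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, msg: dict) -> bytes:
    # Encrypt-then-MAC, so decrypting with the wrong key is detected instead of yielding garbage.
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, authenticator: bytes, now: int) -> None:
    # Proves the sender holds the ticket's session key (a copied ticket alone cannot) and the ticket is live.
    auth = decrypt(bytes.fromhex(ticket["session_key"]), authenticator)
    if auth["cname"] != ticket["cname"] or abs(now - auth["timestamp"]) > CLOCK_SKEW or now > ticket["endtime"]:
        raise PermissionError("authenticator mismatch, stale authenticator, or expired ticket")

class KDC:
    def __init__(self):
        self.db = {}                       # user store: principal -> long-term key
        self.krbtgt_key = os.urandom(32)   # known only to the KDC; every TGT is sealed with it

    def as_exchange(self, cname: str, pa_enc_timestamp: bytes, now: int):
        # Steps 2-3: verify pre-authentication, then issue a TGT plus a session key for the client.
        key = self.db.get(cname)
        if key is None:
            raise PermissionError("unknown principal")
        if abs(now - decrypt(key, pa_enc_timestamp)["timestamp"]) > CLOCK_SKEW:  # wrong password raises inside
            raise PermissionError("stale pre-authentication (replay or clock skew)")
        sk = os.urandom(32).hex()
        tgt = encrypt(self.krbtgt_key, {"cname": cname, "session_key": sk, "endtime": now + TGT_LIFETIME})
        return tgt, encrypt(key, {"session_key": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: int):
        # Steps 5-6: the TGT replaces password checking; issue a ticket readable only by sname.
        t = decrypt(self.krbtgt_key, tgt)
        check_authenticator(t, authenticator, now)
        svc_sk = os.urandom(32).hex()
        ticket = encrypt(self.db[sname], {"cname": t["cname"], "session_key": svc_sk, "endtime": now + TICKET_LIFETIME})
        return ticket, encrypt(bytes.fromhex(t["session_key"]), {"session_key": svc_sk})

class Client:
    def __init__(self, kdc: KDC, name: str, password: str):
        self.kdc, self.name, self.key = kdc, name, derive_key(password, name)
        self.cache = {}   # the post's "Kerberos tray": (ticket, session key) per service

    def login(self, now: int) -> None:
        # Step 1: the password never leaves the host; only a timestamp encrypted under its key does.
        tgt, enc = self.kdc.as_exchange(self.name, encrypt(self.key, {"timestamp": now}), now)
        self.cache["krbtgt"] = (tgt, bytes.fromhex(decrypt(self.key, enc)["session_key"]))

    def ticket_for(self, sname: str, now: int):
        # Step 7 material: the cached service ticket plus a fresh authenticator.
        if sname not in self.cache:
            tgt, sk = self.cache["krbtgt"]
            ticket, enc = self.kdc.tgs_exchange(tgt, encrypt(sk, {"cname": self.name, "timestamp": now}), sname, now)
            self.cache[sname] = (ticket, bytes.fromhex(decrypt(sk, enc)["session_key"]))
        ticket, sk = self.cache[sname]
        return ticket, encrypt(sk, {"cname": self.name, "timestamp": now})

def service_accept(svc_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    # Step 7 on the File Server: the ticket opens only with the service's own key.
    t = decrypt(svc_key, ticket)
    check_authenticator(t, authenticator, now)
    return t["cname"]

def run_demo(password: str = "correct horse", now: int = 1_700_000_000):
    """Whole flow. Returns (authenticated user, whether a replayed bare ticket was rejected);
    raises PermissionError when the login password is wrong."""
    kdc, svc_key = KDC(), derive_key("svc-secret", "cifs/fileserver")
    kdc.db["alice"] = derive_key("correct horse", "alice")
    kdc.db["cifs/fileserver"] = svc_key            # the File Server's credentials also live in the KDC
    alice = Client(kdc, "alice", password)
    alice.login(now)
    ticket, auth = alice.ticket_for("cifs/fileserver", now + 60)
    user = service_accept(svc_key, ticket, auth, now + 61)
    forged = encrypt(os.urandom(32), {"cname": "alice", "timestamp": now + 62})  # attacker has the ticket, not the key
    try:
        service_accept(svc_key, ticket, forged, now + 62)
        return user, False
    except PermissionError:
        return user, True
```

Calling `run_demo()` returns `('alice', True)`; `run_demo("wrong password")` raises `PermissionError` at the AS exchange because the pre-authentication timestamp does not decrypt under the key in the KDC's store, which is the check described in step 2.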

Following is an excellent video that explains Kerberos in simple terms :)


Anonymous said...

Simple and informative

dulanja said...

Thanks :)