Posted filed under CISSP.

Kerberos is a network authentication protocol created by the Massachusetts Institute of Technology (MIT) that uses secret-key cryptography. Kerberos has three parts: a client, server, and trusted third party (KDC) to mediate between them.

Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client’s credentials.


The KDC is a service that runs on a physically secure server. The KDC consists of two components:


  • Authentication service :  The authentication service issues ticket-granting tickets (TGTs) that are good for admission to the ticket-granting service (TGS). Before network clients can get tickets for services, they must obtain a TGT from the authentication service.
  • Ticket-granting service :  Clients receive tickets to specific target services.


The basic operation of Kerberos is as follows  :


  • The client asks the KDC for a ticket, making use of the authentication service (AS).
  • The client receives the encrypted ticket and the session key.
  • The client sends the encrypted TGT to the TGS and requests a ticket for access to the application server. This ticket has two copies of the session key: One copy is encrypted with the client key, and the other copy is encrypted with the application server key.
  • The TGS decrypts the TGT using its own private key and returns the ticket to the client that will allow it to access the application server.
  • The client sends this ticket, along with an authenticator, to the application server.
  • The application server sends confirmation of its identity to the client.

Some Kerberos literature uses the term principal instead of client. Principals can be a user, a process, or an application. Kerberos systems authenticate one principal to another.




Although Kerberos can provide authentication, integrity, and confidentiality, it’s not without its weaknesses. One weakness is that Kerberos cannot guarantee availability. Some others are listed here:


  • Kerberos is time sensitive; therefore, it requires all system clocks to be highly synchronized.
  • The tickets used by Kerberos, which are authentication tokens, can be sniffed and potentially cracked.
  • If an attacker targets the Kerberos server, it can prevent anyone in the realm from logging in. It is important to note that the Kerberos server can be a single point of failure.



[bs_icon name=”glyphicon glyphicon-chevron-right”]  Components


  •  Principal that is a server or client that Kerberos can assign tickets to.
  •  Key Distribution Center (KDC) that runs AS and TGS to provide initial ticket   and ticket-granting ticket requests.
  • Ticket Granting Server (TGS) that provides authorized service or user with   temporary session keys and tickets
  • Resource Server that is typically a network resource such as a Database   server.
  • Authentication Service (AS) that provides ticket-granting tickets to an   authorized service or user.
  • Realm that is a boundary (a domain) with an organization. Each realm contains   an AS and a TGS.
  • Remote Ticket-Granting Server (RTGS) that is a TGS in a remote realm.

[bs_icon name=”glyphicon glyphicon-chevron-right”]  Operation

  •  AS_REQ is the initial user (client) authentication request to the Authentication   Server (AS).
  •  AS_REP is the Authentication Server’s reply to the user request with a Ticket   Granting Ticket (TGT).
  • TGS_REQ is the request from the client to the Ticket Granting Server (TGS)   for a service ticket. This packet (encrypted) includes the TGT already obtained   by client from the AS.
  • TGS_REP is reply of the TGS to the previous request. This packet contains the   requested service ticket (encrypted) and a session key.
  • AP_REQ is the request that the client sends to an Application Server for   access to a service. Packet is encrypted using the service key generated by   the TGS
  • AP_REP is the reply from the Application Server to the client that it has,   indeed, the expected credentials for access.

**Source by wikipedia**

 To Become Certified For CISSP Please Visit This Link ;



Comments are closed.