Jump to content
Main menu
Main menu
move to sidebar
hide
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Niidae Wiki
Search
Search
Appearance
Create account
Log in
Personal tools
Create account
Log in
Pages for logged out editors
learn more
Contributions
Talk
Editing
Kerberos (protocol)
(section)
Page
Discussion
English
Read
Edit
View history
Tools
Tools
move to sidebar
hide
Actions
Read
Edit
View history
General
What links here
Related changes
Page information
Appearance
move to sidebar
hide
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Description=== The client authenticates itself to the '''Authentication Server (AS)''' which is part of the '''[[key distribution center]]''' '''(KDC)'''. The KDC issues a '''ticket-granting ticket (TGT)''', which is time stamped and encrypts it using the '''ticket-granting service's (TGS)''' secret key and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point although it may be transparently renewed by the user's session manager while they are logged in. When the client needs to communicate with a service on another node (a "principal", in Kerberos parlance), the client sends the TGT to the TGS, which is another component of the KDC and usually shares the same host as the authentication server. The service must have already been registered with the TGS with a '''Service Principal Name (SPN)'''. The client uses the SPN to request access to this service. After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues a '''service ticket (ST)''' and session keys to the client. The client then sends the ticket to the '''service server (SS)''' along with its service request. [[File:Kerberos protocol.svg|thumb|upright=1.5|Kerberos negotiations]] The protocol is described in detail below.<!-- The image file Kerberos.svg needs to be improved; the TGS server is missing from the graphic. --> ====User Client-based Login without Kerberos==== # A user enters a username and password on the [[client (computing)|client machine(s)]]. Other credential mechanisms like pkinit (RFC 4556) allow for the use of public keys in place of a password. The client transforms the password into the key of a symmetric cipher. This either uses the built-in [[key scheduling]], or a [[one-way hash]], depending on the [[Cipher suite|cipher-suite]] used. #The server receives the username and symmetric cipher and compares it with the data from the database. Login was a success if the cipher matches the cipher that is stored for the user. ====Client Authentication==== # The client sends a [[plaintext]] message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.) # The AS checks to see whether the client is in its database. If it is, the AS generates the secret key by hashing the password of the user found at the database (e.g., [[Active Directory]] in Windows Server) and sends back the following two messages to the client: #* Message A: ''Client/TGS Session Key'' encrypted using the secret key of the client/user. #* Message B: ''Ticket-Granting-Ticket'' (TGT, which includes the client ID, client [[network address]], ticket validity period, and the ''Client/TGS Session Key'') encrypted using the secret key of the TGS. # Once the client receives messages A and B, it attempts to decrypt message A with the secret key generated from the password entered by the user. If the user entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A. With a valid password and secret key the client decrypts message A to obtain the ''Client/TGS Session Key''. This session key is used for further communications with the TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS. ====Client Service Authorization==== # When requesting services, the client sends the following messages to the TGS: #* Message C: Composed of the message B (the encrypted TGT using the TGS secret key) and the ID of the requested service. #* Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the ''Client/TGS Session Key'' (found by the client in Message A). # Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. This gives it the ''Client/TGS Session Key'' and the client ID (both are in the TGT). Using this ''Client/TGS Session Key'', the TGS decrypts message D (Authenticator) and compares the client IDs from messages B and D; if they match, the server sends the following two messages to the client: #* Message E: ''Client-to-server ticket'' (which includes the client ID, client network address, validity period, and ''Client/Server Session Key'') encrypted using the service's secret key. #* Message F: ''Client/Server Session Key'' encrypted with the ''Client/TGS Session Key''. ====Client Service Request==== # Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the Service Server (SS). The client connects to the SS and sends the following two messages: #* Message E: From the previous step (the ''Client-to-server ticket'', encrypted using service's Secret key by the TGS). #* Message G: A new Authenticator, which includes the client ID, timestamp and is encrypted using ''Client/Server Session Key''. # The SS decrypts the ticket (message E) using its own secret key to retrieve the ''Client/Server Session Key''. Using the sessions key, SS decrypts the Authenticator and compares client ID from messages E and G, if they match server sends the following message to the client to confirm its true identity and willingness to serve the client: #* Message H: The timestamp found in client's Authenticator (plus 1 in version 4, but not necessary in version 5<ref>{{cite web |url=https://tools.ietf.org/html/rfc1510#section-3.2.4 |title=The Kerberos Network Authentication Service (V5) |last1=Neuman |first1=C. |last2=Kohl |first2=J. |year=1993 |doi=10.17487/RFC1510 |url-status=live |archive-url=https://web.archive.org/web/20160821221402/https://tools.ietf.org/html/rfc1510#section-3.2.4 |archive-date=2016-08-21 |doi-access=free }}</ref><ref>{{cite web |url=https://tools.ietf.org/html/rfc4120#section-3.2.4 |title=The Kerberos Network Authentication Service (V5) |last1=Neuman |first1=Clifford |last2=Hartman |first2=Sam |last3=Yu |first3=Tom |last4=Raeburn |first4=Kenneth |year=2005 |doi=10.17487/RFC4120 |url-status=live |archive-url=https://web.archive.org/web/20160821232023/https://tools.ietf.org/html/rfc4120#section-3.2.4 |archive-date=2016-08-21 }}</ref>), encrypted using the ''Client/Server Session Key''. # The client decrypts the confirmation (message H) using the ''Client/Server Session Key'' and checks whether the timestamp is correct. If so, then the client can trust the server and can start issuing service requests to the server. # The server provides the requested services to the client.
Summary:
Please note that all contributions to Niidae Wiki may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Encyclopedia:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Search
Search
Editing
Kerberos (protocol)
(section)
Add topic
