This is a free, online tutorial about Kerberos, and reference for Computer Networking students, about the Kerberos authentication protocol which uses secret-key cryptography..this is a free kerbos tutorial for students new to computer networking classes. See also: Computer Security Tutorials and Computer Networking Resources..
What is Kerberos?
Kerberos is a ticket-based network authentication protocol utilizing symmetric crytography, software that will add to the ability of operating systems (Windows, Mac, etc.) to authenticate users and servers, and manage session-level security and encryption. It is a single sign-on technology. Kerberos was created in the 1980's as part of MIT's "Project Athena". It is IP-based service. It uses secret-key crytography to provide strong authentication for client/server applications. Kerberos is available in several commercial products and is also available as free implementation from MIT.
[The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.]
Most users access many systems and networks during the day. A single sign-on technology allows a user to sign on once at the beginning of the day and remain authorized throughout the day on the entire network.
Authentication Service (AS) - Performs authentication and is a part of the Key Distribution Center (KDS).
Key Distribution Center (KDS) - Holds secret keys (the crytographic keys) for "principals"; provides authentication; creates and distributes session keys (crytographic keys). Session keys and secret keys are crytographic keys. The KDS utilizes symmetric cryptography. A KDC has a Ticket Granting Service (see TGS) and the Authentication Service.
Principal - Any object such as user, application, service, or resource which utilizes Kerberos authentication is referred to as principal. Collectively, the objects using Kerberos are principals. A Key Distribution Center (KDC) is responsible for one or more "realms" of principals. Any principal must "trust" the KDC. Principals do not directly trust each other. Only the KDC is supposed to have a copy of each principals "secret key".
Realm - The group or set of principals which are grouped together logically by a network administrator is called a realm. Again, a Key Distribution Center (KDC) is responsible for one or more realms.
TGS (Ticket Granting Service) - That part of the Key Distribution Center (KDS) which creates and distributes tickets to the objects (principals) containing session keys.
Ticket - Simply a digital authentication token sent from the Authentication Service (AS). The first ticket sent from the AS to a principal (user, application, service or resource) is called the Ticket Granting Ticket (TGT).
Secret keys and Session keys - Symmetric cryptography keys used for both authentication and/or data encryption.
Kerberos in a Nutshell