The Kerberos authentication process lets users prove their identity without transmitting their password to services; tickets and encryption keys carry the proof instead. This helps prevent password theft and man-in-the-middle attacks.
- Authentication Server (AS):
  - Responsible for the initial user authentication.
  - When a user attempts to log in, the AS verifies the user's identity and generates a Ticket Granting Ticket (TGT).
- Ticket Granting Server (TGS):
  - Issues service tickets, accepting the TGT together with the user's request for a specific service.
  - After verifying the TGT, the TGS generates and returns an encrypted service ticket.
- Service Server:
  - The actual server hosting the service the user is trying to access.
  - After receiving the service ticket, the service server decrypts it, verifies the user's identity, and responds to the user's request.
Kerberos Authentication Process:
- User Authentication:
  a. The user enters a username and password.
  b. The client derives a key from the password (the password itself, and that key, stay on the client and are never sent) and sends a request containing the username to the Kerberos Authentication Server (AS).
- Obtaining a Ticket Granting Ticket (TGT):
  a. The Kerberos AS verifies the user's credentials. If they are valid, an encrypted TGT is generated.
  b. The TGT is encrypted so that only the TGS can decrypt it, which guarantees its authenticity.
  c. The TGT is returned to the client.
- Obtaining a Service Ticket:
  a. When the user needs to access a specific service, the client builds a message containing the TGT and the service request.
  b. The client sends this message to the TGS.
  c. The TGS verifies the authenticity of the TGT and then creates an encrypted service ticket.
  d. The service ticket contains the user's identity, the service information, and a session key for secure communication.
  e. The TGS returns the service ticket to the client.
- Communicating with the Service:
  a. The client sends the service ticket to the service.
  b. The service decrypts the service ticket with its own key and verifies the user's identity.
  c. If everything checks out, the service responds to the request.
- Secure Communication:
  a. A secure session is established between the client and the service, using the session key for encryption and decryption.
  b. This ensures the confidentiality and integrity of the messages exchanged.
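The three exchanges above (AS, TGS, and service), as an added worked example that is not part of the original page and not real Kerberos code: a toy model in Python that uses only the standard library. The realm name, principal names, the `seal`/`unseal` encrypt-then-MAC construction, and the 300-second clock-skew window are assumptions for illustration; real Kerberos uses standardised encryption types and ASN.1 messages. What the model does show is the property the page describes: the password-derived key never leaves the client, the TGT is opened only by the KDC's krbtgt key, each service ticket is opened only by that service's key, and a fresh session key protects the final exchange.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (illustrative, stdlib only).
The cipher is a simplified encrypt-then-MAC construction, NOT a real Kerberos
encryption type; the message flow and which key opens which ticket are the point."""
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300  # seconds; assumed tolerance for authenticator timestamps


def string_to_key(password: str, salt: str) -> bytes:
    """Client-side key derivation: the password itself is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON-serialisable dict (nonce || ct || tag)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC first; a wrong key is detected before anything is decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("ticket or authenticator does not verify under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def fresh(ts: float) -> bool:
    return abs(time.time() - ts) <= CLOCK_SKEW


class KDC:
    """AS and TGS roles in one object (constructed example; in practice they live on the KDC host)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.krbtgt_key = os.urandom(32)  # only the KDC can open TGTs
        self.user_keys, self.service_keys = {}, {}

    def add_user(self, name: str, password: str) -> None:
        self.user_keys[name] = string_to_key(password, self.realm + name)

    def add_service(self, spn: str) -> bytes:
        self.service_keys[spn] = os.urandom(32)
        return self.service_keys[spn]

    def as_exchange(self, user: str, preauth: bytes):
        """AS-REQ/AS-REP: the pre-auth timestamp proves knowledge of the password-derived key."""
        if not fresh(unseal(self.user_keys[user], preauth)["ts"]):
            raise ValueError("stale pre-authentication")
        sk = os.urandom(32).hex()  # session key shared by client and TGS
        tgt = seal(self.krbtgt_key, {"user": user, "sk": sk, "exp": time.time() + 36000})
        return tgt, seal(self.user_keys[user], {"sk": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """TGS-REQ/TGS-REP: the TGT is the AS's proof that the user already authenticated."""
        t = unseal(self.krbtgt_key, tgt)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"] or not fresh(auth["ts"]) or time.time() > t["exp"]:
            raise ValueError("invalid TGT or authenticator")
        sk2 = os.urandom(32).hex()  # session key shared by client and service
        ticket = seal(self.service_keys[spn], {"user": t["user"], "sk": sk2, "spn": spn})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2, "spn": spn})


class Service:
    def __init__(self, spn: str, key: bytes):
        self.spn, self.key = spn, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """AP-REQ/AP-REP: only this service's key opens its tickets; reply is under the session key."""
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"] or not fresh(auth["ts"]) or t["spn"] != self.spn:
            raise ValueError("ticket and authenticator do not match")
        return seal(bytes.fromhex(t["sk"]), {"hello": t["user"]})


def client_session(kdc: KDC, service: Service, user: str, password: str) -> dict:
    """Full client flow; returns the service's decrypted reply."""
    ukey = string_to_key(password, kdc.realm + user)  # derived locally, never sent
    tgt, enc = kdc.as_exchange(user, seal(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(ukey, enc)["sk"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service.spn)
    sk2 = bytes.fromhex(unseal(sk, enc2)["sk"])
    reply = service.ap_exchange(ticket, seal(sk2, {"user": user, "ts": time.time()}))
    return unseal(sk2, reply)


def demo() -> dict:
    """Constructed realm, user and service names for a stand-alone run."""
    kdc = KDC("EXAMPLE.LOCAL")
    kdc.add_user("alice", "correct horse")
    web = Service("http/web01", kdc.add_service("http/web01"))
    return client_session(kdc, web, "alice", "correct horse")


if __name__ == "__main__":
    print(demo())  # {'hello': 'alice'}
```

Two checks worth running against the model: a wrong password makes the pre-authentication blob fail its MAC at the AS (the KDC rejects it without ever seeing the password), and a ticket issued for one service cannot be opened by another, because it is sealed under a key only the intended service holds.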