Kerberos is an authentication protocol built around a trusted central authentication service, the Key Distribution Center (KDC). Each user and service shares a secret key with the KDC. The KDC issues tickets asserting the identity of their bearers, which relying parties can verify. A ticket has a limited lifetime and, unlike a public-key certificate for example, can be used only for the particular end service specified in the ticket. Apart from supporting mutual authentication of the peers, the Kerberos protocol also provides means for message encryption or integrity protection.
Since a KDC holds a list of all users and services, every authentication among users and services involves contacting the KDC. This makes Kerberos hard to deploy in highly distributed environments, since users must first be registered with the KDC. To make Kerberos more scalable, the user space can be divided into administrative groups (realms), each served by an independent KDC. The Kerberos cross-realm authentication mechanism allows seamless interoperability among different realms. Kerberos is widely used in the local security infrastructures operated by many institutions.
Entities involved in the standard
Key Distribution Center (KDC): The authentication and key server for an administrative domain. It has trust relationships established with all clients and servers in the domain.
Client: A user or service that initiates an authentication exchange. It has to be in possession of a ticket.
Server: A service accepting tickets issued by a trusted KDC.
What does it imply for the user
The user has to obtain a ticket before connecting to a service. Usually a Ticket Granting Ticket (TGT) is obtained first, which allows the user to obtain subsequent service tickets. The TGT has to be obtained using the user’s password or other credentials that are registered with the KDC.
What does it imply for the service provider
The service must hold a secret shared with the KDC, which it uses to authenticate tickets presented by clients. Usually the keys are stored on the local file system and have to be securely distributed when a service is introduced to the domain.
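A simplified model of the ticket properties described above (bound to one service, limited in lifetime, and checked by the service with the key it shares with the KDC), added here as an illustration and not taken from RFC 4120 or any Kerberos implementation. It substitutes an HMAC tag for the ticket encryption real Kerberos uses and omits the session key; the principal names, keys, and function names are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed long-term keys the KDC shares with each service (sample values).
SERVICE_KEYS = {
    "http/web.example.org": b"constructed-key-for-web",
    "imap/mail.example.org": b"constructed-key-for-mail",
}

def kdc_issue_ticket(client, service, lifetime_s, now=None):
    """KDC side: assert the client's identity for one named service only."""
    now = time.time() if now is None else now
    body = json.dumps({"client": client, "service": service,
                       "start": now, "end": now + lifetime_s},
                      sort_keys=True).encode()
    # Stand-in for Kerberos ticket encryption: a tag under the service's key.
    tag = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def service_accept(ticket, my_name, my_key, now=None):
    """Service side: check the ticket with the key stored locally."""
    now = time.time() if now is None else now
    expected = hmac.new(my_key, ticket["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return (False, "bad key or tampered ticket")
    fields = json.loads(ticket["body"])
    # Still needed if two services were (wrongly) given the same key.
    if fields["service"] != my_name:
        return (False, "ticket names another service")
    if not fields["start"] <= now <= fields["end"]:
        return (False, "ticket outside its lifetime")
    return (True, fields["client"])

if __name__ == "__main__":
    t = kdc_issue_ticket("alice@EXAMPLE.ORG", "http/web.example.org", 600)
    for name, key in SERVICE_KEYS.items():
        print(name, service_accept(t, name, key))
```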
Relevant RFCs and documents
C. Neuman, T. Yu, S. Hartman, K. Raeburn: The Kerberos Network Authentication Service (V5). IETF RFC 4120. 2005.
Supported requirements
User and Service Provider friendliness
Access using username/password
Federation solutions based on open and standards-based technologies