Kerberos: The basic protocol
The Kerberos authentication protocol is the default authentication protocol of Windows Server 2003. This section examines how the protocol works by breaking down the complexity of the protocol into five steps.
The first two excerpts provide important introductory information to consider while reading through the five steps. Step 1 then explains how Kerberos uses symmetric key cryptography to authenticate entities. Step 2 describes the three different entities that the Kerberos protocol deals with and why a key distribution center (KDC) is necessary. Step 3 sheds light on the connection between the session key and the master key, and step 4 describes the two ways in which the KDC distributes the encrypted session keys to the user and the resource server. Finally, step 5 explores an important weakness in the protocol and how the Ticket Granting Ticket limits the use of the master keys.
The two excerpts at the end pull together the five steps and include a brief explanation of how Kerberos extensions relate to Windows 2000, XP and Windows Server 2003. Helpful diagrams are provided throughout the section to help readers visualize the various steps.
The following sections explain the basic Kerberos protocol as it is defined in RFC 1510. Those not familiar with Kerberos may be bewildered by the need for numerous diverse keys to be transmitted around the network. In order to break down the complexity of the protocol, we will approach it in five steps:
- Step 1: Kerberos authentication is based on symmetric key cryptography.
- Step 2: The Kerberos KDC provides scalability.
- Step 3: A Kerberos ticket provides secure transport of a session key.
- Step 4: The Kerberos KDC distributes the session key by sending it to the client.
- Step 5: The Kerberos Ticket Granting Ticket limits the use of the entities’ master keys.
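To make steps 1, 3 and 4 concrete before they are discussed in detail, here is an added example (not from the original text and not the Windows Server 2003 implementation) that models the basic exchange in Python: the KDC shares a master key with each principal, mints a session key, and hands the client one copy sealed under the client's master key plus a ticket sealed under the server's master key. The principal names, the keys and the HMAC-based toy cipher are constructed for the illustration; the Ticket Granting Ticket of step 5 is left out.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated encryption built from HMAC-SHA256 (constructed for this
# illustration; real Kerberos uses its own encryption types).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Step 1: each principal shares a long-term (master) key only with the KDC. Constructed keys.
MASTER_KEYS = {"alice": secrets.token_bytes(32), "fileserver": secrets.token_bytes(32)}

def kdc_issue(client: str, server: str) -> tuple[bytes, bytes]:
    """Steps 3-4: the KDC mints a session key and seals one copy for each party."""
    session_key = secrets.token_bytes(32).hex()
    # The ticket is readable only by the server; the client's copy only by the client.
    ticket = seal(MASTER_KEYS[server], json.dumps({"client": client, "session_key": session_key}).encode())
    client_copy = seal(MASTER_KEYS[client], json.dumps({"server": server, "session_key": session_key}).encode())
    return client_copy, ticket

def client_session_key(client: str, client_copy: bytes) -> str:
    return json.loads(unseal(MASTER_KEYS[client], client_copy))["session_key"]

def server_accept_ticket(server: str, ticket: bytes) -> dict:
    """The server never learns the client's master key; the ticket alone carries the session key."""
    return json.loads(unseal(MASTER_KEYS[server], ticket))

def run_exchange() -> bool:
    client_copy, ticket = kdc_issue("alice", "fileserver")
    contents = server_accept_ticket("fileserver", ticket)
    return client_session_key("alice", client_copy) == contents["session_key"] and contents["client"] == "alice"
```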