Kerberos derives its name from the three-headed dog that
guards the gates of Hades in Greek mythology. Kerberos,
the security protocol, is an authentication system developed at the
Massachusetts Institute of Technology (MIT). Its original version, and the
Kerberos 5 implementation in Cisco IOS, use the Data Encryption Standard (DES)
cryptographic algorithm for encryption and authentication; Kerberos 5 itself
also supports stronger encryption types such as AES, and DES is no longer
considered adequate. Kerberos is based on the assumption that internal users are
no more inherently trustworthy than external users and, therefore, applies
authentication and encrypted communications to services like Telnet for all users.
Kerberos is designed to enable two parties to exchange private
information across an otherwise open network like the Internet by issuing each
user that logs on to the network a credential, called a ticket, that carries the
user's identity and a session key. The ticket is then presented with messages to
identify the sender. Kerberos is based on the concept of a trusted third party,
the key distribution center (KDC), which consists of an authentication server
(AS) and a ticket-granting server (TGS) and performs secure verification of all
users and services on the network. This verification involves exchanging
encrypted authentication messages without ever transmitting the user's password.
A “lite” explanation of using Kerberos to gain network access
might help.
1. A remote user opens a PPP connection to an organization’s NAS router.
2. The router prompts the user for a user name and a password.
3. The router uses only the user name to request a ticket-granting ticket (TGT), a credential verifying the user’s identity, from the key distribution center (KDC).
4. Assuming the user name is known to the KDC, it sends back a reply containing the encrypted TGT, which includes (among other things) the user’s identity and a session key. The reply is encrypted with a key derived from the user’s password. The ticket has a limited lifetime of eight hours to reduce the exposure to an unauthorized capture and replay attempt.
5. The router uses the password from Step 2 to decrypt the reply that carries the TGT. If the decryption is successful, the password was correct: the remote user is authenticated to the router and granted access to the network.
Note that, as described, the KDC hands out the password-encrypted reply on the strength of the user name alone. Anyone who can submit a user name therefore obtains material for offline password guessing; a Kerberos 5 KDC that requires pre-authentication refuses to issue the reply until the client has proved knowledge of the password, which closes that exposure.
When a remote user successfully authenticates at a boundary
router, the user and the user’s machine become part of the network. The TGT
obtained in this exchange is stored on the router and is not used for further
authentication (unless the user logs on to that router itself), so the user’s
machine must obtain its own TGT from the KDC before it can access network services.
Securing a network service involves a double encryption. When a
user requests access to a network service, such as a printer or Telnet access to
a host, the KDC creates a service credential (a service ticket). This service
credential contains the client’s identity, the desired network service’s
identity, a fresh session key, and a time limit. The service credential is
encrypted using a key shared by the KDC and the service. The KDC then wraps that
encrypted credential, together with a copy of the new session key, in a reply
encrypted under the session key carried in the user’s TGT.
Only the holder of the TGT session key can open the outer layer. The client does
so and extracts the still-encrypted service credential, which it presents to the
target service along with an authenticator (its name and a timestamp, encrypted
under the new session key). The service decrypts the credential with the key it
shares with the KDC and verifies the authenticator against it; if both check out,
the service is available to that user.
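To make the two exchanges above concrete (the TGT request in Steps 3 to 5 and the double encryption of the service credential), here is an added example, not code from the original page or from Cisco IOS. It simulates a KDC, a NAS router logging a user in, and a service checking a presented ticket. The cipher is an HMAC-SHA256 keystream with a MAC, a stand-in for a real Kerberos encryption type, and the realm, principals, passwords, keys and lifetimes are all constructed for illustration. It also goes one step past the text: offline_guess shows why a KDC that issues the password-encrypted reply on the user name alone (no pre-authentication) exposes the password to offline guessing.

```python
# Added example, not code from the original page or from Cisco IOS: a toy
# simulation of the Kerberos AS and TGS exchanges. The cipher is an HMAC-SHA256
# keystream plus MAC, a stand-in for a real Kerberos encryption type (assumption).
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600  # eight-hour ticket life, as in the text

def derive_key(password, salt):
    # Stand-in for the Kerberos string-to-key function (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 2000)

def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key, fields):
    """Toy authenticated encryption of a dict: nonce || ciphertext || HMAC tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError under the wrong key, which is how a bad password shows up."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def authenticator(session_hex, client):
    """Fresh proof of key possession: client name and current time under the session key."""
    return encrypt(bytes.fromhex(session_hex), {"client": client, "time": int(time.time())})

class KDC:
    """Authentication server and ticket-granting server sharing one key table (constructed)."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}
        self.tgt_key = os.urandom(32)  # the krbtgt key; it never leaves the KDC

    def register(self, principal, password):
        self.keys[principal] = derive_key(password, self.realm + principal)
        return self.keys[principal]  # a service keeps its own copy (its keytab)

    def as_exchange(self, user):
        """AS-REQ names the user only; the AS-REP is sealed under the user's key."""
        session, now = os.urandom(32).hex(), int(time.time())
        tgt = encrypt(self.tgt_key, {"client": user, "session": session, "expires": now + LIFETIME})
        return encrypt(self.keys[user], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob, auth_blob, service):
        """TGS-REQ: the TGT plus an authenticator sealed under the TGT session key."""
        tgt, now = decrypt(self.tgt_key, tgt_blob), int(time.time())
        if now > tgt["expires"]:
            raise ValueError("TGT expired")
        auth = decrypt(bytes.fromhex(tgt["session"]), auth_blob)
        if auth["client"] != tgt["client"] or abs(auth["time"] - now) > 300:
            raise ValueError("authenticator does not match the TGT or is stale")
        svc_session = os.urandom(32).hex()
        # First encryption: the service ticket, under the key shared by KDC and service.
        ticket = encrypt(self.keys[service], {"client": tgt["client"], "service": service,
                                              "session": svc_session, "expires": now + LIFETIME})
        # Second encryption: the reply, under the TGT session key, so only this client opens it.
        return encrypt(bytes.fromhex(tgt["session"]), {"session": svc_session, "ticket": ticket.hex()})

def nas_login(kdc, user, password):
    """Steps 3 to 5: request a TGT by name, then prove the password by opening the reply."""
    return decrypt(derive_key(password, kdc.realm + user), kdc.as_exchange(user))

def get_service_ticket(kdc, user, creds, service):
    """Open the outer layer with the TGT session key; the inner ticket stays sealed."""
    session = bytes.fromhex(creds["session"])
    tgt, auth = bytes.fromhex(creds["tgt"]), authenticator(creds["session"], user)
    return decrypt(session, kdc.tgs_exchange(tgt, auth, service))

def service_accepts(service_key, ticket_blob, auth_blob):
    """The service opens the ticket with its own key, then checks the authenticator."""
    ticket = decrypt(service_key, ticket_blob)
    if time.time() > ticket["expires"]:
        return None
    auth = decrypt(bytes.fromhex(ticket["session"]), auth_blob)
    return ticket["client"] if auth["client"] == ticket["client"] else None

def offline_guess(kdc, user, candidates):
    """No pre-authentication: a user name alone yields a password-sealed AS-REP to guess against."""
    as_rep = kdc.as_exchange(user)
    for pw in candidates:
        try:
            decrypt(derive_key(pw, kdc.realm + user), as_rep)
            return pw
        except ValueError:
            continue
    return None
```

A run follows the text's order: create a KDC, register a user and a service (the service keeps the key that register returns, standing in for its keytab), call nas_login with the user's password to obtain the TGT and session key, call get_service_ticket to obtain the sealed service ticket, and hand that ticket plus a fresh authenticator to service_accepts, which returns the client name only when its own key opens the ticket and the authenticator names the same client. A wrong password surfaces as a ValueError from nas_login, and a ticket issued for one service is unreadable to any other.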
Since Cisco IOS 11.2, organizations already using Kerberos 5
security can use their existing authentication servers to authenticate their
routers and switches. The IOS software Kerberos authentication capabilities
support the following network services:
Applications of this kind are said to be Kerberized: applications and services that have been modified
to support the Kerberos credential infrastructure and encrypted
communications.