Manualshelf

Kerberos White Paper

ManualsBrandsHP ManualsSoftwareHP-UX Kerberos Data Security Software
12345678910
Figure 1: The Kerberos Authentication Protocol
Step 1. The user begins to use a Kerberized application by entering the user name and password.
Optionally, the user can request for specific ticket flags and specify the key type to be used for
constructing the secret key. The user can also accept the default, configured for the client.
The user sends the following information to the Authentication Service (AS) to obtain credentials:
Client, Server, T, N; where
Client indicates the user name, also referred to as the principal name
Server indicates the Application Server
T indicates the time stamp and
N indicates nonce
Step 2. If the AS can decrypt the message successfully, it issues a temporary session key, which is
encrypted with the user’s secret key (a key derived from the user password, which is stored in the
KDC), and a TGT encrypted with the TGS’s secret key. The TGT contains the name of the user and a
copy of the session key (a randomly generated temporary encryption key) to be used by the user and
the Server for any subsequent communication.
Step 3. The user decrypts the session key. The TGT and the session key are stashed in the user’s
credential cache. The credentials are used to obtain tickets for each network service the principal
wants to access.
This protocol exchange has two important features:
The authentication scheme does not require that the password be sent across the network,
either in encrypted form or in clear text.
The client (or any other user) cannot view or modify the contents of the TGT.