Kerberos (protocol) facts for kids

Quick facts

  • Developer(s): Massachusetts Institute of Technology
  • Stable release: Version 5, Release 1.21 (5 June 2023)
  • Written in: C
  • Operating system: Cross-platform
  • Type: Authentication protocol

Kerberos is a set of rules (a protocol) that helps keep computer networks safe. It's like a digital security guard. It lets different computers prove who they are to each other. This works even on a network that isn't totally secure.

Kerberos uses something called "tickets" to do this. It's mainly used for a "client-server" setup. This means both the user's computer (the client) and the computer providing a service (the server) check each other's identity. Kerberos also protects its messages from being spied on, or from being recorded and sent again (replayed) by attackers.

This system uses a type of secret code called symmetric-key cryptography. It also needs a "trusted third party" to work. Think of this party as a central security office. Kerberos usually uses UDP port 88 to communicate.

The name Kerberos comes from Greek mythology. Kerberos was a fierce, three-headed dog. He guarded the entrance to the underworld.

How Kerberos Started and Grew

The Massachusetts Institute of Technology (MIT) created Kerberos in 1988. They wanted to protect network services for a project called Project Athena. The first versions (1 to 3) were just experiments. They were not shared outside of MIT.

Kerberos version 4 was the first public version. It came out on January 24, 1989. This version used a type of encryption called Data Encryption Standard (DES). Because of rules at the time, the U.S. couldn't export it to other countries. So, MIT made a version called "Bones" without the encryption. Later, people outside the U.S. added encryption back in.

Version 5 was released in 1993. It fixed some old problems and made things more secure. In 2005, the Internet Engineering Task Force (IETF) updated the rules for Kerberos. These updates made the system even better and clearer.

MIT offers its Kerberos program for free. In 2007, MIT started the Kerberos Consortium. This group helps keep Kerberos developing. Big companies like Oracle, Apple Inc., Google, and Microsoft are part of it.

How Kerberos Works: The Steps

Kerberos uses a central "security boss" called the Key Distribution Center (KDC). The KDC has two main parts: the Authentication Server (AS) and the Ticket-Granting Service (TGS).

First, a user's computer (the client) talks to the AS. The AS gives the client a special "ticket" called a ticket-granting ticket (TGT). This TGT is like a hall pass. It's encrypted and has an expiration time. Users usually get this TGT when they first log in.

When the client wants to use a service on another computer (the "service server"), it sends its TGT to the TGS. The TGS checks if the TGT is valid. It also checks if the user can access the service. If everything is okay, the TGS gives the client a service ticket (ST). This ST is like a specific pass for that service. The client then sends this ST to the service server to get access.

[Figure: Kerberos protocol negotiations]

Let's look at the steps in more detail:

Getting Your First Ticket (Client Authentication)

  1. You type your username and password on your computer. Your computer turns your password into a secret key.
  2. Your computer sends your username to the AS. It does NOT send your password or secret key.
  3. The AS checks if your username is in its database. If it is, the AS also makes a secret key from your password. Then, it sends two encrypted messages back to your computer:
    • Message A: This has a "Client/TGS Session Key." It's encrypted with your secret key.
    • Message B: This is your "Ticket-Granting-Ticket" (TGT). It's encrypted with the TGS's secret key.
  4. Your computer gets messages A and B. It uses your secret key to try and open Message A. If your password was correct, you can open Message A. This gives you the "Client/TGS Session Key." You'll use this key to talk to the TGS. You can't open Message B yet because it's for the TGS.

Getting a Service Ticket (Client Service Authorization)

  1. When you want to use a service, your computer sends two messages to the TGS:
    • Message C: This is Message B (your TGT) plus the name of the service you want.
    • Message D: This is an "Authenticator." It has your ID and the current time. It's encrypted with the "Client/TGS Session Key" you got earlier.
  2. The TGS gets messages C and D. It opens your TGT (Message B) using its own secret key. This gives the TGS the "Client/TGS Session Key" and your ID. Then, the TGS uses that "Client/TGS Session Key" to open Message D. The TGS checks if the IDs match. If they do, the TGS sends two new messages back to your computer:
    • Message E: This is a "Client-to-server ticket." It's encrypted with the service's secret key.
    • Message F: This is a "Client/Server Session Key." It's encrypted with the "Client/TGS Session Key."

Using the Service (Client Service Request)

  1. Now your computer has messages E and F. It can talk to the Service Server (SS). Your computer sends two messages to the SS:
    • Message E: The "Client-to-server ticket" from the TGS.
    • Message G: A new "Authenticator" with your ID and current time. It's encrypted with the "Client/Server Session Key" you just got.
  2. The SS gets messages E and G. It opens Message E using its own secret key. This gives the SS the "Client/Server Session Key." Then, the SS uses that key to open Message G. The SS checks if the IDs match. If they do, the SS sends a message back to your computer to confirm it's ready to help you:
    • Message H: This is the timestamp from your Authenticator (Message G), encrypted with the "Client/Server Session Key."
  3. Your computer opens Message H. It checks the timestamp. If it's correct, your computer knows it can trust the server. Then, you can start using the service!
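The three exchanges above, as an added simulation that is not part of this article and not MIT's Kerberos code: it replaces Kerberos' real encryption and message formats with a toy cipher built from Python's hashlib/hmac, and the user "alice", the service "host/files", the password and all keys are constructed for the example. It also includes the clock-skew check described under "Challenges" below.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (hashlib/hmac only), constructed so the flow runs offline.
def encrypt(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):  # raises on a wrong key, like a failed Kerberos decryption
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

# Constructed KDC database: the user's key is derived from the password; the TGS
# ("krbtgt") and the service ("host/files") hold their own long-term keys.
pw_key = lambda pw: hashlib.sha256(pw.encode()).digest()
KDC_DB = {"alice": pw_key("correct horse"), "krbtgt": os.urandom(32), "host/files": os.urandom(32)}
SKEW = 300  # seconds of clock drift tolerated ("a few minutes")

def check_auth(ticket, auth):  # open an Authenticator; ID and timestamp must match
    a = decrypt(bytes.fromhex(ticket["sk"]), auth)
    if a["user"] != ticket["user"] or abs(a["ts"] - time.time()) > SKEW:
        raise ValueError("bad authenticator")
    return a

def as_exchange(user):  # in: username only; out: Message A, Message B (the TGT)
    sk = os.urandom(32).hex()
    return (encrypt(KDC_DB[user], {"sk": sk}),
            encrypt(KDC_DB["krbtgt"], {"user": user, "sk": sk, "exp": time.time() + 36000}))

def tgs_exchange(tgt, auth, service):  # in: Messages C, D; out: Messages E, F
    t = decrypt(KDC_DB["krbtgt"], tgt)
    if t["exp"] < time.time(): raise ValueError("TGT expired")
    check_auth(t, auth)
    ssk = os.urandom(32).hex()
    return (encrypt(KDC_DB[service], {"user": t["user"], "sk": ssk}),
            encrypt(bytes.fromhex(t["sk"]), {"sk": ssk}))

def service_exchange(service_key, ticket, auth):  # in: Messages E, G; out: Message H
    t = decrypt(service_key, ticket)
    return encrypt(bytes.fromhex(t["sk"]), {"ts": check_auth(t, auth)["ts"]})

def client_login(user, password, service):  # whole client side; True on mutual auth
    a, b = as_exchange(user)
    sk = bytes.fromhex(decrypt(pw_key(password), a)["sk"])  # wrong password fails here
    e, f = tgs_exchange(b, encrypt(sk, {"user": user, "ts": time.time()}), service)
    ssk, ts = bytes.fromhex(decrypt(sk, f)["sk"]), time.time()
    h = service_exchange(KDC_DB[service], e, encrypt(ssk, {"user": user, "ts": ts}))
    return decrypt(ssk, h)["ts"] == ts
```

A wrong password fails at Message A without the password ever being sent, and an Authenticator whose timestamp is outside SKEW is rejected by the TGS or the service.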

Where Kerberos is Used

Microsoft Windows

Windows 2000 and all newer Windows versions use Kerberos. It's their main way to check who you are. When your computer joins a Windows domain, Kerberos becomes the default security system. This is for talking to services in that domain.

If your computer or the server isn't part of a Windows domain, Windows might use an older system called NTLM instead. Microsoft has also added some of its own features to Kerberos.

Unix and Other Systems

Many other computer systems also use Kerberos. This includes FreeBSD, Apple's macOS, Red Hat Enterprise Linux, Oracle's Solaris, and IBM's AIX. Even some older systems like z/OS and OpenVMS support it.

Challenges and Things to Know

  • Time is Important: Kerberos needs all computers to have their clocks set very closely. If the clocks are off by more than a few minutes, the tickets won't work. People often use Network Time Protocol (NTP) to keep clocks in sync.
  • Central Control: The KDC (the "security boss") controls all the security. If someone manages to break into the KDC, they could pretend to be any user.
  • Complex Setup: If you have many different services or virtual servers, each might need its own Kerberos keys. This can make setting things up a bit tricky.
  • Trusted Relationship: Kerberos needs user accounts and services to trust the Kerberos server. This can make it harder to set up separate test environments.

Security Notes

The older Data Encryption Standard (DES) cipher can be used with Kerberos. However, it's not as strong as newer encryption methods. Some older Kerberos systems might have security issues if they only use DES. Newer versions support stronger encryption like AES.

See also

  • Single sign-on
  • Identity management
  • SPNEGO
  • S/Key
  • Secure remote password protocol (SRP)
  • Generic Security Services Application Program Interface (GSS-API)
  • Host Identity Protocol (HIP)
  • List of single sign-on implementations


Kerberos (protocol) Facts for Kids. Kiddle Encyclopedia.