This presentation was first presented at Virtusa on 14th August 2014

1. Deep Dive into - Kerberos
Ishan A B Ambanwela

2. Contents
1.What is Kerberos
2.Design Objectives
3.Cons
4.Common Terms Explained
5.Kerberos Work Flow
6.Kerberos in Practical

3. What is Kerberos
● Computer network authentication protocol
● Developed in MIT in mid 1980s as a part of
Project Athena
● Named After three-headed guard dog of Hades
● Current Version 5 was released under MIT
license in 2005 (RFC4120)

4. Design Objectives
● Allows to communicate over non-secure
network
● Based on tickets
● Designed for client-server model
● Interoperability
● Trust no one (mutual authentication client/server)
● Protected against Eavesdropping & Replay
attacks

5. Cons
● Single point of failure
● Strict time requirements
● Symmetric cryptography
● Unique Kerberos keys
● Complications in virtual hosting and clusters
● Requires user accounts
● strict separation of domains
● administration protocol is not standardized

6. Some Common Terms
● KDC - Key Distribution Center
● AS - Authentication service
● AD - Active Directory
● Key - parameter which determines the functional
output of a cryptographic algorithm
● Ticket - Piece of information which carries the identity
● Session - semi-permanent interactive information
interchange

7. Kerberos - Terms
● TGT – Ticket Granting Ticket
– Used to prove users own identity
● ST – Service Ticket
– Allows a user to use a service
– Used to securely pass the identity of the user to which the ticket is
issued between KDC and the application server
● Authenticator
– Proves that the user presenting the ticket is the user to which the ticket
was issued
– Proof that user knows the session key
– Prevents replay attacks

8. Key Distribution Center
Kerberos – Work flow
Client
Generate Client Secret Key (CSK)
Authentication Server
Ticket Granting Server
Resource Server
Username
Password
Username (clear text)
A. Session Key (SK)
B. Username, NA, Validity Period,
Session Key (SK)
CSK
TGS
SK
TGS Secret Key
One way
Hash
Client
Secret
Key
(CSK)
A B
Decode
CSK A. Session Key (SK)
+ Service ID (clear text)
F
SK C. Username, Timestamp
C
B. Username, NA, Validity Period,
Session Key (SK)
Decode
TGS
SK
SK C. Username, Timestamp
D. Client/Server Ticket, Username,
NA, Validity Period, Client/Server
Session Key (CSSK)
E. Timestamp+1, Client/Server
Session Key (CSSK)
RS
SK
SK
RS Secret Key
E
D
SK F. Username, Timestamp’
Decode D F
CSSK G. Timestamp’+1, Resource
E. Timestamp+1, Client/Server
Session Key (CSSK)
SK
CSSK G. Timestamp’+1, Resource

9. Kerberos in Practical

10. Java Example for Requesting a Kerberos Ticket in
Client

11. Kerberos in Practical : background
knowledge
● JAAS - Java Authentication and Authorization Service
– LoginModule (javax.security.auth.spi.LoginModule)
● Classes implementing this contain the actual code for authentication
● various mechanisms to authenticate
– LoginContext (javax.security.auth.login.LoginContext)
● Starts authentication process by creating a Subject
– Subject (javax.security.auth.Subject)
● a single user, entity or system
– Principal (java.security.Principal)
● It encapsulates features or properties of a subject
– Credentials

12. Browser Based Kerberos Ticket Validation

13. Kerberos in Practical : background
knowledge
● GSSAPI
– Generic Security Service Application Program Interface
– IETF Standard
● SPNEGO
– Simple and Protected GSSAPI Negotiation Mechanism
– a pseudo mechanism used by client-server software to
negotiate the choice of security technology

14. Browser Based Kerberos Authentication
Example :Sample Requests and Responses

15. Special Thanks
● Praboda Disanayaka
– For Providing Kerberos Work flow Slide
● Vicknesh Subramaniyam
– For Providing Sample HTTP Requests/Responses

16. Q&A
Discussion

17. Thank you and Good Luck :-)