Kerberos: A Private Key System
KERBEROS
Kerberos: Structure
Requirements:
• each user has a private password known only to the user
• a user's secret key can be computed by a one-way function from the user's password
• the Kerberos server knows the secret key of each user and of the tgs
• each server has a secret key known only by itself and the tgs
Kerberos: Steps
[Figure: Kerberos steps; the diagram's labels "authentication" and "authorization" are all that survived extraction]
Protocol Overview
[Figure: protocol overview; only the label "Server" survived extraction]
Ticket Structure:
E_{K(S)} { C, S, K_{C,S}, timestamp, lifetime }
Kerberos
Phase 1
1. The user logs on to the client, and the client asks Kerberos for credentials for the user:
U → C : U (user id)
C → K : (U, tgs)
2. Kerberos constructs a ticket for U and tgs, and a credential for the user, and returns them to the client:
T_{U,tgs} = E_{K(tgs)} { U, tgs, K_{U,tgs}, ts, lt }
K → C : E_{K(U)} { T_{U,tgs}, K_{U,tgs}, ts, lt }
The client obtains the user's password, P, and computes:
K'(U) = f(P)
The user is authenticated to the client if and only if K'(U) decrypts
the credential.
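The Phase 1 exchange above, worked through as an added example that is not part of the slides: a stdlib-only Python simulation in which f is PBKDF2, E/D is a toy encrypt-then-MAC standing in for Kerberos' real cipher so that a wrong key fails to decrypt, and the user name, password, keys and timestamps are constructed values.

```python
import hashlib, hmac, json, os, secrets

# Added illustration, not the slides' code: toy stdlib primitives stand in for Kerberos' ciphers.
def f(password, salt=b"REALM"):
    """One-way function: the user's secret key K(U) derived from the password P."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode, producing at least n bytes of keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))

def E(key, msg):
    """E_K { msg }: toy encrypt-then-MAC; output is nonce || ciphertext || tag."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def D(key, blob):
    """Inverse of E: the plaintext dict, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Kerberos server state (constructed): it knows K(U) for every user and K(tgs)
K_TGS = secrets.token_bytes(32)
USERS = {"alice": f("correct horse battery")}

def kerberos_phase1(U, tgs="tgs", ts=1000, lt=600):
    """Step 2. Builds T_{U,tgs} = E_{K(tgs)} {U, tgs, K_{U,tgs}, ts, lt} and
    returns the credential E_{K(U)} {T_{U,tgs}, K_{U,tgs}, ts, lt} to the client."""
    k_u_tgs = secrets.token_hex(16)            # fresh session key K_{U,tgs}
    ticket = E(K_TGS, {"U": U, "tgs": tgs, "K": k_u_tgs, "ts": ts, "lt": lt})
    return E(USERS[U], {"T": ticket.hex(), "K": k_u_tgs, "ts": ts, "lt": lt})

def client_login(U, P):
    """Client side. C -> K : (U, tgs); then K'(U) = f(P), and the user is
    authenticated iff K'(U) decrypts the credential (returned; else None)."""
    credential = kerberos_phase1(U)
    return D(f(P), credential)

if __name__ == "__main__":
    cred = client_login("alice", "correct horse battery")
    print("authenticated:", cred is not None)                 # True
    print("wrong password:", client_login("alice", "nope"))    # None
    # The client holds T_{U,tgs} only as opaque bytes; only K(tgs) opens it
    print(D(K_TGS, bytes.fromhex(cred["T"]))["U"])           # alice
```

Note that the client never learns K(tgs): it can read its own session key and lifetime from the credential, but the ticket inside it is forwarded to the tgs unopened.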
CS 5204 – Operating Systems 5
Kerberos
Phase 2
Kerberos
Phase 3