What Is Kerberos?

FRAMINGHAM (07/03/2000) - Kerberos was developed at MIT in the 1980s. It was named after the three-headed watchdog in classical Greek mythology that guards the gates to Hades.

The name is apt because Kerberos is a three-way process, depending on a third-party service called the Key Distribution Center (KDC) to verify one computer's identity to another and to set up encryption keys for a secure connection between them. (For simplicity's sake, let's call one computer client and the other target server.)Basically, Kerberos works because each computer shares a secret with the KDC, which has two components: a Kerberos authentication server and a ticket-granting server. If a KDC doesn't know the requested target server, it refers the authentication transaction to another KDC that does.

By exchanging a series of encrypted messages, called tickets, with the client, the KDC generates new encryption keys for each stage of the authentication process. It can successfully verify one computer to the other without compromising either one's secret keys and without requiring either computer to store keys for every computer it might possibly connect to. The tickets are good only for a single specific computer connecting to another specific computer during a designated period of time.

After the ticket is issued, the client can use it to gain access to the target server any number of times until the ticket expires. Neither the client nor anyone snooping around the network can read or modify a ticket without invalidating it.

How Standard a Standard?

The default protocol for network authentication in Microsoft Corp.'s Windows 2000 operating system is Kerberos Version 5. To allow public-key-based authentication [QuickStudy, March 16, 1998] rather than Kerberos' usual password-hash-based secret key, Microsoft chose to add its own extensions, which makes its implementation of Kerberos slightly nonstandard but still allows for authentication with other networks that use Kerberos 5.

Authentication in Windows 2000 is more efficient than in Windows NT because Kerberos eliminates the need in NT for a server to check with a domain controller.


Kerberos is a network authentication protocol that allows one computer to prove its identity to another across an insecure network through an exchange of encrypted messages. Once identity is verified, Kerberos provides the two computers with encryption keys for a secure communication session.

Sharing a Secret: How Kerberos Works

Authenticationexchange: The client asks the authentication server for a ticket to the ticket-granting server (TGS). The authentication server looks up the client in its database, then generates a session key (SK1) for use between the client and the TGS. Kerberos encrypts the SK1 using the client's secret key.

The authentication server also uses the TGS's secret key (known only to the authentication server and the TGS) to create and send the user a ticket-granting ticket (TGT).

Ticket-grantingservice exchange: The client decrypts the message and recovers the session key, then uses it to create an authenticator containing the user's name, IP address and a time stamp. The client sends this authenticator, along with the TGT, to the TGS, requesting access to the target server. The TGS decrypts the TGT, then uses the SK1 inside the TGT to decrypt the authenticator. It verifies information in the authenticator, the ticket, the client's network address and the time stamp. If everything matches, it lets the request proceed. Then the TGS creates a new session key (SK2) for the client and target server to use, encrypts it using SK1 and sends it to the client. The TGS also sends a new ticket containing the client's name, network address, a time stamp and an expiration time for the ticket - all encrypted with the target server's secret key - and the name of the server.

Client/serverexchange: The client decrypts the message and gets the SK2.

Finally ready to approach the target server, the client creates a new authenticator encrypted with SK2. The client sends the session ticket (already encrypted with the target server's secret key) and the encrypted authenticator.

Because the authenticator contains plaintext encrypted with SK2, it proves that the client knows the key. The encrypted time stamp prevents an eavesdropper from recording both the ticket and authenticator and replaying them later. The target server decrypts and checks the ticket, authenticator, client address and time stamp. For applications that require two-way authentication, the target server returns a message consisting of the time stamp plus 1, encrypted with SK2. This proves to the client that the server actually knew its own secret key and thus could decrypt the ticket and the authenticator.

Secure communications: The target server knows that the client is who he claims to be, and the two now share an encryption key for secure communications.

Because only the client and target server share this key, they can assume that a recentmessage encrypted in that key originated with the other party.

Editor's note: This description was adapted and considerably simplified from Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, by Bruce Schneier (Wiley, 1995).

Join the newsletter!

Error: Please check your email address.

More about APTMicrosoftMIT

Show Comments

Market Place