Kerberos: An Authentication Service for Computer Networks

Notes by Ralph Benzinger, 1999.  Cut and pasted some funny symbols from notes by Kevin LoGuidice, 1998.



The Kerberos Protocol



Basic Authentication Protocol

  1. Client -> AS: c, s
  2. AS -> Client: {Kc,s, s}Kc, {Tc,s}Ks
  3. Client -> Server: {Ac}Kc,s, {Tc,s}Ks
  4. Server -> Client: {ts+1}Kc,s (optional)
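
The four messages above, with both sides' checks, as an added Python example (not part of the original notes). It assumes the usual Kerberos contents for the ticket Tc,s (client, server, session key, validity window) and the authenticator Ac (client name, timestamp), which the notes do not spell out. seal/unseal are a toy stand-in for {...}K, and all names, keys and times are constructed.

```python
import hashlib, hmac, json, os

def seal(key, obj):
    """{obj}key. Toy encrypt-then-MAC (SHAKE-256 keystream + HMAC), illustration only."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    pad = hashlib.shake_256(key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, pad))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    pad = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, pad)))

def as_reply(db, c, s, now, life=300):
    """Message 2: {Kc,s, s}Kc, {Tc,s}Ks. db maps principal name -> long-term key."""
    kcs = os.urandom(32).hex()  # fresh session key Kc,s
    ticket = {"c": c, "s": s, "key": kcs, "start": now, "end": now + life}
    return seal(db[c], {"key": kcs, "s": s}), seal(db[s], ticket)

def client_request(kc, c, s, for_client, now):
    """Message 3: recover Kc,s with Kc, then build the authenticator {Ac}Kc,s."""
    cred = unseal(kc, for_client)
    if cred["s"] != s:
        raise ValueError("reply names a different server")
    kcs = bytes.fromhex(cred["key"])
    return kcs, seal(kcs, {"c": c, "ts": now})

def server_accept(ks, name, auth, ticket, now, skew=120):
    """Server check of message 3; returns (client, message 4 = {ts+1}Kc,s)."""
    t = unseal(ks, ticket)                 # only the holder of Ks can open Tc,s
    kcs = bytes.fromhex(t["key"])
    a = unseal(kcs, auth)                  # proves the sender knows Kc,s
    if t["s"] != name or a["c"] != t["c"]:
        raise ValueError("authenticator does not match ticket")
    if not t["start"] - skew <= now <= t["end"] + skew:
        raise ValueError("ticket outside its lifetime")
    if abs(now - a["ts"]) > skew:
        raise ValueError("stale authenticator")
    return t["c"], seal(kcs, {"ts": a["ts"] + 1})

if __name__ == "__main__":
    db = {"alice": os.urandom(32), "fileserver": os.urandom(32)}  # constructed keys
    m2_client, m2_ticket = as_reply(db, "alice", "fileserver", now=1000)
    kcs, m3_auth = client_request(db["alice"], "alice", "fileserver", m2_client, now=1001)
    who, m4 = server_accept(db["fileserver"], "fileserver", m3_auth, m2_ticket, now=1002)
    print(who, unseal(kcs, m4))
```

The timestamp window only bounds how long a captured message 3 stays usable; rejecting a repeat inside that window would additionally need the server to remember authenticators it has already accepted, which this example does not do.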

Complete Authentication Protocol

  1. Client -> AS: c, tgs
  2. AS -> Client: {Kc,tgs, tgs}Kc, {Tc,tgs}Ktgs
  3. Client -> TGS: {ts}Kc,tgs, {Tc,tgs}Ktgs, s
  4. TGS -> Client: {Kc,s, s}Kc,tgs, {Tc,s}Ks
  5. Client -> Server: {Ac}Kc,s, {Tc,s}Ks
  6. Server -> Client: {ts+1}Kc,s (optional)

Cross-Realm Authentication Protocol



  1. Who were the Greeks who escaped from Hades, and what did they use to get past Cerberus?
  2. How does Kerberos compare to PGP?
  3. Are there better ways to repel replay attacks?
  4. Is password-based security still state of the art?