Kerboros protocol explanation

table of Contents

Protocol overview

This agreement is named after the character Kerberos (or Cerberus) in Greek mythology, who is a ferocious three-headed guard dog of Hades in Greek mythology.
Kerberos is a network authentication protocol whose design goal is to provide powerful authentication services for client/server applications through a key system. The realization of the authentication process does not depend on the authentication of the host operating system, does not require the trust based on the host address, does not require the physical security of all hosts on the network, and assumes that the data packets transmitted on the network can be arbitrarily read, modified and inserted. . Under the above circumstances, Kerberos, as a trusted third-party authentication service, performs authentication services through traditional cryptographic techniques (such as shared keys).

Principle introduction

The authentication process is as follows: the
client sends a request to the authentication server (AS), asking for the certificate of a certain server, and then the response of the AS contains these certificates encrypted with the client's key.

The composition of the certificate is:

(1) The server "ticket"; (2) A temporary encryption key (also known as the "session key").
The client transmits the ticket (including the client's identity encrypted with the server key and a copy of the session key) to the server. The session key can be used (now shared by the client and the server) to authenticate the client or the authentication server, and can also be used to provide encryption services for future communications between the communicating parties, or to provide further communication between the communicating parties by exchanging independent sub-session keys. Communication encryption service.
The above authentication exchange process requires read-only access to the Kerberos database. But sometimes, the records in the database must be modified, such as when adding a new rule or changing the rule key. The modification process is completed through the agreement between the client and the third-party Kerberos server (Kerberos manager KADM). The relevant management agreement will not be introduced here. In addition, there is also a protocol for maintaining multiple copies of the Kerberos database. This can be considered as a detailed issue in the execution process and will continue to change to adapt to various database technologies.

Insert picture description here

Detailed certification steps:

(1), the client client sends the user name, address, and time stamp information of the login client to the AS authentication server to generate a ticket license ticket (TGT) + session key (sessionKEY);

(2) After the AS server receives the client's request, the KDC server generates a random session key (session key) to obtain the key K, and encrypts the session key (session key) with the NTLM hash of the client logged in user Key A, the NTLM hash of the KDC server user encrypts the session key (session key) client information (client info), timestamp (timestamp) and other information to obtain the TGT, and finally the session key (key1) A and TGT are together Sent to the client;

(3) The client uses the NTML hash of the client account to decrypt the received request key A to obtain the (session key) key K, and the decrypted key K is for the client information (client info) , Timestamp (timestamp) is encrypted to obtain B, and finally the key (key2) B ​​and TGT are sent to TGS;

(4) After receiving the client's request, TGS uses KDC's NTLM Hash to decrypt the TGT to obtain the Session Key, timestamp (timestamp) and client-related information (Client Info), and use the Session Key decrypted by the TGT to decrypt the ciphertext B , Get the timestamp (timestamp) and client-related information (Client Info). After comparing these two decryption, a new session key (session key) will be randomly generated, and the timestamp (timestamp) and client-related information (Client Info) will be encrypted with the generated new session key to obtain the ciphertext C, Use the NTML hash of the TGS server to encrypt the new session key (session key) and (timestamp) and client-related information (Client Info) cipher text C to obtain the final ticket (Ticket), namely ST (Service Ticket), and finally send it together To the client;

(5) The client finally requests the service directly from the service ticket ST (Service Ticket) and the ciphertext C;

(6) Authentication authorization is performed after service ticket ST (Service Ticket) and ciphertext C are decrypted.

Give a chestnut

Little K and Little J, the couple (clients) who want to travel by high-speed rail, need to buy a ticket first, and the ticket must be authenticated by the conductor (AS authentication server). After the authentication is completed, the conductor will give them a train. Tickets (tickets and secret keys). When you arrive at the ticket gate, you need to check the tickets (TGS ticket authorization server). After the ticket check is completed, you will give them a train ticket (return the ticket and the secret key), and you can pass through with the permission of the ticket checker. Well, the young couple take a train ticket to travel (SS server).

Related nouns

AS (Authentication Server) = authentication server
KDC (Key Distribution Center) = key distribution center
TGT (Ticket Granting Ticket) = ticket granting ticket, ticket
ST (Service Ticket) = service authorization ticket
TGS (Ticket Granting Server) = ticket Authorization server
SS (Service Server) = specific service provider