Windows Server 2003 Security Infrastructures

5.2 Kerberos: The basic protocol

The following sections explain the basic Kerberos protocol as it is defined in RFC 1510. Those not familiar with Kerberos may be bewildered by the need for numerous diverse keys to be transmitted around the network. In order to break down the complexity of the protocol, we will approach it in five steps:

  • Step 1: Kerberos authentication is based on symmetric key cryptography.

  • Step 2: The Kerberos KDC provides scalability.

  • Step 3: A Kerberos ticket provides secure transport of a session key.

  • Step 4: The Kerberos KDC distributes the session key by sending it to the client.

  • Step 5: The Kerberos Ticket Granting Ticket limits the use of the entities' master keys.
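The five steps above, carried through end to end in a small Python model. This is an added example, not code from the book: `seal`/`unseal` are a standard-library stand-in for the symmetric cipher Kerberos uses, the principal names `alice` and `fileserver` and the 600-second TGT lifetime are constructed, and the KDC is a local object rather than a network service. It shows the key-distribution logic the steps describe: the KDC holds every master key (Mu, Ms), a ticket carries the session key Sus sealed under Ms, the client receives its copy sealed under a key it already holds, and Mu itself is used only once per logon because the TGT/Suk pair takes over afterwards.

```python
# Added example: toy model of the basic Kerberos exchange (RFC 1510 structure).
# Not the book's code. seal/unseal stand in for Kerberos's symmetric cipher.
import hashlib
import hmac
import json
import os
import time

TGT_LIFETIME = 600  # seconds; constructed value for the example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy cipher, stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable dict under a symmetric key."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC, then decrypt. Raises ValueError on wrong key or tampering."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Step 2: the KDC knows every principal's master key (Mu, Ms, ...)."""

    def __init__(self, master_keys: dict):
        self.master_keys = master_keys
        self.krbtgt_key = os.urandom(32)  # the KDC's own key Mk, protects TGTs

    def as_exchange(self, user: str) -> bytes:
        """Step 5: issue a TGT plus the user/KDC session key Suk, sealed under Mu."""
        s_uk = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": user, "key": s_uk.hex(),
                                     "expires": time.time() + TGT_LIFETIME})
        return seal(self.master_keys[user], {"key": s_uk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str) -> bytes:
        """Steps 3-4: open the TGT, check the authenticator, mint a service ticket."""
        tgt = unseal(self.krbtgt_key, tgt_blob)
        if tgt["expires"] < time.time():
            raise ValueError("TGT expired")
        s_uk = bytes.fromhex(tgt["key"])
        auth = unseal(s_uk, authenticator)  # only a holder of Suk can produce this
        if auth["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        s_us = os.urandom(32)  # Step 1: a fresh symmetric session key Sus
        ticket = seal(self.master_keys[service], {"client": tgt["client"], "key": s_us.hex()})
        return seal(s_uk, {"key": s_us.hex(), "ticket": ticket.hex()})  # Step 4


def client_logon(kdc: KDC, user: str, m_u: bytes):
    """The only place the client ever uses its master key Mu."""
    rep = unseal(m_u, kdc.as_exchange(user))
    return bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])


def client_get_service_ticket(kdc: KDC, user: str, s_uk: bytes, tgt: bytes, service: str):
    authenticator = seal(s_uk, {"client": user, "time": time.time()})
    rep = unseal(s_uk, kdc.tgs_exchange(tgt, authenticator, service))
    return bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])


def server_accept(m_s: bytes, ticket: bytes, authenticator: bytes):
    """Step 3: the resource server needs only Ms; the ticket transports Sus."""
    t = unseal(m_s, ticket)
    s_us = bytes.fromhex(t["key"])
    auth = unseal(s_us, authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"], s_us


def run_demo() -> dict:
    """Full logon -> service ticket -> server verification with constructed principals."""
    m_u, m_s = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": m_u, "fileserver": m_s})
    s_uk, tgt = client_logon(kdc, "alice", m_u)
    s_us, ticket = client_get_service_ticket(kdc, "alice", s_uk, tgt, "fileserver")
    authenticator = seal(s_us, {"client": "alice", "time": time.time()})
    who, key_at_server = server_accept(m_s, ticket, authenticator)
    return {"client": who, "keys_match": key_at_server == s_us}
```

Note that the resource server never talks to the KDC and never sees Mu or Suk: everything it needs arrives inside the ticket, which only Ms can open. Flipping a byte of the ticket or presenting it with an authenticator under a different key makes `unseal` raise, which is the property a real implementation gets from the cipher's integrity check.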

Before starting to explore how Kerberos works, we must explain the notations that will be used in the illustrations:

  • The u stands for user, s stands for resource server, and k stands for KDC.

  • S stands for session key; Sus means the session key shared between the user and the resource server.

  • M stands for master key; Mu is the master key of the user.

  • Drawing (1) in Figure 5.1 represents the session key shared between the user and resource server.


    Figure 5.1: Session keys and encrypted session keys.

  • Drawing (2) represents the same session key, but this time encrypted.

  • Drawing (3) represents the same session key, encrypted using the master key of the user.

To ease reading we will talk about a client, Alice, and a resource server that authenticates using...
