What is Kerberos?

Kerberos is a protocol designed to ensure secure communication over a non-secure network. It is used to protect against eavesdropping and man-in-the-middle attacks.

The protocol involves:

  • Client: The person trying to connect to a service.
  • Server: The server that hosts the service.
  • Authentication Server (AS): Authenticates the client. If the client is authenticated, a TGT (Ticket Granting Ticket) is generated that proves the client is authentic.
  • Ticket Granting Server (TGS): An application server that issues service tickets.
  • Key Distribution Center (KDC): A single server that hosts the Database, Authentication Server, and the TGS.

Kerberos makes use of three types of keys:

  • Client/user secret key: The hash generated by the user’s password.
  • TGS secret key: The hash of the ticket-granting server's password.
  • Server secret key: The hash of the password of the server offering the service.

Here are the steps that describe how a Kerberos protocol works:

  1. The user enters the login credentials and the client secret key is generated.

  2. The client asks the Authentication server for a TGT by sending the client ID.

  3. The Authentication Server checks that the client and the TGS exist in the database. If found, it generates the client secret key from the user's password stored in the database, as well as the TGS secret key. A session key (SK1) is generated and encrypted using the client secret key. A TGT is generated containing the client ID, client network address, lifetime, timestamp, and SK1, all encrypted using the TGS secret key. SK1 and the TGT are sent to the client in a message encrypted with the client secret key.

  4. The client decrypts the message using the client secret key, which is generated from the password the user entered. An authenticator is generated that contains the client ID, client network address, and client machine timestamp, all of which are encrypted using SK1. The client sends the authenticator and the TGT to the ticket-granting server.

  5. The TGS decrypts the TGT using the TGS secret key and extracts SK1. SK1 is used to decrypt the authenticator; the TGS validates that the TGT has not expired and checks that the information in the TGT and the authenticator match. It then creates a service session key (SK2). This key is the secret shared between the client and the TGS. A service ticket containing the client ID, client network address, timestamp, and SK2 is generated and encrypted with the server secret key obtained from the database. SK2 and the service ticket are sent to the client, encrypted with SK1.

  6. The client decrypts the message using SK1 and extracts SK2. A new authenticator containing the client ID, client network address, and timestamp is generated and encrypted with SK2. The authenticator and the service ticket are sent to the target server.

  7. The target server decrypts the service ticket with the server secret key, extracts SK2, and uses it to decrypt the authenticator. The same checks are applied, and the server replies with a message consisting of the timestamp plus 1, encrypted with SK2. This step confirms that both the client and the server have been authenticated.
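
The seven steps above as a runnable simulation, added here as an example and not part of the original page: the AS, TGS and application server each hold a key hashed from a password in a small database, the TGT and service ticket are encrypted messages nested inside other encrypted messages, and the timestamp-plus-one reply closes the mutual authentication. The cipher is a toy HMAC-based construction standing in for the real Kerberos encryption types, and the principal names, passwords, client address and 300-second lifetime are all constructed values.

```python
import hashlib, hmac, json, os, time

# Toy authenticated cipher (HMAC keystream XOR plus HMAC tag); a stand-in for Kerberos's AES types.
def _ks(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def encrypt(key, obj):                   # hex output so ciphertexts can nest inside other messages
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()
def decrypt(key, blob):                  # raises if the key is wrong or the blob was altered
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))
def secret_key(password):                # step 1: every secret key is a hash of a password
    return hashlib.sha256(password.encode()).digest()

hexkey = bytes.fromhex                   # session keys travel inside messages as hex strings
DB = {"alice": "hunter2", "krbtgt": "tgs-password", "http/web": "svc-password"}  # constructed
K_TGS, K_SRV = secret_key(DB["krbtgt"]), secret_key(DB["http/web"])
def as_exchange(client_id):              # steps 2-3: the AS issues SK1 and a TGT
    sk1 = os.urandom(32).hex()
    tgt = encrypt(K_TGS, {"cid": client_id, "addr": "10.0.0.5", "exp": time.time() + 300, "sk1": sk1})
    return encrypt(secret_key(DB[client_id]), {"sk1": sk1, "tgt": tgt})
def tgs_exchange(tgt, authenticator):    # step 5: the TGS validates TGT and authenticator, issues SK2
    t = decrypt(K_TGS, tgt)
    a = decrypt(hexkey(t["sk1"]), authenticator)
    if time.time() > t["exp"] or (a["cid"], a["addr"]) != (t["cid"], t["addr"]):
        raise PermissionError("TGT expired or authenticator does not match TGT")
    sk2 = os.urandom(32).hex()
    ticket = encrypt(K_SRV, {"cid": t["cid"], "addr": t["addr"], "ts": time.time(), "sk2": sk2})
    return encrypt(hexkey(t["sk1"]), {"sk2": sk2, "ticket": ticket})
def ap_exchange(ticket, authenticator):  # step 7: the service checks the ticket and answers with ts+1
    t = decrypt(K_SRV, ticket)
    a = decrypt(hexkey(t["sk2"]), authenticator)
    if (a["cid"], a["addr"]) != (t["cid"], t["addr"]):
        raise PermissionError("authenticator does not match service ticket")
    return encrypt(hexkey(t["sk2"]), {"ts": a["ts"] + 1})

def client_login(client_id, password, addr="10.0.0.5"):  # steps 4 and 6 from the client's side
    auth = lambda k, ts: encrypt(k, {"cid": client_id, "addr": addr, "ts": ts})
    rep = decrypt(secret_key(password), as_exchange(client_id))   # fails here on a wrong password
    sk1 = hexkey(rep["sk1"])
    tgs = decrypt(sk1, tgs_exchange(rep["tgt"], auth(sk1, int(time.time()))))
    sk2, ts = hexkey(tgs["sk2"]), int(time.time())
    srv = decrypt(sk2, ap_exchange(tgs["ticket"], auth(sk2, ts)))
    return srv["ts"] == ts + 1           # True only if the server proved it held the server key
```

Note that the KDC never sees the user's password on the wire: a wrong password simply fails to decrypt the AS reply, and an authenticator whose client ID differs from the TGT is refused by the TGS.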


Copyright ©2025 Educative, Inc. All rights reserved