Kerberos Third-party Authentication Model

A significantly better authentication model was developed and shepherded through the IETF standards process by staff at MIT a number of years ago -- the Kerberos authentication model. Kerberos addresses each of the major problems identified with the traditional authentication model, albeit at the expense of being significantly more complex than the traditional model.

In overview, the Kerberos authentication model uses one or more trusted authentication servers (termed KDCs or "Key Distribution Centers") to provide third-party authentication services for cooperating systems and applications. In the Kerberos model, client machines acquire authentication credentials (called tickets) from the trusted authentication server(s) which they can subsequently present to systems and applications as proof of authentication and which, due to their being strongly encrypted, can be passed securely over an insecure network.

A typical Kerberos session starts when a user runs software on his local client machine to acquire an initial authentication ticket (termed a ticket-granting ticket). The client later presents the user's ticket-granting ticket to the Kerberos ticket-granting service to acquire a service ticket for the particular system or application the user wishes to use. This service ticket is then presented to the desired service in lieu of a [username,passwd] pair as proof of authentication.

The details of the conversations between a Kerberos client, the KDCs, and the various Kerberized services used by the client are rather complex. Figure III, below, graphically depicts the interactions between cooperating systems involved in the Kerberos model. Click here for a more detailed description of the internal workings (the "magic", if you will) of Kerberos.


Figure III

Next Page