Kerberos
  • Has no connection to PPP
  • Uses UDP or TCP port 88
  • Authentication protocol for TCP/IP networks with many clients all connected to a single authentication server.
  • Cornerstone of a Microsoft Windows domain
    • Defers all authentication to a domain controller, usually a Windows server.
  • Key Distribution Center (KDC)
    • Authentication Server (AS)
    • Ticket-Granting Service (TGS)
    • In a Windows Server environment, the KDC is installed on the domain controller
    • Process:
      1. The client sends a hash of its username and password to the AS
      2. The AS compares that hash with the hash it holds for the account
      3. If they match, the AS sends a Ticket-Granting Ticket (TGT) and timestamp
        • In Windows the ticket has a default lifespan of 10 hours
      4. The client sends the TGT to the TGS for authorization
      5. The TGS sends a timestamped service ticket (also called an access token)
        • The token is the key the client uses to access any single resource on the entire domain.
        • Contains the security identifier (SID) for the user’s account and SIDs for the groups of which the user is a member.
        • Timestamping forces the client to request a new token every 8 hours. This prevents third parties from intercepting the tokens and attempting to crack them.
  • Weaknesses
    • If KDC goes down, no one has access.
      • Important to have a backup KDC
    • Timestamping requires that all clients and servers synchronize their clocks
      • Difficult on dispersed networks
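The following is an added toy model of the five-step flow in the notes and of the clock-synchronization weakness; it is example code written for these notes, not real Kerberos or any Microsoft implementation. It keeps the simplified picture the notes give (client sends a hash, AS compares it with its stored hash, TGT lives 10 hours, service token lives 8 hours). Everything else is an assumption made for the example: the user database, the KDC key, the SIDs, the 5-minute clock-skew tolerance, and the use of an HMAC tag to stand in for the encryption that real Kerberos applies to tickets.

```python
"""Toy Kerberos-style exchange (constructed example, not real Kerberos)."""
import hashlib
import hmac
import json
from typing import Optional

# Lifetimes taken from the notes: TGT 10 hours, service token 8 hours.
TGT_LIFETIME_S = 10 * 3600
TOKEN_LIFETIME_S = 8 * 3600
# Assumed tolerance for clock drift between a client/server and the KDC.
MAX_CLOCK_SKEW_S = 300

# Assumed KDC signing key and user store (constructed values, not a real directory).
KDC_KEY = b"constructed-kdc-secret"
USER_DB = {
    "alice": {
        "pw_hash": hashlib.sha256(b"alice:correct horse").hexdigest(),
        "sid": "S-1-5-21-1-1-1001",           # constructed user SID
        "group_sids": ["S-1-5-21-1-1-513"],   # constructed group SID
    },
}


def client_credential_hash(username: str, password: str) -> str:
    """Step 1: the client's hash of username and password (simplification from the notes)."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def _seal(payload: dict) -> dict:
    """Attach an HMAC so a tampered or forged ticket is detectable (stands in for encryption)."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(KDC_KEY, body.encode(), "sha256").hexdigest()}


def _open(ticket: dict, now: float, lifetime: int) -> Optional[dict]:
    """Return the payload if the tag is genuine and the timestamp is within lifetime and skew."""
    body = ticket.get("body", "")
    expected = hmac.new(KDC_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, ticket.get("tag", "")):
        return None                                   # forged or modified ticket
    payload = json.loads(body)
    issued = payload["timestamp"]
    if now < issued - MAX_CLOCK_SKEW_S:
        return None                                   # issuer's clock is ahead of ours: clocks out of sync
    if now > issued + lifetime:
        return None                                   # expired
    return payload


def as_exchange(username: str, credential_hash: str, now: float) -> Optional[dict]:
    """Steps 2-3: the AS compares the hash with its stored hash and issues a timestamped TGT."""
    record = USER_DB.get(username)
    if record is None or not hmac.compare_digest(record["pw_hash"], credential_hash):
        return None
    return _seal({"type": "TGT", "user": username, "timestamp": now})


def tgs_exchange(tgt: dict, service: str, now: float) -> Optional[dict]:
    """Steps 4-5: the TGS validates the TGT and issues a service ticket carrying the user's SIDs."""
    payload = _open(tgt, now, TGT_LIFETIME_S)
    if payload is None or payload["type"] != "TGT":
        return None
    record = USER_DB[payload["user"]]
    return _seal({"type": "SERVICE", "user": payload["user"], "service": service,
                  "sid": record["sid"], "group_sids": record["group_sids"], "timestamp": now})


def service_accepts(ticket: dict, service: str, now: float) -> bool:
    """A resource server accepts a token only if it is genuine, issued for it, and within 8 hours."""
    payload = _open(ticket, now, TOKEN_LIFETIME_S)
    return payload is not None and payload["type"] == "SERVICE" and payload["service"] == service


def run_demo() -> dict:
    """Walk the flow once and record which checks behave as the notes describe."""
    now = 1_700_000_000.0                             # constructed "current time"
    tgt = as_exchange("alice", client_credential_hash("alice", "correct horse"), now)
    token = tgs_exchange(tgt, "fileserver", now)
    forged = {"body": token["body"].replace('"user": "alice"', '"user": "mallory"'),
              "tag": token["tag"]}
    return {
        "wrong_password_rejected": as_exchange("alice", client_credential_hash("alice", "wrong"), now) is None,
        "fileserver_accepts": service_accepts(token, "fileserver", now + 60),
        "other_service_rejects": not service_accepts(token, "mailserver", now + 60),
        "token_expired_after_8h": not service_accepts(token, "fileserver", now + TOKEN_LIFETIME_S + 1),
        "tgt_expired_after_10h": tgs_exchange(tgt, "fileserver", now + TGT_LIFETIME_S + 1) is None,
        "skewed_clock_rejected": not service_accepts(token, "fileserver", now - MAX_CLOCK_SKEW_S - 1),
        "tampered_token_rejected": not service_accepts(forged, "fileserver", now + 60),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The `skewed_clock_rejected` case is the weakness from the last bullet: a server whose clock runs more than the tolerance behind the KDC sees a ticket "from the future" and refuses it, which is why the notes insist on clock synchronization. The `tampered_token_rejected` case shows why the ticket must be protected (here by the HMAC tag, in real Kerberos by encryption): the SIDs inside it decide what the user may access, so a server must not trust an unverified ticket.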