Kerberos is a trusted third-party authentication application layer service (Layer 7 of the OSI model).

Kerberos is a secret-key (symmetric-key) network authentication protocol developed at the Massachusetts Institute of Technology (MIT). The original MIT implementation used the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication; Kerberos 5 also supports stronger encryption types such as AES. In the Kerberos protocol, the trusted third party is called the key distribution center (KDC).

Figure 5-4 displays the Kerberos authentication process when a remote client initiates a remote Telnet session. (Kerberized versions of Telnet, rlogin, rsh, and rcp are supported.)

Figure 5-4 Authentication Service with Kerberos

Kerberos's primary use is to verify that users and the network services they employ are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username/password authentication mechanism.

The Kerberos credential scheme embodies a concept called single logon. The user is authenticated once (by proving knowledge of the password to the KDC) and can then authenticate securely, without sending a password again, to any network service that accepts that user's credential.

Timestamps (large numbers representing the current date and time) have been added to the original Kerberos model to aid in the detection of replay attacks. In a replay attack, an attacker captures a legitimate authentication exchange and resends it later from an unauthorized source in an attempt to gain access to a host. During the packet flow exchange, the critical parameters exchanged are the client's name, its IP address, and the current workstation time, which the client sends in an encrypted authenticator. System time must be accurate on clients, servers, and the KDC (MIT Kerberos tolerates a clock skew of 5 minutes by default) so that replay attacks are avoided or, at the very least, detected and the Kerberos session terminated.
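The exchanges described above (AS, TGS, and AP) with timestamped authenticators, a clock-skew check, and a replay cache, as an added example that is not code from the book, Cisco, or MIT. The cipher (an HMAC-SHA256 keystream with an HMAC tag), the 300-second skew window, the principal names, and the password are illustrative assumptions; real Kerberos uses RFC 3961 encryption types and ASN.1-encoded messages.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges with timestamped authenticators.
Added example (not book, Cisco or MIT code); cipher, skew window and names are assumptions."""
import hashlib, hmac, json, os, secrets, time

MAX_SKEW = 300           # seconds; the usual default clock-skew tolerance
TICKET_LIFE = 8 * 3600   # the eight-hour default credential lifespan cited in the text

def derive_key(password: str, salt: str) -> bytes:
    # Toy string-to-key; real enctypes define their own string2key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def encrypt(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag (toy, not an RFC 3961 enctype)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Key distribution center: the only party holding every principal's long-term key."""
    def __init__(self, realm: str, principals: dict):
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.tgs_key = derive_key(secrets.token_hex(16), "krbtgt/" + realm)

    def as_exchange(self, client: str, now: float):
        """AS-REQ/AS-REP: a TGT sealed for the TGS plus the session key sealed under the client's key."""
        sk, exp = os.urandom(32).hex(), now + TICKET_LIFE
        tgt = encrypt(self.tgs_key, {"client": client, "sk": sk, "expires": exp})
        return tgt, encrypt(self.keys[client], {"sk": sk, "expires": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """TGS-REQ/TGS-REP: verify the TGT and its authenticator, then issue a service ticket."""
        t = decrypt(self.tgs_key, tgt)
        auth = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or now > t["expires"] or abs(now - auth["ts"]) > MAX_SKEW:
            raise PermissionError("TGS rejected the authenticator")
        ssk = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "sk": ssk, "expires": now + TICKET_LIFE})
        return ticket, encrypt(bytes.fromhex(t["sk"]), {"sk": ssk})

class Service:
    """Kerberized service holding its SRVTAB key; enforces clock skew and keeps a replay cache."""
    def __init__(self, srvtab_key: bytes):
        self.key = srvtab_key
        self.replay_cache = set()   # (client, timestamp) pairs already accepted

    def ap_req(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = decrypt(self.key, ticket)                        # only the service's key opens the ticket
        auth = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or now > t["expires"]:
            raise PermissionError("ticket does not match authenticator or has expired")
        if abs(now - auth["ts"]) > MAX_SKEW:
            raise PermissionError("clock skew too great")      # KRB_AP_ERR_SKEW
        if (auth["client"], auth["ts"]) in self.replay_cache:
            raise PermissionError("replay detected")           # KRB_AP_ERR_REPEAT
        self.replay_cache.add((auth["client"], auth["ts"]))
        return t["client"]

def run_demo(now: float = None):
    """Full client flow, then a replayed and a stale authenticator (constructed scenario)."""
    now = time.time() if now is None else now
    svc = "host/telnet.example.com"                           # hypothetical service principal
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse", svc: secrets.token_hex(16)})
    telnet = Service(kdc.keys[svc])                            # the key the KDC holds is the SRVTAB
    tgt, sealed = kdc.as_exchange("alice", now)                # 1. AS exchange
    sk = bytes.fromhex(decrypt(derive_key("correct horse", "alice"), sealed)["sk"])
    ticket, sealed2 = kdc.tgs_exchange(tgt, encrypt(sk, {"client": "alice", "ts": now}), svc, now)
    ssk = bytes.fromhex(decrypt(sk, sealed2)["sk"])            # 2. TGS exchange
    auth = encrypt(ssk, {"client": "alice", "ts": now + 1})    # 3. AP exchange
    results = [telnet.ap_req(ticket, auth, now + 1)]
    for bad_auth, at in ((auth, now + 2),                                                   # replay
                         (encrypt(ssk, {"client": "alice", "ts": now - 3600}), now + 3)):   # stale
        try:
            telnet.ap_req(ticket, bad_auth, at)
            results.append("accepted")
        except PermissionError as e:
            results.append(str(e))
    return tuple(results)

if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the first AP-REQ accepted for alice, the replayed authenticator refused by the replay cache, and the hour-old authenticator refused by the skew check. Note that the replay cache only works inside the skew window: anything older than MAX_SKEW is rejected by the clock check, which is why the cache need not grow without bound.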

NOTE Starting with Cisco IOS Release 11.2, Cisco IOS Software includes Kerberos 5 support, which allows organizations already deploying Kerberos 5 to use the same Kerberos authentication database on their routers that they already use on their other network hosts (such as UNIX servers and PCs).

Table 5-5 summarizes the key concepts of Kerberos.

Table 5-5 Features of the Kerberos Protocol

Packet delivery: Ports are defined for the Kerberos services: TCP/UDP 88 (kerberos, the KDC), 543 (klogin), and 749 (kerberos-adm), plus TCP 754 (krb_prop, database propagation), 2105 (eklogin, encrypted rlogin), and 4444 (krb524).

Packet encryption: The username/password exchange is encrypted; the cleartext password never crosses the network.

Telnet support: Telnet sessions can be encrypted (Kerberized Telnet).

Table 5-6 defines common Kerberos terminology.

Table 5-6 Kerberos Terminology

Credential

A general term that refers to authentication tickets, such as ticket granting tickets (TGTs) and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, the ticket can be used in place of retyping a username and password. Credentials have a default lifespan of eight hours.

Instance

An authorization level label for Kerberos principals. Most Kerberos principals are of the form user@REALM (for example, alice@EXAMPLE.COM); a principal with an instance has the form user/instance@REALM (for example, alice/admin@EXAMPLE.COM). Note that the Kerberos realm name must be in uppercase characters.

Kerberized

Applications and services that have been modified to support the Kerberos credential infrastructure.

Kerberos realm

A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify a user's or network service's identity to another user or network service. Kerberos realm names must always be in uppercase characters. TCP fragmentation must also be defined on the key distribution center (KDC) server. A DNS domain is mapped to a Kerberos realm (for example, hosts in example.com belong to the realm EXAMPLE.COM).

Kerberos server

A daemon running on a network host. Users and network services register their identities with the Kerberos server. Network services query the Kerberos server to authenticate to other network services. Also known as the Master Kerberos server.

Key Distribution Center (KDC)

A Kerberos server and database program running on a network host.

Kerberos principal

Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server.

Service credential

A credential for a network service. When issued by the KDC, the service ticket is encrypted with the key shared by the network service and the KDC, and the accompanying session key is sent to the user encrypted under the session key from the user's TGT.

SRVTAB

A key (derived from a password) that a network service shares with the KDC. The network service uses the SRVTAB (also known as a KEYTAB) to decrypt and so authenticate an encrypted service credential.

Ticket Granting Ticket (TGT)

A credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.
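Principal-name handling for the terms defined in Table 5-6 (primary, instance, realm), the uppercase-realm rule, and the DNS-domain-to-realm mapping, as an added example that is not code from the book, Cisco, or MIT. The mapping table, host names, and the instance-to-privilege table are constructed for illustration; the fallback of uppercasing the DNS domain when no mapping matches is an assumption.

```python
"""Principal parsing, realm checks and domain-to-realm mapping. Added example; tables are constructed."""
import re

_PRINCIPAL = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")

def parse_principal(name: str) -> dict:
    """Split user[/instance]@REALM into its parts; reject a realm that is not uppercase."""
    m = _PRINCIPAL.match(name)
    if not m:
        raise ValueError(f"not a principal name: {name!r}")
    p = m.groupdict()
    if p["realm"] != p["realm"].upper():
        raise ValueError(f"realm must be uppercase: {p['realm']!r}")
    return p

def is_valid_principal(name: str) -> bool:
    try:
        parse_principal(name)
        return True
    except ValueError:
        return False

def privilege_for(name: str, instance_map: dict, default: int = 1) -> int:
    """Use the instance as an authorization label (constructed map, e.g. {'admin': 15})."""
    inst = parse_principal(name)["instance"]
    return instance_map.get(inst, default) if inst else default

def realm_for_host(fqdn: str, domain_realm: dict) -> str:
    """Longest-suffix lookup in a [domain_realm]-style table; assumption: fall back to DOMAIN uppercased."""
    host = fqdn.lower().rstrip(".")
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()

def host_principal(fqdn: str, domain_realm: dict) -> str:
    """Service principal a Kerberized host registers with the KDC, e.g. host/r1.example.com@EXAMPLE.COM."""
    return f"host/{fqdn.lower().rstrip('.')}@{realm_for_host(fqdn, domain_realm)}"

if __name__ == "__main__":
    table = {".example.com": "EXAMPLE.COM"}          # constructed domain_realm mapping
    print(parse_principal("alice/admin@EXAMPLE.COM"))
    print(host_principal("Router1.lab.example.com.", table))
    print(privilege_for("alice/admin@EXAMPLE.COM", {"admin": 15}))
```

A lowercase realm (alice@example.com) is the classic cause of a "realm not found" failure at the KDC, so the parser refuses it outright rather than silently uppercasing.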
