Published by Avice Cross. Modified over 6 years ago.
Kerberos: An Authentication Service for Open Network Systems
J. G. Steiner, C. Neuman, J. I. Schiller
What is Kerberos?
Trusted third-party authentication service
Requirements: Secure (Private Key Encryption); Transparent (Tickets); Scalable (Replication); Reliable
Kerberos Authentication Protocols
[Diagram: Client, Kerberos Server, TGS]
1. User Requests TGT
2. Kerberos sends encrypted TGT
3. Client requests Ticket for Service
4. Service returns Session key encrypted ticket
5. Client presents ticket to service
6. (Optionally) Server presents credentials to client
Security
Transparency
Tickets are reusable (authenticators are not)
{s, c, addr, timestamp, life, K_{s,c}}K_s
Ticket-granting ticket can occur at login (8 hour lease), kinit for new TGT
Library calls: krb_mk_req, krb_rd_req, krb_mk_prv, krb_rd_prv
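The checks a service can apply to a presented ticket and authenticator, as an added example that is not code from the slides or from the Kerberos library. It assumes the authenticator layout {c, addr, timestamp}K_{s,c} from the Kerberos V4 design, a 300-second skew window, and an HMAC-tagged JSON blob as a stand-in for encryption; all names and sample values are constructed.

```python
import hashlib, hmac, json

MAX_SKEW = 300  # assumed clock-skew window for authenticators, in seconds

def seal(key, fields):
    """Stand-in for {fields}key: JSON plus an HMAC tag (no confidentiality)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed with this key")
    return json.loads(body)

class Service:
    def __init__(self, name, k_s):
        self.name, self.k_s, self.seen = name, k_s, set()

    def verify_request(self, ticket_blob, auth_blob, peer_addr, now):
        t = unseal(self.k_s, ticket_blob)                # {s,c,addr,timestamp,life,K_{s,c}}K_s
        a = unseal(bytes.fromhex(t["k_sc"]), auth_blob)  # {c,addr,timestamp}K_{s,c}
        if t["s"] != self.name:
            raise ValueError("ticket issued for another service")
        if now > t["timestamp"] + t["life"]:
            raise ValueError("ticket outside its lifetime")
        if (a["c"], a["addr"]) != (t["c"], t["addr"]) or a["addr"] != peer_addr:
            raise ValueError("client name or address mismatch")
        if abs(now - a["timestamp"]) > MAX_SKEW:
            raise ValueError("authenticator too old")
        key = (a["c"], a["addr"], a["timestamp"])        # replay-cache entry
        if key in self.seen:
            raise ValueError("authenticator replayed")
        self.seen.add(key)
        return t["c"]

def demo():
    """Constructed sample values; returns the outcome of each request."""
    k_s, k_sc = b"service-key", b"session-key"
    svc = Service("rlogin.host", k_s)
    ticket = seal(k_s, {"s": "rlogin.host", "c": "alice", "addr": "10.0.0.5",
                        "timestamp": 1000, "life": 8 * 3600, "k_sc": k_sc.hex()})
    def attempt(auth_key, ts):  # same ticket every time, new authenticator at time ts
        auth = seal(auth_key, {"c": "alice", "addr": "10.0.0.5", "timestamp": ts})
        try:
            return svc.verify_request(ticket, auth, "10.0.0.5", ts)
        except ValueError as e:
            return str(e)
    return [attempt(k_sc, 1000), attempt(k_sc, 1000), attempt(k_sc, 1060),
            attempt(b"guessed", 1090), attempt(k_sc, 1000 + 9 * 3600)]
```

The same ticket is accepted twice with fresh authenticators, while a repeated authenticator, an authenticator made without K_{s,c}, and a request after the ticket lifetime are each rejected.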
Scalability & Reliability
Slave (Read Only) Authentication Databases
Master Kerberos DB used for (Write) Administration Requests
Entire DB is propagated every hour
Common transactions can take place with replicated (Slave) servers
Open Issues & Questions
Ticket Lifetime? (Short-term Playback)
Integrity of workstation programs?
Scalability between realms?
Centralized authentication with Private-Key encryption advantages/disadvantages over Public-Key?