Kerberos 5

• Requires use of a Trusted Third Party (KDC)
• Protocol described in RFC 1510
• Simplified theoretical description, A wants to talk to B:
  • A sends {A,B} to T
  • T generates session key K, sends {E_A(K,B),E_B(K,A)} to A
  • A decrypts E_A(K,B), sends {E_K(A,t),E_B(K,A)} to B
  • B decrypts E_B(K,A), decrypts E_K(A,t) (authenticates A to B)
  • B sends E_K(B,t) to A (authenticates B to A)
• How does this provide single sign on?
  • KDC composed of two components,
    • Authentication Service (AS)
    • Ticket Granting Service (TGS)
  • T above is the AS
  • B above is the TGS
• How this works in practice:
  • kinit
  • telnet -x