Kerberos

08 Aug 2017

In this post, I’m going to attempt to explain Kerberos authentication using a sports analogy.

The Kerberos Game

Imagine you want to go to a sporting event in town.

The sporting event is using a super secure ticket system to make sure people going to the game are who they say they are, and that they are purchasing valid tickets for the game.

To facilitate this ticket system, the local Bank is helping to validate everyone, since in this town they have everyone’s bank passwords.

The 4 main players in this ticket system are:

  1. The Person (The User)
  2. The Ticket Booth (The Ticket Granting Server)
  3. The Ticket Gate (The HTTP Service)
  4. The Bank (The Authentication Server)

The basic flow of the ticket system is:

  1. Go to the Ticket Booth and ask for a ticket.
  2. Ticket Booth uses Bank to confirm your identity, then gives you a ticket.
  3. Take your ticket to the Ticket Gate
  4. Ticket Gate uses Bank to confirm your purchase with the Ticket Booth.
  5. Enjoy the game!

The Ticket Booth

So you go to the Ticket Booth and ask to purchase a ticket to the game. The Ticket Booth asks for your name, before taking your money, because they need to verify your identity. The Ticket Booth sends your name to the Bank requesting a verification of your identity.

Now, as a part of this super secure ticket system, the Bank has agreed that they will NOT send anyone’s password to anyone else. Only you and the Bank know your password, and the same goes for the Ticket Booth and Ticket Gate.

Now let’s pause real quick and explain encrypting and decrypting.

A message written using a key can only be read by someone with that same key.

Okay, onwards!

Upon receiving your name from the Ticket Booth, the Bank first checks that you and the Ticket Booth are in the Bank’s records and that you both have passwords. The Bank then creates a temporary password called a session key, which we will call the ticket key.

The Bank then writes two messages for the Ticket Booth, Message A and B. Message A has your name and the ticket key, and is encrypted using your password. Message B is almost identical, it also has your name and the ticket key, but is encrypted using the Ticket Booth’s password.

The Bank then gives these messages to the Ticket Booth. Notice that the Ticket Booth can decrypt Message B, but NOT Message A, because Message B was encrypted with the Ticket Booth’s password, and Message A was encrypted with your password, which the Ticket Booth was not given.

BANK SEND Message A & B

 Message A           Message B
╔═your password═╗   ╔═ticket booth password═╗
║   your name   ║   ║       your name       ║
║  ticket key   ║   ║      ticket key       ║
╚═══════════════╝   ╚═══════════════════════╝

But the Ticket Booth does not decrypt Message B yet; instead, it gives these messages to you and asks you to decrypt Message A to authenticate yourself, and then to send the Ticket Booth a message saying which game you’d like to buy a ticket for.

Looking at the two messages, you decrypt Message A with your password and find your name and the Bank’s ticket key, but you can NOT decrypt Message B, since you do not have the Ticket Booth’s password.

YOU DECRYPT Message A

✓ Message A         ✗ Message B
┌─your password─┐   ╔═ticket booth password═╗
│   your name   │   ║       your name       ║
│  ticket key   │   ║      ticket key       ║
└───────────────┘   ╚═══════════════════════╝

Decoding Message A and sending the ticket key to the Ticket Booth is enough to authenticate yourself to the Ticket Booth, since the Ticket Booth could decrypt Message B and compare the ticket keys, but you want to make sure that this Ticket Booth is a valid Ticket Booth and not some scammer.

So now it is your turn to write some messages! You are going to write two messages for the Ticket Booth, Message C and D. Message C has your name, and is encrypted using the ticket key (only someone with the ticket key can decrypt it). Message D has the game you want a ticket for, and is not encrypted, but written in plain text (it is not a secret that you want to go to this game).

YOU SEND Message C & D

Message C        Message D
╔═ticket key═╗   ┌─────────────┐
║ your name  ║   │  game name  │
╚════════════╝   └─────────────┘

Upon receiving your messages, the Ticket Booth first checks that the sporting event in Message D exists and that it has a Ticket Gate. The Ticket Booth then decrypts Message B, finds the ticket key, and uses it to decrypt Message C. The Ticket Booth then compares your name in Message C to your name in Message B; if they match, then you and the Ticket Booth have authenticated yourselves!

TICKET BOOTH DECRYPT Message B

✗ Message A         ✓ Message B
╔═your password═╗   ┌─ticket booth password─┐
║   your name   ║   │       your name       │
║  ticket key   ║   │      ticket key       │
╚═══════════════╝   └───────────────────────┘

TICKET BOOTH DECRYPT Message C

✓ Message C       Message D
┌─ticket key─┐   ┌─────────────┐
│ your name  │   │  game name  │
└────────────┘   └─────────────┘

TICKET BOOTH COMPARE Names

✓ (Message B(your name)) EQUALS (Message C(your name))

This works because the only way that the Ticket Booth could have decrypted Message C from you, which was encrypted with the Bank’s ticket key, was to decrypt Message B from the Bank, which was encrypted with the Ticket Booth’s password.

And the only way YOU could have gotten the ticket key from the Bank, in the first place, was to be able to decrypt Message A, which was encrypted with your password.

Woah!

The Ticket

But you still need your ticket to get into the game.

Satisfied that you are you, the Ticket Booth asks the Bank to create another session key, that we will call the gate key, and write two more messages, Message E and F. Message E has your name, the Ticket Gate’s name, and the gate key, and is encrypted using the Ticket Gate’s password. Message F has the Ticket Gate’s name and the gate key, and is encrypted using the original ticket key. The Ticket Booth takes these messages and sends them to you as your “ticket” to the game!

BANK SEND Message E & F

Message E           Message F
╔═gate password═╗   ╔═ticket key═╗
║   your name   ║   ║  gate name ║
║   gate name   ║   ║  gate key  ║
║   gate key    ║   ╚════════════╝
╚═══════════════╝

You now take your “ticket” to the Ticket Gate to finally enter the game (sort of…)

The Ticket Gate

Once you get to the Ticket Gate, they also want to make sure you are you and that you bought that “ticket” from a valid Ticket Booth. They ask you to write them a message using the gate key the Bank created and the Ticket Booth gave you.

You start by decoding Message F using the original ticket key and find the gate key, and similar to before, you write a message, Message G, with your name and encode this message using the gate key.

You then send the Ticket Gate Message G and the message you got from the Ticket Booth, Message E.

YOU DECRYPT Message F

✗ Message E         ✓ Message F
╔═gate password═╗   ┌─ticket key─┐
║   your name   ║   │  gate name │
║   gate name   ║   │  gate key  │
║   gate key    ║   └────────────┘
╚═══════════════╝

YOU SEND Message E & G

Message E           Message G
╔═gate password═╗   ╔══gate key══╗
║   your name   ║   ║  your name ║
║   gate name   ║   ╚════════════╝
║   gate key    ║
╚═══════════════╝

The Ticket Gate decrypts Message E using its password, and finds the gate key, which it uses to decrypt the message you wrote, Message G.

The Ticket Gate then compares your name from Message E and Message G; if they match, then the Ticket Gate has validated that you are you and that you bought this ticket from a valid Ticket Booth!

TICKET GATE DECRYPT Message E

✓ Message E          Message G
┌─gate password─┐   ╔══gate key══╗
│   your name   │   ║  your name ║
│   gate name   │   ╚════════════╝
│   gate key    │
└───────────────┘

TICKET GATE DECRYPT Message G

✓ Message E         ✓ Message G
┌─gate password─┐   ┌──gate key──┐
│   your name   │   │  your name │
│   gate name   │   └────────────┘
│   gate key    │
└───────────────┘

TICKET GATE COMPARE Names

✓ (Message E(your name)) EQUALS (Message G(your name))

Again, this works because the only way that the Ticket Gate could have decrypted Message G from you, which was encrypted with the Bank’s gate key, was to decrypt Message E from the Bank, which was encrypted with the Ticket Gate’s password.

And the only way YOU could have gotten the gate key from the Bank, was to be able to decrypt Message F, which was encrypted with the Bank’s ticket key, which you had because you had authenticated with a valid Ticket Booth.

Woah!!

The Game

So the Ticket Gate is now ready to let you into the game by… creating another message, Message H, which contains the gate’s name and is encrypted using the gate key.

The Ticket Gate sends you this final message.

TICKET GATE SEND Message H

Message H
╔══gate key══╗
║  gate name ║
╚════════════╝

You decrypt Message H using the gate key, and compare the Ticket Gate’s name from Message H to the Ticket Gate’s name from Message F.

YOU DECRYPT Message H

✓ Message H
┌──gate key──┐
│  gate name │
└────────────┘

YOU COMPARE Gates

✓ Message F      ✓ Message H
┌─ticket key─┐   ┌──gate key──┐
│  gate name │   │  gate name │
│  gate key  │   └────────────┘
└────────────┘

✓ (Message F(gate name)) EQUALS (Message H(gate name))

This last step is important because it lets you verify the Ticket Gate is not lying about who it is. Because the only way this Ticket Gate could have written a message encrypted with the gate key was if it was able to decrypt Message E, written by the Bank and encrypted with the Ticket Gate’s password.

And because the Ticket Gate’s name in Message H, written by the Ticket Gate, matches the Ticket Gate name in Message F, written by the Bank, you can be certain that this Ticket Gate is the gate to the game you’ve been dying to go see.
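To make the whole game concrete, here is an added Python simulation of Messages A through H, covering both the Ticket Booth exchange and the Ticket Gate exchange above. It is example code written for this post, not code from the original. It assumes a toy authenticated encryption (a SHA-256 keystream plus an HMAC tag, so that opening a message with the wrong key fails loudly rather than returning garbage; it is an illustration, not a real cipher), and the names, passwords and game list are constructed sample values.

```python
import hashlib
import hmac
import json
import os

# --- Toy encryption (illustration only): a message written with a key can be
# read only with that same key. The HMAC tag turns "wrong key" into an error.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, message: dict) -> bytes:
    plaintext = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt: wrong key")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def can_read(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False

# --- The Bank (Authentication Server): the only party holding every password.
# Constructed sample records for the example.
BANK_RECORDS = {"alice": b"alice-password", "ticket-booth": b"booth-password", "ticket-gate": b"gate-password"}
GAMES = {"big game": "ticket-gate"}  # constructed: game name -> its Ticket Gate

def bank_messages_a_b(user: str, booth: str = "ticket-booth"):
    """Bank checks both are on record, mints the ticket key, writes A (your key) and B (booth's key)."""
    if user not in BANK_RECORDS or booth not in BANK_RECORDS:
        raise LookupError("unknown party")
    body = {"name": user, "key": os.urandom(32).hex()}
    return encrypt(BANK_RECORDS[user], body), encrypt(BANK_RECORDS[booth], body)

def bank_messages_e_f(user: str, gate: str, ticket_key: bytes):
    """Bank mints the gate key, writes E (gate's password) and F (ticket key)."""
    gate_key = os.urandom(32).hex()
    msg_e = encrypt(BANK_RECORDS[gate], {"name": user, "gate": gate, "key": gate_key})
    msg_f = encrypt(ticket_key, {"gate": gate, "key": gate_key})
    return msg_e, msg_f

# --- The Ticket Booth (Ticket Granting Server): knows only its own password.
def ticket_booth(own_password: bytes, msg_b: bytes, msg_c: bytes, msg_d: dict):
    gate = GAMES.get(msg_d["game"])          # D is plaintext: does the game exist and have a gate?
    if gate is None:
        raise LookupError("no such game")
    b = decrypt(own_password, msg_b)         # open B, learn the ticket key
    ticket_key = bytes.fromhex(b["key"])
    c = decrypt(ticket_key, msg_c)           # open C with the ticket key
    if c["name"] != b["name"]:               # compare names from B and C
        raise PermissionError("name in C does not match name in B")
    return bank_messages_e_f(b["name"], gate, ticket_key)

# --- The Ticket Gate (the service): knows only its own password.
def ticket_gate(own_password: bytes, msg_e: bytes, msg_g: bytes) -> bytes:
    e = decrypt(own_password, msg_e)         # open E, learn the gate key
    gate_key = bytes.fromhex(e["key"])
    g = decrypt(gate_key, msg_g)             # open G with the gate key
    if g["name"] != e["name"]:               # compare names from E and G
        raise PermissionError("name in G does not match name in E")
    return encrypt(gate_key, {"gate": e["gate"]})   # Message H proves the gate held E

# --- You (the user): knows only your own password.
def attend_game(user: str, password: bytes, game: str) -> dict:
    msg_a, msg_b = bank_messages_a_b(user)                 # Bank -> Booth -> forwarded to you
    ticket_key = bytes.fromhex(decrypt(password, msg_a)["key"])   # only your password opens A
    msg_c = encrypt(ticket_key, {"name": user})            # C: your name under the ticket key
    msg_e, msg_f = ticket_booth(BANK_RECORDS["ticket-booth"], msg_b, msg_c, {"game": game})
    f = decrypt(ticket_key, msg_f)                         # F opens with the ticket key you already hold
    gate_key = bytes.fromhex(f["key"])
    msg_g = encrypt(gate_key, {"name": user})              # G: your name under the gate key
    msg_h = ticket_gate(BANK_RECORDS["ticket-gate"], msg_e, msg_g)
    if decrypt(gate_key, msg_h)["gate"] != f["gate"]:      # gate name in H must match gate name in F
        raise PermissionError("this gate is not the one the Bank named")
    return {"user": user, "game": game, "gate": f["gate"]}

def authenticates(user: str, password: bytes, game: str) -> bool:
    try:
        return attend_game(user, password, game)["gate"] == GAMES[game]
    except (ValueError, PermissionError, LookupError):
        return False
```

Each party is handed only its own password, so the trust boundaries of the analogy are visible in the calls: the Booth never sees Message A's key, the Gate never sees the ticket key, and a wrong password fails at Message A before any ticket is issued.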

The End!

Resources

For a more technical description of Kerberos, see the Kerberos Protocol Wikipedia page

For a somewhat less technical description (but still pretty technical), see this Blog Post