Figure 4.A: Conceptual steps in Kerberos distributed authentication
authorization layer. Notice that the client did not pass the password (or its
key) to the server at any point in time.
In reality, Kerberos authentication is more complex than the flow shown
in Figure 4.A. For example, in addition to the AS, Kerberos uses another
server called the Ticket Granting Server (TGS); together, the AS and the TGS
are called the Key Distribution Center (KDC). When a client wants to connect
to a server, it first connects to the AS and requests to be authenticated to
the TGS. The AS replies with a ticket for the TGS (called the Ticket Granting
Ticket, TGT) together with a session key; this reply is encrypted using the
client's key, so only a client that knows the password can read it, and the
password itself never leaves the client. Every time the client then wants to
connect to a server, it presents the TGT and requests a service ticket from
the TGS (and not the AS), and the reply from the TGS is not encrypted using
the client's key but rather using the session key inside the TGT. I did not
show this step in the flow shown in Figure 4.A, and Kerberos flows can be even
more complex (e.g., in the context of cross-realm authentication), but all
this is beyond the scope of this topic.
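The AS, TGS and service exchanges described above, modelled end to end as an added example (this is illustrative code written for this page, not code from the book or from any Kerberos implementation). A SHA-256 counter-mode keystream with an HMAC tag stands in for Kerberos's real encryption types, and the principal names (`alice`, `krbtgt`, `http/web01`), the password and the clock-skew limit are made-up values. The point it makes concrete is the one in the text: the client's long-term key is used exactly once, to open the AS reply, and the TGS reply is opened with the session key from the TGT.

```python
# Toy model of the Kerberos AS, TGS and AP exchanges (added example, not from
# the page). Toy cipher and made-up principals; see lead-in for assumptions.
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # assumed limit (seconds) on how stale an authenticator may be


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key; the password itself never travels.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def encrypt(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt.decode())


def check_authenticator(session_key: bytes, ticket: dict, authenticator: bytes) -> str:
    # Used by both the TGS and the service: the authenticator must open under
    # the session key carried in the ticket, name the same client, and be fresh.
    auth = decrypt(session_key, authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(time.time() - auth["time"]) > SKEW:
        raise ValueError("stale authenticator (possible replay)")
    return auth["client"]


class KDC:
    """AS and TGS sharing one principal database (name -> long-term key)."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, client: str):
        # AS-REP: a fresh session key, once under the client's key (readable
        # only by the password holder) and once inside the TGT under the
        # krbtgt key (readable only by the TGS). The client is not asked
        # for its password; decrypting the reply is the proof.
        sk = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "sk": sk})
        return encrypt(self.keys[client], {"sk": sk, "for": "krbtgt"}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS-REQ carries the TGT plus an authenticator. TGS-REP is encrypted
        # under the session key taken from the TGT, not the client's own key.
        t = decrypt(self.keys["krbtgt"], tgt)
        sk_tgs = bytes.fromhex(t["sk"])
        client = check_authenticator(sk_tgs, t, authenticator)
        sk = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": client, "sk": sk})
        return encrypt(sk_tgs, {"sk": sk, "for": service}), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # AP-REQ: the service needs only its own long-term key to verify the client.
    t = decrypt(service_key, ticket)
    return check_authenticator(bytes.fromhex(t["sk"]), t, authenticator)


def make_realm() -> dict:
    # Constructed sample realm: one user, the krbtgt key, one service key.
    keys = {"alice": derive_key("correct horse battery staple", "alice")}
    keys["krbtgt"] = os.urandom(32)
    keys["http/web01"] = os.urandom(32)
    return keys


def run_flow(password: str = "correct horse battery staple") -> str:
    """Full client run; returns the client name the service authenticated."""
    keys = make_realm()
    kdc = KDC(keys)
    # 1. AS exchange: only the name is sent; a wrong password means the HMAC
    #    on the AS reply fails and decrypt() raises ValueError.
    enc_rep, tgt = kdc.as_exchange("alice")
    sk_tgs = bytes.fromhex(decrypt(derive_key(password, "alice"), enc_rep)["sk"])
    # 2. TGS exchange: present the TGT, open the reply with the TGT session key.
    auth = encrypt(sk_tgs, {"client": "alice", "time": time.time()})
    enc_rep, ticket = kdc.tgs_exchange(tgt, auth, "http/web01")
    sk_svc = bytes.fromhex(decrypt(sk_tgs, enc_rep)["sk"])
    # 3. AP exchange: ticket plus a fresh authenticator under the service session key.
    auth = encrypt(sk_svc, {"client": "alice", "time": time.time()})
    return service_accept(keys["http/web01"], ticket, auth)


def password_accepted(password: str) -> bool:
    try:
        return run_flow(password) == "alice"
    except ValueError:
        return False
```

`run_flow()` walks all three exchanges for a single login; `password_accepted("wrong")` shows the failure mode the text implies: with a wrong password the client never gets past step 1 because it cannot open the AS reply, and nothing it sent on the wire contained the password or the derived key. The freshness check in `check_authenticator` is the minimum a real TGS or service does against replayed authenticators; real Kerberos also tracks recently seen authenticators within the skew window, which this toy omits.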