The four core requirements defined for the Kerberos authentication protocol are secure, reliable, transparent, and scalable. These requirements dictate how the protocol operates in a distributed network environment to provide strong and efficient authentication for clients and servers.
1. Secure
The primary requirement for Kerberos is to provide a highly secure method for authenticating users and services over an insecure network, such as the internet. It was designed to address the vulnerabilities of traditional network logins, where passwords could be intercepted in plaintext. Kerberos achieves security by:
- Preventing password transmission: Passwords are never sent across the network. Instead, a user's password is used to derive an encryption key, and all authentication messages are encrypted with various keys.
- Using symmetric key cryptography: Kerberos relies on a shared secret key between each entity (client, server, and Key Distribution Center) and uses symmetric encryption to protect all messages. An eavesdropper listening on the network gains no useful information.
- Providing mutual authentication: Kerberos verifies the identity of both the client and the server. This prevents a client from communicating with a counterfeit server and a server from accepting requests from an impersonating client.
- Employing timestamps: To prevent replay attacks, Kerberos tickets and authenticators contain timestamps and have a limited lifetime. This means an attacker who captures a legitimate message cannot re-use it later.
2. Reliable
A system's authentication service must be dependable and always available, as a failure could disrupt the entire network. Kerberos meets this requirement with a distributed server architecture.
- Decentralized administration: While the Key Distribution Center (KDC) is a critical component, its services can be distributed across multiple physical servers. This prevents the entire authentication system from failing if one server goes down.
- Redundancy and failover: In modern implementations, multiple KDCs can exist within a single realm (a group of systems using the same Kerberos database). If the primary KDC fails, clients can fall back to another KDC to ensure uninterrupted service.
3. Transparent
For users, the authentication process should be seamless and not require repeated logins for every new service. Kerberos is designed to be transparent, providing a "single sign-on" experience.
- Single sign-on (SSO): A user logs in once at the start of a session and is granted a special ticket-granting ticket (TGT). For the rest of the session, this TGT is used to automatically request service-specific tickets without requiring the user to re-enter their password.
- User unawareness: After the initial login, the user is unaware that multiple authentication steps are happening behind the scenes. This allows for a smoother user experience compared to logging into every individual application.
4. Scalable
The protocol must be able to support a large and growing number of users and servers without degrading performance. Kerberos is highly scalable.
- Decoupled authentication: The process of getting a service ticket is separate from the initial user authentication. Once a client has a TGT, they can get tickets for new services directly from the Ticket-Granting Server (TGS), without putting a load on the primary authentication server.
- Distributed key management: By centralizing key management on the KDC, application servers do not need to store user passwords. This simplifies administration and allows the network to scale by adding more application servers without increasing the authentication complexity on each one.
- Cross-realm authentication: For very large environments, Kerberos supports multiple, independently administered realms. This allows users in one realm to securely access resources in another realm, making it suitable for federated enterprise environments.