<\/p>\n
Kerberos Overview<\/h1>\nComponents<\/h2>\n
KDC Key distribution center<\/p>\n
- \n
- AS – Authentication Service<\/li>\n
- TGS – Ticket Granting Service<\/li>\n<\/ul>\n
Client<\/p>\n
- \n
- Could be a User’s PC<\/li>\n
- Could be a service that wishes to access another<\/li>\n<\/ul>\n
Server<\/p>\n
- \n
- What the client requires access to.<\/li>\n<\/ul>\n
Keys<\/h2>\n
- \n
- Long Term Keys\n
- \n
- Synonymous with Passwords<\/li>\n
- TGS ltk for the Ticket Granting Service<\/li>\n
- Service ltk for the service to be connected to<\/li>\n
- User ltk<\/li>\n<\/ul>\n<\/li>\n
- Session Keys (Short-Term Keys)\n
- \n
- Service Session key\n
- \n
- Limited lifetime<\/li>\n
- Unique for the Client’s connection to the service.<\/li>\n<\/ul>\n<\/li>\n
- TGS Session key\n
- \n
- Associated with the Client’s connection with the TGS.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Protocol Overview<\/h2>\n
Authentication Service Request<\/h3>\n
Initial Authentication<\/strong> (Not sure about this part)<\/p>\n
Client to AS: This is my ID in clear text<\/p>\n
AS to Client: Preauth error – You need to authenticate!<\/p>\n
KRB_AS REQ<\/strong>: Initial request from the Client (User) to the Authentication Service<\/p>\n
- \n
- Authenticator encrypted with the User’s LTK\n
- \n
- Information about who is requesting authenticating<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
KRB_AS_REP<\/strong>: Authenication Service to Client response<\/p>\n
- \n
- TGS Session Key encrypted using the User LTK\n
- \n
- Use this to talk to the TGS for a limited time.<\/li>\n<\/ul>\n<\/li>\n
- TGT (Ticket Granting Ticket) encrypted with the TGS LTK\n
- \n
- Client ID<\/li>\n
- Client IP address<\/li>\n
- Ticket validity period (sounds like a TTL)<\/li>\n
- TGS Session Key (copy of same above)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Ticket Granting Service Request<\/h3>\n
KRB_TGS_REQ<\/strong>: Client to Ticket Granting Service request<\/p>\n
- \n
- Authenticator encrypted with TGS Session Key\n
- \n
- Can be decrypted with the Session key sent from the AS<\/li>\n<\/ul>\n<\/li>\n
- TGT encrypted with the TGS LTK\n
- \n
- This is decrypted first so the TGS can extract the data in the Authenticator.<\/li>\n
- This allows the TGS to NOT need to keep copies of these keys.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
KRB_TGS_REP<\/strong>: TGS to Client response<\/p>\n
- \n
- Service Session Key encrypted using the TGS Session Key (Client has this)<\/li>\n
- Service Ticket encrypted with the Service’s LTK\n
- \n
- Client ID, IP, TTL<\/li>\n
- Service Session Key<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Client\/Service Authentication Request<\/h3>\n
KRB_AP_REQ*<\/strong>: Client to Service request<\/p>\n
- \n
- Authenticator encrypted with the Service Session Key<\/li>\n
- Service Ticket encrypted with the Service’s LTK<\/li>\n<\/ul>\n
KRB_AP_REP*<\/strong>: Service to Client response (optional?)<\/p>\n
- \n
- Authenticator encrypted with the Service Session Key\n
- \n
- Allows the client to know they’ve connected to the right service!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
* These services are unlikely to be viewed via WireShark directly because they are often wrapped\u00a0 within different protocols, such as GSSAPI.<\/p>\n
Delegating \/ Forwarding Authentication<\/h1>\n
- Allows the client to know they’ve connected to the right service!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Authenticator encrypted with the Service Session Key\n
- Authenticator encrypted with TGS Session Key\n
- TGS Session Key encrypted using the User LTK\n
- Information about who is requesting authenticating<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Authenticator encrypted with the User’s LTK\n
- Associated with the Client’s connection with the TGS.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Service Session key\n
- Long Term Keys\n
- What the client requires access to.<\/li>\n<\/ul>\n
![\"\"](\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/03\/Kerberos-Forwarding-Authentication.png\")
<\/a><\/p>\n![\"\"](\"http:\/\/wiki.thomasandsofia.com\/wp-content\/uploads\/2020\/03\/Kerberos-Cross-Realm-Authentication.png\")
<\/a><\/p>\n