Network service authentication: Kerberos

Kerberos (named after the three-headed dog guarding the entrance to Hades in Greek mythology) is a network authentication protocol developed at the Massachusetts Institute of Technology (MIT) that became a standard implementation in UNIX systems and networking equipment.

It is designed to provide strong authentication for client/server applications by using secret-key cryptography. In a typical modern IT infrastructure, geographically dispersed users request different services from servers deployed in other locations.

When a server receives a request from a user, it could trust the originating desktop machine to have properly authenticated the user before providing the service requested. That could be acceptable in a closely controlled environment, but is not reasonable in an open network.

If the other machines cannot be trusted, a server should require a separate authentication process where users are forced to prove their identity and privileges every time before accessing the service.

This process is inconvenient and generates a large number of authentication transactions on the network, which can unnecessarily expose user names and passwords.

The objective of the Kerberos protocol is to minimize the exchange of user name and password information over the network when a user requests services from the network. This is accomplished by the implementation of a third-party authentication service.

Kerberos keeps a database of clients and users together with their respective secret keys and encrypted passwords. Both network services and the clients/users wishing to use those services have to register with the Kerberos server.

Because it knows these secret keys, Kerberos can generate messages that convince each party of the identity of the other party.

Kerberos also generates temporary secret keys (session keys, delivered to the parties inside tickets) that are given only to the two parties participating in a transaction and are used to encrypt messages between them.
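The exchange described above, as an added example that is not part of the original article and not MIT Kerberos code: a trusted third party (the KDC) that holds every principal's long-term key issues a fresh session key sealed twice, once for the client under its password-derived key and once inside a ticket under the service's key, so the password itself never crosses the network. The service then checks the client's authenticator, its expiry, clock skew and a replay cache. The cipher here is a toy HMAC-based construction standing in for Kerberos' AES encryption types, the TGS step is omitted (a ticket-granting ticket works the same way with the KDC as the service), and the principal names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated encryption (encrypt-then-MAC over an HMAC-SHA256 keystream).
# Assumption: stands in for Kerberos' real encryption types so the example runs on the
# standard library alone; it is for illustration only, not a production cipher.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def _seal(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _long_term_key(principal: str, password: str) -> bytes:
    # Password-derived long-term key (Kerberos uses a salted string-to-key function).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class KDC:
    """Trusted third party holding every registered principal's long-term key."""
    def __init__(self, lifetime: int = 8 * 3600):
        self.db = {}              # principal name -> long-term key
        self.lifetime = lifetime  # ticket validity in seconds

    def register(self, principal: str, key: bytes) -> None:
        self.db[principal] = key

    def issue(self, client: str, service: str):
        """Simplified AS exchange: returns (reply sealed for client, ticket sealed for service).
        The session key is the only secret that travels, and only inside these two boxes."""
        session_key = os.urandom(32).hex()
        expires = time.time() + self.lifetime
        ticket = _seal(self.db[service], {"client": client, "key": session_key, "expires": expires})
        reply = _seal(self.db[client], {"service": service, "key": session_key, "expires": expires})
        return reply, ticket

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, _long_term_key(name, password)

    def credentials(self, kdc: KDC, service: str):
        """Open the KDC reply with the password-derived key, then build the authenticator
        that proves possession of the session key (the AP-REQ sent to the service)."""
        reply, ticket = kdc.issue(self.name, service)
        creds = _open(self.key, reply)  # raises ValueError if the password is wrong
        session_key = bytes.fromhex(creds["key"])
        authenticator = _seal(session_key, {"client": self.name, "ts": time.time()})
        return ticket, authenticator

class Service:
    def __init__(self, name: str, password: str, max_skew: int = 300):
        self.name, self.key, self.max_skew = name, _long_term_key(name, password), max_skew
        self.replay_cache = set()  # authenticators already accepted within the skew window

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """Verify an AP-REQ; returns the authenticated client name or raises ValueError."""
        t = _open(self.key, ticket)  # only the KDC knows this service's key
        if t["expires"] < time.time():
            raise ValueError("ticket expired")
        auth = _open(bytes.fromhex(t["key"]), authenticator)  # client holds the session key
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(auth["ts"] - time.time()) > self.max_skew:
            raise ValueError("authenticator outside allowed clock skew")
        if authenticator in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(authenticator)
        return t["client"]

def demo() -> dict:
    """Constructed scenario: one user, one service, one KDC; returns the outcomes."""
    kdc = KDC()
    alice = Client("alice@EXAMPLE.ORG", "correct horse battery")
    files = Service("host/files.example.org", os.urandom(16).hex())
    kdc.register(alice.name, alice.key)   # both parties register with the Kerberos server
    kdc.register(files.name, files.key)
    out = {}
    ticket, auth = alice.credentials(kdc, files.name)
    out["ok"] = files.accept(ticket, auth)
    try:                                  # same authenticator presented twice
        files.accept(ticket, auth)
        out["replay"] = "accepted"
    except ValueError as e:
        out["replay"] = str(e)
    try:                                  # right user name, wrong password
        Client("alice@EXAMPLE.ORG", "wrong guess").credentials(kdc, files.name)
        out["wrong_password"] = "accepted"
    except ValueError as e:
        out["wrong_password"] = str(e)
    return out

if __name__ == "__main__":
    print(demo())
```

The point worth noticing is where the password is used: only locally, to derive the key that opens the KDC reply. The service never sees it, and a wrong password fails at the client side before any authenticator is built.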

More information on Kerberos can be found at