The authentication protocol Kerberos allows a number of computers to prove their identity among them safely over an insecure network. The operation of the protocol is based on the Needham-Schroeder protocol, which defines a “trusted third party” called Key Distribution Center (KDC). William Stallings in his book Fundamentals of Network Security: Applications and Standards, Second Edition (p.394) defines a KDC as follows:

Authorized system to transmit temporary session key for users. Each session key is transmitted encrypted using a master key that the Key Distribution Center shares with the target user. William Stallings

The KDC can be seen as a set of two logic stages: an authentication server (AS) and an ticket granting server (TGS). The AS has the function to identify each user, validate their identity and give the client a key that allows to communicate with the TGS. Furthermore, the TGS is the responsible server for checking that the client possesses the authentication ticket and provides a key to the user that allows access to the requested services. This scenario is shown in Figure #1.

Figure #1: Components and communication flow of Kerberos protocol.

Kerberos performs a ticket management that allows users to prove their identity and get the keys for a particular service, these keys allow to two entities interact safely. This requires that the protocol perform a proper management of different databases in order to identify users, while maintaining another database of secret keys to assign to each entity, either client or server.

Figure #2 shows the produced messages flow by the Kerberos protocol, which clearly sees the contained information in each sent message between the different entities involved in the key exchange. It should be clarified that the previous communication that should be established between the client and the AS, which gives the user name and password entered by the user on the client, is not shown. However, the ticket management is quite clear.

When the client makes a request to the AS, the AS responds with two messages: the first sends the encrypted key that the client will share with the TGS, and the second packet should be forwarded to the TGS, this package cannot be decrypted by the client and contains information about the validation made by the AS.

Then, the client sends two messages to the TGS: in the first message forwards the packet that has been received from the AS, adding the type of the requested service and the second message is an authenticator which is encrypted with the key generated by the AS for the communication between client and TGS.

Now, the TGS responds to the client with the key that will be sharing with the requested service server and a ticket that only this server can decrypt and that the client must forward. The client forwards the ticket to the service server and also an authenticator encrypted with the provided key by the TGS for the communication, so that, the communication between client and service can be performed in encrypted form with that key.

Figure #2: Message Exchange of the Kerberos protocol.


  1. William Stallings. Fundamentals of Network Security: Applications and Standards, Second Edition. Pearson Education. 2004.