Explain working of Kerberos.
1 Answer
  1. Kerberos is an authentication service developed at MIT.
  2. It is a trusted key server system which provides a private-key third-party authentication service (i.e. a third entity is responsible for the authentication of a two-party communication).
  3. Why Kerberos? : Sending a username and password over a network medium jeopardizes security. Every time a password is sent, there is a chance of intrusion. Using firewalls is also not secure, as firewalls assume attacks come from the outside network, while the internal network itself can be intruded.
  4. Approach: We use the private-key cryptography approach (where both parties use the same key, e.g. DES). We use a third party who vouches for the identity of both parties involved in the transaction.
  5. Working: The working of Kerberos is explained in the following steps.
  • The user logs into the workstation (PC) and requests a service from a host machine. Instead of sending its username and password, the user sends a plaintext request to the Authentication Server (AS) for a Ticket that the user can use to talk to the Ticket Granting Server (TGS).
  • The AS finds the keys corresponding to the login name and the TGS. The AS creates a ticket which is made up of Ticket $\rightarrow$ {Login Name || TGS Name || Client n/w address || TGS Session key}. The AS encrypts the Ticket using the TGS's secret key.

    The AS also, at the same time, creates a random session key for the client and the TGS to use. The session key + Ticket is encrypted with the user's secret key.


  • The user now decrypts using the user's private key (password). He now possesses the session key and a ticket which he can use to contact the Ticket Granting Server (TGS). (Note: the client cannot see inside the ticket as it is encrypted with the TGS's private key.) The user now composes a message to send to the TGS for a ticket, which consists of


(The earlier ticket was known as the Ticket Granting Ticket, which was used to get access to the TGS. The new ticket that the TGS will issue in step 4 will be a Service-Granting Ticket, which can be used to access a Server/Service.)

  • The TGS, on receiving the message, decrypts the ticket using its secret key. Inside will be the TGS session key. The TGS decrypts the authenticator using the session key. The TGS checks that the user ID, password and server names are correct.
    It then builds a ticket for the client and the requested server. The ticket is encrypted with the server key. It also creates a session key and encrypts the entire message with the session key.

  • The user now decrypts the message received from the TGS using the TGS session key. The user now has a Session Key (granting him a certain time-slot duration for accessing the server) and a Ticket (to use the server).

    Using the format used in step 3, the user contacts the Server.

  • The Server verifies the Authenticator and the Ticket and then grants access to the server.

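The six steps of the answer above, as an added runnable example that is not part of the original answer and not real Kerberos (MIT/Heimdal) code. It models the three exchanges with symmetric keys only: the AS returns a TGT sealed under the TGS key plus the session key sealed under the user's key; the client builds an authenticator under that session key; the TGS and the service each decrypt the ticket with their own long-term key, decrypt the authenticator with the session key found inside, and check that the names match and the timestamp is fresh. Assumptions: a keyed HMAC-SHA256 keystream with a MAC tag stands in for the block cipher (the answer names DES); principal names (`alice`, `krbtgt`, `host/fileserver`), the 300-second clock skew, the ticket lifetime and the JSON message layouts are all invented for the example.

```python
"""Toy Kerberos flow: AS -> TGS -> service. Added example, not the page's own code.
Assumed: HMAC-based toy cipher in place of DES; principal names, lifetimes and
message layouts are constructed sample data."""
import hashlib, hmac, json, os, time

SKEW = 300            # accepted authenticator clock skew in seconds (assumed value)
LIFETIME = 8 * 3600   # ticket lifetime in seconds (assumed value)


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, obj):
    """Seal a JSON message: nonce || ciphertext || HMAC tag (toy stand-in for DES)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Check the tag first; a wrong key raises instead of yielding garbage plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password):
    """User's long-term key derived from the password (stand-in for Kerberos string2key)."""
    return hashlib.sha256(password.encode()).digest()


# KDC database of long-term secrets shared with each principal (constructed sample data)
KDC_DB = {
    "alice": string_to_key("correct horse"),
    "krbtgt": os.urandom(32),           # TGS secret key
    "host/fileserver": os.urandom(32),  # service's secret key
}


def as_exchange(login, tgs_name, client_addr):
    """Steps 1-2: AS issues TGT = E(K_tgs, {login, tgs, addr, session key}) and E(K_user, session key)."""
    session_key, exp = os.urandom(32).hex(), time.time() + LIFETIME
    ticket = {"login": login, "tgs": tgs_name, "addr": client_addr, "session_key": session_key, "expires": exp}
    return {"ticket": encrypt(KDC_DB[tgs_name], ticket),
            "enc_part": encrypt(KDC_DB[login], {"session_key": session_key, "tgs": tgs_name, "expires": exp})}


def make_authenticator(session_key_hex, login):
    """Client proves it knows the session key by sealing its name and a fresh timestamp."""
    return encrypt(bytes.fromhex(session_key_hex), {"login": login, "ts": time.time()})


def verify_ticket_and_authenticator(server_key, ticket_blob, auth_blob):
    """Check shared by TGS and service: ticket opens under our key, authenticator opens under
    the session key inside it, names agree, and both ticket and timestamp are fresh."""
    now = time.time()
    ticket = decrypt(server_key, ticket_blob)
    if ticket["expires"] < now:
        raise PermissionError("ticket expired")
    auth = decrypt(bytes.fromhex(ticket["session_key"]), auth_blob)
    if auth["login"] != ticket["login"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("authenticator outside clock skew (possible replay)")
    return ticket


def tgs_exchange(tgt_blob, auth_blob, service):
    """Steps 3-4: TGS validates TGT + authenticator, issues a service ticket under the server key."""
    tgt = verify_ticket_and_authenticator(KDC_DB["krbtgt"], tgt_blob, auth_blob)
    svc_key, exp = os.urandom(32).hex(), time.time() + LIFETIME
    st = {"login": tgt["login"], "service": service, "addr": tgt["addr"], "session_key": svc_key, "expires": exp}
    return {"ticket": encrypt(KDC_DB[service], st),
            "enc_part": encrypt(bytes.fromhex(tgt["session_key"]), {"session_key": svc_key, "service": service})}


def service_exchange(service, ticket_blob, auth_blob):
    """Steps 5-6: the server checks ticket + authenticator and returns the login it accepted."""
    return verify_ticket_and_authenticator(KDC_DB[service], ticket_blob, auth_blob)["login"]


def run_client(login, password, service="host/fileserver", addr="10.0.0.5"):
    """Whole client-side flow; the password never leaves the workstation."""
    rep = as_exchange(login, "krbtgt", addr)
    as_part = decrypt(string_to_key(password), rep["enc_part"])   # wrong password fails here
    tgs_rep = tgs_exchange(rep["ticket"], make_authenticator(as_part["session_key"], login), service)
    tgs_part = decrypt(bytes.fromhex(as_part["session_key"]), tgs_rep["enc_part"])
    return service_exchange(service, tgs_rep["ticket"], make_authenticator(tgs_part["session_key"], login))


def wrong_password_rejected():
    """Failure mode: a wrong password cannot open the AS reply, so no TGT session key is learned."""
    try:
        run_client("alice", "not the password")
    except ValueError:
        return True
    return False


def stale_authenticator_rejected():
    """Failure mode: an authenticator captured an hour ago is refused by the service."""
    rep = as_exchange("alice", "krbtgt", "10.0.0.5")
    sk = decrypt(KDC_DB["alice"], rep["enc_part"])["session_key"]
    tgs_rep = tgs_exchange(rep["ticket"], make_authenticator(sk, "alice"), "host/fileserver")
    svc_sk = decrypt(bytes.fromhex(sk), tgs_rep["enc_part"])["session_key"]
    old_auth = encrypt(bytes.fromhex(svc_sk), {"login": "alice", "ts": time.time() - 3600})
    try:
        service_exchange("host/fileserver", tgs_rep["ticket"], old_auth)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("service accepted:", run_client("alice", "correct horse"))
```

Two points the prose does not make explicit show up in the code: the client can only use the TGT because it can open `enc_part` with the password-derived key, so a wrong password fails at the AS reply without any password ever crossing the network, and the timestamp check in the authenticator is what stops a captured ticket + authenticator pair from being replayed later.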
