Network Security | Introduction to Penetration Testing, from zero to proficiency: learning the Kerberos authentication protocol

Table of contents

Kerberos 

Kerberos model

3. Basic concepts of Kerberos

3.1 Basic concepts

3.2 KDC

4. Principle of Kerberos

4.1 Client and Authentication Service

4.2 Client and Ticket Granting Service

4.3 Client and HTTP Service

5. Advantages of Kerberos


Kerberos is a computer network authentication protocol that lets parties prove their identity to each other securely over an insecure network. The name also refers to the software suite developed by the Massachusetts Institute of Technology that implements this protocol.

Kerberos 

Kerberos is an authentication protocol based on encrypted tickets. It consists of three main parts: the Key Distribution Center (KDC), the Client and the Service. Their approximate relationship is shown in the figure below:

 

Kerberos model

Kerberos is based on the Needham-Schroeder trusted-third-party protocol and originally used DES encryption (other algorithms can also be used). It shares a different secret key with each entity on the network, and knowledge of that key is the proof of identity.

Kerberos keeps a database of all clients and their secret keys. Because it knows everyone's secret key, it can generate a message that lets one entity verify the identity of another. Kerberos can also generate session keys for use by a single client and server pair (or two clients). The session key encrypts the communication between the two parties and is destroyed once the communication is complete.

The Kerberos protocol is as follows:

  • The client requests a ticket for the ticket-granting service (TGS, Ticket-Granting Service) from Kerberos; this ticket granting ticket (TGT, Ticket Granting Ticket) is encrypted with the user's secret key and sent to the user;

  • To use a specific server, the client requests a ticket for that server from the TGS, and the TGS sends the ticket back to the client;

  • The client presents this ticket, together with an authenticator, to the server; if the client's identity checks out, the server grants the client access to the service.

3. Basic concepts of Kerberos

3.1 Basic concepts

  • Principal: Roughly the equivalent of a username in the Kerberos world, used to identify an identity. A principal consists of three parts: primary, instance (optional) and realm. Principals that contain an instance are generally service principals, such as those of NameNode, HiveServer2 or Presto Coordinator; principals without an instance are generally client principals used for identity authentication. An example is shown in the figure below:

 

 

  • Keytab: A "password" file. It contains one or more principals together with their passwords, and users can authenticate with it instead of typing a password.
  • Ticket Cache: The file in which the client stores the authentication information obtained from its interaction with the KDC. Its contents are valid only for a short time and must be renewed regularly.
  • Realm: A namespace in the Kerberos system. Different Kerberos environments are distinguished by their realm.
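To make the primary/instance/realm structure described above concrete, here is a small parser for principal names, written as an added example (it is not code from the original post). It handles exactly the three-part shape the post describes, primary[/instance]@REALM, and treats a principal with an instance as a service principal, as the post does; real Kerberos also permits more than two name components and backslash escapes, which this simplified parser rejects. The sample principals and the realm EXAMPLE.COM are constructed values.

```python
"""Parse Kerberos principal names of the form primary[/instance]@REALM.

Added example, not from the original post.  Simplification: only the
primary/instance/realm shape is accepted; multi-component names and
backslash escapes (which real Kerberos allows) are rejected.
"""
import re
from dataclasses import dataclass
from typing import Optional

# primary, optional "/instance", optional "@REALM"; none of them may contain '/' or '@'
_PRINCIPAL = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?(?:@(?P<realm>[^/@]+))?$"
)


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    @property
    def is_service(self) -> bool:
        """Per the post: a principal that carries an instance is normally a service principal."""
        return self.instance is not None

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split a principal string into its parts; the realm falls back to default_realm when omitted."""
    m = _PRINCIPAL.match(text)
    if not m:
        raise ValueError(f"malformed principal: {text!r}")
    realm = m["realm"] or default_realm
    if realm is None:
        raise ValueError(f"no realm in {text!r} and no default realm configured")
    return Principal(m["primary"], m["instance"], realm)


if __name__ == "__main__":
    # constructed sample names: one client principal, two service principals
    for s in ("alice@EXAMPLE.COM", "hive/nn1.example.com@EXAMPLE.COM", "presto/coord.example.com"):
        p = parse_principal(s, default_realm="EXAMPLE.COM")
        print(f"{s:40} -> {p}  (service={p.is_service})")
```

The `default_realm` parameter mirrors how a client fills in a missing realm from its local configuration; a principal with no realm and no default is rejected rather than silently assigned one.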

3.2 KDC

The Key Distribution Center (KDC), the core component of Kerberos, consists of three main parts:

  • Kerberos Database: Contains all principals, passwords and related information for a Realm (default backend: BerkeleyDB).
  • Authentication Service (AS): Authenticates the user's information and issues Ticket Granting Tickets (TGT) to the client.
  • Ticket Granting Service (TGS): Verifies the TGT and Authenticator and issues Service Tickets to the client.

4. Principle of Kerberos

Before going into the principles of Kerberos in depth, here are several basic premises of the Kerberos protocol that will help in understanding it:

1. Kerberos authenticates identity with tickets rather than passwords. If the client cannot use its local key to decrypt the encrypted message returned by the KDC, authentication fails.

2. The client interacts with the Authentication Service, the Ticket Granting Service and the target Service in turn, three interactions in total.

3. Each time the client interacts with another component, it receives two pieces of information: one that it can decrypt with its local key, and one that it cannot.

4. The target service the client wants to access does not interact with the KDC directly; it authenticates the client by checking whether it can correctly decrypt the client's request.

5. The KDC Database contains the passwords corresponding to all principals.

6. Kerberos generally encrypts its messages with symmetric encryption (asymmetric encryption can be configured).

Next, we will take the client accessing the http service as an example to explain the whole authentication process.

4.1 Client and Authentication Service

In the first step, the client (via kinit USERNAME or another means) sends the Authentication Service the client ID, the target HTTP service ID, its network address (possibly a list of IP addresses for several machines, or empty if the ticket should be usable from any machine), and TGT information such as the requested lifetime.

 

In the second step, the Authentication Server checks whether the client ID is in the KDC database.

If the check succeeds, the KDC randomly generates a key for the client to use when communicating with the Ticket Granting Service (TGS). This key is generally called the TGS Session Key. The Authentication Server then sends two messages to the client. The schematic diagram is as follows:

One message is the TGT, which is encrypted with the TGS's key and cannot be decrypted by the client; it contains the client ID, the TGS Session Key and other information. The other message is encrypted with the client's key, so the client can decrypt it; it contains the target HTTP service ID, the TGS Session Key and other information.

In the third step, the client uses its local key to decrypt the second message. If the local key cannot decrypt it, authentication fails. The schematic diagram is as follows:

 

4.2 Client and Ticket Granting Service

At this point the client holds the TGT (which it cannot read, since it has no TGS key locally) and the TGS Session Key.

In the fourth step, the client:

  • Forwards the TGT it received from the AS (encrypted with the TGS key) to the TGS unchanged, without being able to read it
  • Sends the TGS an Authenticator containing its own information, encrypted with the TGS Session Key

 

In the fifth step, the TGS uses its own key to decrypt the TGS Session Key out of the TGT, and then uses the TGS Session Key to decrypt the client's information from the Authenticator. If the two agree, the TGS generates a new session key for the client and the HTTP service (the HTTP Session Key) and, following the same pattern as the AS reply, returns two messages: the HTTP Ticket, encrypted with the HTTP service's key, and a message encrypted with the TGS Session Key that carries the HTTP Session Key.

 

4.3 Client and HTTP Service

At this point the client holds the HTTP Ticket (which it cannot read, since it has no key for the HTTP service locally) and the HTTP Session Key.

In the seventh step, the client:

  • Forwards the HTTP Ticket it received from the TGS (encrypted with the HTTP service's key) to the target HTTP service unchanged, without being able to read it.
  • Sends the HTTP service an Authenticator containing its own information, encrypted with the HTTP Session Key.
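The three exchanges described in sections 4.1 to 4.3 (and summarised in the protocol overview earlier) can be walked through end to end in code. The following script is an added example, not code from the original post or from MIT Kerberos: it models the AS, the TGS, a client and an HTTP service as plain Python classes and shows which party can open which message. The "encryption" is a small HMAC-authenticated stream cipher built from hashlib so that the script runs offline; it is not a real Kerberos enctype. Principal names, passwords and the realm EXAMPLE.COM are constructed sample values, and the key-derivation salt is a simplification.

```python
"""Toy walk-through of the Kerberos AS, TGS and service exchanges.

Added example, not code from the original post.  encrypt/decrypt are a
hashlib-based stand-in for a real Kerberos enctype; names, passwords and
the realm are constructed sample values.
"""
import hashlib, hmac, json, os, time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt(key: bytes, msg: dict) -> bytes:
    """nonce || ciphertext || HMAC tag; only a holder of `key` can open or verify it."""
    nonce, pt = os.urandom(16), json.dumps(msg, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered message")  # premise 1: wrong local key => failure
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from the password; the principal name as salt is a simplification."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    """Kerberos database (principal -> key) plus the AS and TGS roles."""

    def __init__(self, realm: str, passwords: dict):
        self.db = {p: derive_key(pw, p) for p, pw in passwords.items()}
        self.tgs_key = self.db[f"krbtgt/{realm}@{realm}"]  # the TGS's own key

    def as_exchange(self, client_id: str, lifetime: int) -> tuple:
        """Steps 1-2: check the client exists, mint a TGS Session Key, return TGT + client message."""
        if client_id not in self.db:
            raise PermissionError("unknown principal")
        sk, expires = os.urandom(32).hex(), time.time() + lifetime
        tgt = encrypt(self.tgs_key, {"client": client_id, "key": sk, "expires": expires})
        for_client = encrypt(self.db[client_id], {"service": "krbtgt", "key": sk, "expires": expires})
        return tgt, for_client

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service_id: str) -> tuple:
        """Steps 4-6: open the TGT with the TGS key, check the Authenticator, issue the service ticket."""
        body = decrypt(self.tgs_key, tgt)
        auth = decrypt(bytes.fromhex(body["key"]), authenticator)
        if auth["client"] != body["client"] or body["expires"] < time.time():
            raise PermissionError("authenticator mismatch or expired TGT")
        if service_id not in self.db:
            raise PermissionError("unknown service")
        svc_sk = os.urandom(32).hex()
        ticket = encrypt(self.db[service_id], {"client": body["client"], "key": svc_sk, "expires": body["expires"]})
        for_client = encrypt(bytes.fromhex(body["key"]), {"service": service_id, "key": svc_sk})
        return ticket, for_client


class Service:
    """Target service: never contacts the KDC, only checks it can open the ticket (premise 4)."""

    def __init__(self, principal: str, password: str):
        self.id, self.key = principal, derive_key(password, principal)

    def handle(self, ticket: bytes, authenticator: bytes) -> str:
        body = decrypt(self.key, ticket)  # steps 7-8: only the service's key opens the ticket
        auth = decrypt(bytes.fromhex(body["key"]), authenticator)
        if auth["client"] != body["client"] or body["expires"] < time.time():
            raise PermissionError("ticket/authenticator mismatch")
        return f"{self.id} granted access to {auth['client']}"


class Client:
    def __init__(self, principal: str, password: str):
        self.id, self.key = principal, derive_key(password, principal)

    def kinit(self, kdc: KDC) -> None:
        self.tgt, reply = kdc.as_exchange(self.id, lifetime=8 * 3600)  # TGT stays opaque to us
        self.tgs_session_key = bytes.fromhex(decrypt(self.key, reply)["key"])  # step 3

    def _authenticator(self, key: bytes) -> bytes:
        return encrypt(key, {"client": self.id, "timestamp": time.time()})

    def access(self, kdc: KDC, service: Service) -> str:
        ticket, reply = kdc.tgs_exchange(self.tgt, self._authenticator(self.tgs_session_key), service.id)
        svc_session_key = bytes.fromhex(decrypt(self.tgs_session_key, reply)["key"])
        return service.handle(ticket, self._authenticator(svc_session_key))


def run_demo(client_password: str = "alice-pw") -> str:
    """Full flow with constructed principals; returns the service's reply or the denial reason."""
    realm = "EXAMPLE.COM"
    kdc = KDC(realm, {f"krbtgt/{realm}@{realm}": "kdc-secret", f"alice@{realm}": "alice-pw",
                      f"HTTP/web.example.com@{realm}": "http-secret"})
    http = Service(f"HTTP/web.example.com@{realm}", "http-secret")
    alice = Client(f"alice@{realm}", client_password)
    try:
        alice.kinit(kdc)
        return alice.access(kdc, http)
    except PermissionError as e:
        return f"denied: {e}"


if __name__ == "__main__":
    print(run_demo())            # access granted
    print(run_demo("wrong-pw"))  # step 3 fails: the client cannot open the AS reply
```

Two points worth noticing when reading it: the client never sends its password or key anywhere (it only proves possession by decrypting the AS reply and by encrypting Authenticators), and the HTTP service makes its decision purely from what it can decrypt with its own key, with no call to the KDC.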

 

 

5. Advantages of Kerberos

  1. Passwords are never transmitted over the network. Authentication is based on tickets, which keeps the keys secure.
  2. Mutual authentication. During the authentication process not only is the client authenticated, but the service being accessed is authenticated as well.
  3. High performance. Once the client has obtained a ticket for a given server, that server can verify the client from the ticket alone, without the KDC being involved again.

Origin: blog.csdn.net/qq_22903531/article/details/131326976