What Are the Advantages of Kerberos Authentication?

By Laura Gittins

Kerberos authentication allows for encrypted communication on open networks.

Kerberos is a network authentication protocol that uses encrypted tickets to pass information over nonsecure networks. Kerberos authentication presents several advantages over other network authentication methods, so that the nodes communicating with each other can trust that the information they're receiving is authentic and reliable, and that future sessions will have the same authenticity.

Mutual Authentication

When two nodes -- such as a client and server or server and server -- begin communications, they pass encrypted tickets through a trusted third-party system called the Key Distribution Center. The KDC passes a secret ticket with a decryption key to both nodes. The nodes then pass encrypted time stamps to each other and use the key to decrypt them. If they do so successfully, they authenticate their counterparts and can trust each other for as long as the session remains open.

Passwords

When a server attempts to authenticate a client computer using the Kerberos protocol, the client does not have to send a password -- thanks to the mutual authentication, both the client and the server have the necessary information needed to decrypt the tickets. This means that any packet sniffers eavesdropping on the communication will not have access to client or server passwords, let alone any other information passed during the session.

Integrated Sessions

When a client node is authenticated on a Kerberos-supported network, it receives a client ticket with an expiration time stamp. As long as the ticket has not expired, the client can use it to access any other network service that supports Kerberos authentication without having to re-authenticate itself. If the client's session on the network is still active but the ticket expires, the client may request a new ticket.
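
The ticket and time-stamp exchange described under Mutual Authentication, together with the ticket expiry check from Integrated Sessions, as an added example that is not part of the original article. It is a simplified model: the function names, the 300-second skew limit, the message fields and the SHA-256/HMAC toy cipher are assumptions standing in for a real Kerberos implementation.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds of clock difference tolerated (assumed value)

def _stream(key, nonce, n):
    # SHA-256 in counter mode as a keystream: a toy stand-in for a real Kerberos cipher
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def kdc_issue(client, client_key, server_key, now, lifetime=600):
    # The KDC picks a fresh session key and wraps one copy for each node
    session_key = os.urandom(32).hex()
    ticket = seal(server_key, {"client": client, "key": session_key, "expires": now + lifetime})
    return seal(client_key, {"key": session_key}), ticket

def client_authenticator(client, client_key, kdc_reply, now):
    # The client recovers the session key and encrypts a time stamp with it
    session_key = bytes.fromhex(unseal(client_key, kdc_reply)["key"])
    return session_key, seal(session_key, {"client": client, "ts": now})

def server_accept(server_key, ticket, authenticator, now):
    t = unseal(server_key, ticket)          # only the real server can open the ticket
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)  # proves the client holds the session key
    if a["client"] != t["client"] or abs(now - a["ts"]) > MAX_SKEW:
        raise ValueError("stale or mismatched authenticator")
    return seal(session_key, {"ts": a["ts"]})  # the echo proves the server to the client

def client_verify(session_key, server_reply, sent_ts):
    return unseal(session_key, server_reply)["ts"] == sent_ts

def demo(now=1_700_000_000):
    ck, sk = os.urandom(32), os.urandom(32)  # constructed long-term keys shared with the KDC
    kdc_reply, ticket = kdc_issue("alice", ck, sk, now)
    skey, auth = client_authenticator("alice", ck, kdc_reply, now + 1)
    return client_verify(skey, server_accept(sk, ticket, auth, now + 2), now + 1)
```

No password or long-term key crosses the wire in this model; a node that cannot open the ticket or the authenticator fails with `ValueError` instead of being authenticated.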

Renewable Sessions

Once a client and server have authenticated themselves to one another, they never have to do so again. As part of the mutual authentication, the client receives credentials from the server. When the client initiates a future session, it sends its credentials to the server, which recognizes them and immediately authenticates the client. This eliminates the need for a KDC, so the two nodes can establish a secure connection even faster than they did during their first session.
