Thursday, September 29, 2011

Daily Question: How Kerberos works?

Kerberos is a mutual authentication process built on top of tickets. The core idea behind Kerberos is that you don't hand your account password to each service you want to use. Instead, you keep all of your tickets on your local system and show each service only a ticket issued specifically for that service, one that can't be used for any other purpose.

When you first start using your system, you use your password to get a master ticket called a TGT (ticket-granting ticket). This master ticket expires after a certain time period, after which you need to enter your password again to get another one.

Whenever you go to a service that uses Kerberos, you show that master ticket to the Kerberos server and get a ticket specifically for that service. Then, you show the ticket just for that service to the service to prove who you are. All of those tickets are stored on your local system in what is called a ticket cache.
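The three steps above (password to TGT, TGT to service ticket, service ticket to service) as an added, runnable model; this is example code written for this page, not code from the original post or from any Kerberos implementation. The realm, principal names, ticket lifetimes and the HMAC-based "seal" cipher are all constructed stand-ins chosen for illustration; real Kerberos uses the RFC 4120 message formats and the RFC 3961 encryption types. What the model does reproduce is the key structure: the password never leaves the client, the TGT is readable only by the KDC, a service ticket is readable only by the one service it was issued for, and an expired TGT sends you back to your password.

```python
"""Toy model of the Kerberos ticket flow: AS exchange (password -> TGT), TGS exchange
(TGT -> service ticket), AP exchange (ticket -> service). Stand-in crypto; not RFC 4120."""
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"       # constructed realm name
TGT_LIFETIME = 10 * 3600    # seconds the master ticket (TGT) stays valid (constructed)
TICKET_LIFETIME = 3600      # seconds a per-service ticket stays valid (constructed)

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from a password (stand-in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{REALM}{principal}".encode(), 20_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag), illustration only."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not decryptable with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Knows every principal's long-term key; a password itself never crosses the wire."""
    def __init__(self, principals: dict):
        self.keys = dict(principals)
        self.keys["krbtgt"] = os.urandom(32)   # protects TGTs; known only to the KDC
    def as_exchange(self, cname: str, preauth: bytes, now: float):
        # Pre-authentication: the client proves it knows its key by sealing a fresh timestamp.
        if abs(unseal(self.keys[cname], preauth)["ts"] - now) > 300:
            raise ValueError("clock skew too large")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "sname": "krbtgt", "key": session, "end": now + TGT_LIFETIME})
        return tgt, seal(self.keys[cname], {"key": session})   # TGT plus the session key for the client
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: float):
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["end"]:
            raise ValueError("TGT expired: enter the password again to get a new one")
        if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        session = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": t["cname"], "sname": sname, "key": session, "end": now + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": session})

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = unseal(self.key, ticket)   # a ticket issued for another service fails right here
        if t["sname"] != self.name or now > t["end"]:
            raise ValueError("ticket not valid for this service now")
        if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match ticket")
        return t["cname"]

class Client:
    def __init__(self, name: str, kdc: KDC):
        self.name, self.kdc, self.cache = name, kdc, {}   # ticket cache holds tickets, never the password
    def kinit(self, password: str, now: float) -> None:
        key = string_to_key(password, self.name)
        tgt, enc = self.kdc.as_exchange(self.name, seal(key, {"ts": now}), now)
        self.cache["krbtgt"] = (tgt, bytes.fromhex(unseal(key, enc)["key"]))
    def get_ticket(self, sname: str, now: float) -> None:
        tgt, skey = self.cache["krbtgt"]
        ticket, enc = self.kdc.tgs_exchange(tgt, seal(skey, {"cname": self.name, "ts": now}), sname, now)
        self.cache[sname] = (ticket, bytes.fromhex(unseal(skey, enc)["key"]))
    def authenticate_to(self, service: Service, now: float) -> str:
        ticket, skey = self.cache[service.name]
        return service.accept(ticket, seal(skey, {"cname": self.name, "ts": now}), now)

def _outcome(action) -> str:
    try:
        action()
        return "accepted"
    except ValueError:
        return "rejected"

def demo() -> dict:
    now = 1_700_000_000.0   # constructed "current time" in Unix seconds
    web_key, mail_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": string_to_key("correct horse", "alice"), "http/web": web_key, "imap/mail": mail_key})
    web, mail = Service("http/web", web_key), Service("imap/mail", mail_key)
    out = {"wrong_password": _outcome(lambda: Client("alice", kdc).kinit("wrong password", now))}
    alice = Client("alice", kdc)
    alice.kinit("correct horse", now)
    alice.get_ticket("http/web", now)
    out["web_login"] = alice.authenticate_to(web, now)
    web_ticket, web_skey = alice.cache["http/web"]   # present the web ticket to the mail service
    out["web_ticket_at_mail"] = _outcome(lambda: mail.accept(web_ticket, seal(web_skey, {"cname": "alice", "ts": now}), now))
    out["expired_tgt"] = _outcome(lambda: alice.get_ticket("imap/mail", now + TGT_LIFETIME + 1))
    return out
```

`demo()` returns the four outcomes: a wrong password is rejected at the KDC without the password ever being sent, the web ticket logs `alice` in to the web service, the same ticket presented to the mail service is rejected because only the mail service's key can open a mail ticket, and a request made after the TGT lifetime fails until `kinit` is run again. The model covers only the client-to-service direction; the reply step by which the service proves itself back to the client (the "mutual" half) is left out for brevity.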

Using your password is like using a birth certificate, citizenship, or immigration papers to prove who you are. They contain all the information required to steal your identity, so you don't want to present them every time someone needs to identify you. Instead, you use those papers to get an identification card (a passport, a driver's license, a state ID card, or a Stanford ID card). That ID card is like a Kerberos TGT. You can then use that ID card to prove your identity and get other identifiers intended for specific situations: a movie ticket or a pre-paid phone card, for example. Single-purpose identifiers like movie tickets are similar to Kerberos service tickets.
