Introduction to the Kerberos authentication system

Kerberos [RFC4120] is a widely deployed authentication system. The authentication process in Kerberos involves principals and a Key Distribution Center (KDC). The principals represent users and services registered in a Kerberos realm. The KDC maintains a database of principals and shares a secret key with each one of them.

Overview

In order to access an actual service, the client must submit valid Kerberos credentials to the service. In the following, we present the Kerberos credentials and explain how they are used to authenticate users to services.

Kerberos credentials

The client must submit credentials that consist of two components, referred to as the Ticket and the Authenticator. A Ticket is a message encrypted using the secret key of the desired service. It contains information about the client and a secret session key. When a service receives a ticket, it can decrypt it using its secret key and obtain the secret session key. In order to prove its identity, the client must prove that it knows the session key included in the ticket. This is done by means of the Authenticator, which contains information about the client and must be encrypted using the secret session key. The service authorizes the client after successfully decrypting and validating the authenticator using the secret session key obtained from the ticket.

In summary, the client must obtain a Ticket and the associated secret session key (needed to build the Authenticator) from the KDC in order to access a certain service.

Kerberos exchanges

The Kerberos protocol specifies three exchanges: the Authentication Server (AS) exchange, the Ticket Granting Service (TGS) exchange and the Client/Server (AP) exchange.

[Figure: kerb.jpg]
The AS exchange allows the client to get credentials that it can use to prove its identity to the KDC. These realm-specific credentials consist of a Ticket referred to as the Ticket Granting Ticket (TGT), and the associated session key (referred to as the TGT session key). The AS exchange is initiated by the client by issuing an AS Request message (AS-REQ), to which the KDC replies with an AS Reply message (AS-REP) containing the TGT and the session key encrypted using the client's secret key.

The TGS exchange, on the other hand, allows the client to authenticate to the KDC using the TGT and obtain a Ticket for the desired service. For that, the client issues a TGS Request message (TGS-REQ) that contains the TGT and an Authenticator. The TGS-REQ also contains the name of the service that the client wants to access. After validating the TGT and the Authenticator, the KDC issues a Ticket for the client and sends it along with the associated session key in a TGS-REP message. The newly generated session key is protected using the TGT session key shared between the client and the KDC.

The AP exchange takes place between the client and the service to authenticate the client before granting it access to the resources. The client initiates the authentication by issuing an AP Request message (AP-REQ) that contains a Ticket for the service and an Authenticator. After validating the credentials, the service authorizes the client and optionally sends an AP Reply message (AP-REP) to perform mutual authentication.
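The following is an added example, not code from the original page or from any Kerberos implementation: a toy model of the ticket/authenticator credentials described above and of the AS, TGS and AP exchanges, run end to end. The sealing primitive is a stand-in built from HMAC-SHA256 so the example runs with the standard library only; it is not a real Kerberos encryption type, and the principal names, message field names and keys are constructed for the demonstration.

```python
import hmac, json, os, time
def _ks(key, nonce, n):                     # toy keystream: HMAC-SHA256 in counter mode
    return b"".join(hmac.digest(key, nonce + bytes([i]), "sha256") for i in range(n // 32 + 1))
def seal(key, obj):                         # toy encrypt-then-MAC; NOT a real Kerberos enctype
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")
def unseal(key, blob):                      # raises ValueError unless `key` sealed the blob
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))
def make_authenticator(skey, client):       # proves the sender knows the ticket's session key
    return seal(skey, {"client": client, "time": time.time()})
def check_authenticator(skey, auth, ticket_client, skew=300):
    a = unseal(skey, auth)                  # fails unless the sender knew skey
    if a["client"] != ticket_client or abs(time.time() - a["time"]) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return a

class KDC:
    def __init__(self, principal_keys):     # principal -> long-term secret key; krbtgt key seals TGTs
        self.keys = dict(principal_keys, krbtgt=os.urandom(32))
    def _issue(self, svc, client):          # ticket under svc's key plus a fresh session key
        sk = os.urandom(32)
        return seal(self.keys[svc], {"client": client, "svc": svc, "skey": sk.hex()}), sk
    def as_exchange(self, client):          # AS-REQ -> AS-REP: TGT, session key under client's key
        tgt, tgt_sk = self._issue("krbtgt", client)
        return {"tgt": tgt, "enc": seal(self.keys[client], {"skey": tgt_sk.hex()})}
    def tgs_exchange(self, tgt, auth, svc): # TGS-REQ -> TGS-REP: service ticket, key under TGT key
        t = unseal(self.keys["krbtgt"], tgt)
        tgt_sk = bytes.fromhex(t["skey"])
        check_authenticator(tgt_sk, auth, t["client"])
        ticket, sk = self._issue(svc, t["client"])
        return {"ticket": ticket, "enc": seal(tgt_sk, {"skey": sk.hex()})}
def ap_exchange(service_key, ticket, auth): # service side of AP-REQ -> (client name, AP-REP)
    t = unseal(service_key, ticket)
    a = check_authenticator(bytes.fromhex(t["skey"]), auth, t["client"])
    return t["client"], seal(bytes.fromhex(t["skey"]), {"time": a["time"]})  # AP-REP: mutual auth
def run(client="alice", svc="host/fileserver", knows_session_key=True):
    ckey, skey = os.urandom(32), os.urandom(32)  # constructed long-term keys for the demo
    kdc = KDC({client: ckey, svc: skey})
    rep = kdc.as_exchange(client)
    tgt_sk = bytes.fromhex(unseal(ckey, rep["enc"])["skey"])   # only the client's key opens this
    tgs = kdc.tgs_exchange(rep["tgt"], make_authenticator(tgt_sk, client), svc)
    sk = bytes.fromhex(unseal(tgt_sk, tgs["enc"])["skey"]) if knows_session_key else os.urandom(32)
    try:
        return ap_exchange(skey, tgs["ticket"], make_authenticator(sk, client))[0]
    except ValueError:
        return None   # a ticket without its session key is not a usable credential
```

`run()` returns the authenticated client name; `run(knows_session_key=False)` shows that holding a ticket alone, without the session key needed to build the Authenticator, does not authenticate.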
