Friday 17 March 2017

Kerberos ticketing example in real life



Kerberos authentication is built on tickets: a client obtains tickets and then presents them to prove its identity and gain access. Windows domains and Active Directory are good examples of Kerberos in practice, and of how authentication and access work within a Windows domain environment.

Before we give a real-life example, we need to define a few terms that will help in understanding the three main steps of Kerberos authentication:

KDC: Key Distribution Center – responsible for key distribution (in Active Directory this role is held by the domain controller)

TGT: Ticket-Granting Ticket – an authentication ticket created by the KDC

TGS: Ticket-Granting Service – issues the service tickets needed to access the requested resources/servers



Now a real-life scenario:


Imagine you rent a couple of racks from a data center provider and need to access them on a daily basis. The provider has a head office and multiple data center locations, and you have a rack in each location. The data centers are shared facilities with many other customers, secured with gates and with preventive and monitoring controls. Here are the steps:

1- You identify yourself to the head office (KDC) by providing proof of identity: government-issued photo identification as well as your sales and contract documents with the data center provider.

2- The head office creates an identification card for you with an expiry date. The card carries an encrypted chip that can only be read by the head office itself. (TGT)

3- You send a request for access to the racks and locations you need. The head office checks that you are allowed, then adds the additional access data to the encrypted chip on your card. (TGS)

4- You then go to the data center locations and use your card to enter and reach your racks.

5- The data center reads the chip on your identification card (it can decrypt that data because it holds the required password and encryption keys), and once it sees that the head office has granted the access, it lets you in.

6- You can now access your own racks and resources in any of those data center locations.

7- Once the expiry date on the ID issued by the head office is reached, you have to start the whole process again from step 1 to get a new card or extend the ID.
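The same seven steps mapped back onto the protocol, as an added example that is not part of the original post: a small Python simulation of the AS exchange (steps 1-2), the TGS exchange (step 3), the service's own check (step 5) and expiry (step 7). A toy encrypt-then-MAC routine stands in for Kerberos' real ticket encryption, the authenticator sent with each ticket is omitted, and all principal names, keys and lifetimes are constructed for the example.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))

def seal(key: bytes, data: dict) -> bytes:
    """Toy encrypt-then-MAC (constructed), standing in for Kerberos' real ticket encryption."""
    pt = json.dumps(data).encode()
    nonce = os.urandom(16)
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def open_(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under this key, then decrypt it."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        raise ValueError("not sealed under this key")
    nonce, body = ct[:16], ct[16:]
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Head office: knows every principal's long-term key plus its own krbtgt key."""
    def __init__(self, keys: dict):
        self.keys, self.krbtgt = keys, os.urandom(32)

    def as_exchange(self, user, preauth, now=None, lifetime=36000):
        # Steps 1-2: proof of identity is a fresh timestamp sealed under the user's key
        # (pre-authentication); the TGT (the card) is sealed under krbtgt, so only the KDC reads it.
        now = now or time.time()
        if abs(open_(self.keys[user], preauth)["ts"] - now) > 300:
            raise PermissionError("pre-authentication failed")
        return seal(self.krbtgt, {"client": user, "expires": now + lifetime})

    def tgs_exchange(self, tgt, service, now=None):
        # Step 3: read the TGT, refuse it once expired (step 7), otherwise issue a service
        # ticket sealed under that service's own key (the extra data written to the chip).
        now = now or time.time()
        t = open_(self.krbtgt, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired: start again from step 1")
        return seal(self.keys[service], {"client": t["client"], "expires": now + 600})

def service_admits(service_key, ticket, now=None):
    # Step 5: the data center decrypts the ticket with its own key and checks the expiry.
    t = open_(service_key, ticket)
    return (now or time.time()) <= t["expires"]
```

Because only the KDC holds the krbtgt key and only the service holds its own key, a ticket sealed for one party fails `open_` at every other party, which is the property the encrypted chip in the analogy relies on.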
