I've tried to figure out how kerberos authentication works, the information which I found was always missing something as if a part of it was taken for granted. I am aware of the process in general but missing some details.
Getting TGT:
First a user should get a TGT (Ticket Granting Tickets) from the KDC - the user sends a request with only it's user name (UPN) and without it's password. Some extra information is given to prevent a resent of the request such as ip address and a timestamp. If preauthentication is required then the time is hashed with the user's password.
The KDC is sending the user back the following: A. TGT - with a timestamp, user name, ip address and a session key - the TGT is encrypted with a secret only the KDC knows and therefore cannot be changed by anyone.
B. Session key for the user and the KDC to be used in later communication. Those things are encrypted using the users password (a basic shared secret amongst the KDC and the user). In case a preauthentication was used the server will check if the timestamp was valid before sending the information back.The users receive the information and decrypt it using it's password - and then stores it in it's memory (kerberos tray).
Getting TGS:
When the user is requested to authenticate itself from a service he sends a request to the KDC for a TGS (Ticket Granting Service), the request contains the TGT, UPN and the SPN (Service Principal Name - say, the URI of a webpage).
The KDC then decrypts the TGT and validate it's authenticity, that it is corresponds with the UPN, from the same IP address and still valid (the ticket has an effective time period).
The KDC sends a TGS to the user encrypted with the service password.
The user presents the TGS to the service - which decrypts it using it's own password.
The authentication is complete since the service counts on the fact that it's password is only shared between it and the KDC so it trusts that the KDC authenticated the user earlier.
A few questions:
Am I missing something or that's it?
When does the user and the KDC ever use the session key? At what point? Why is it necessary? Why does the user password isn't enough?
There should also be a session key between the user and the service (to the best of my knowledge) - when and why is it used (same as the last question)?
Kerberos has a 5 minute gap limitation between all parties - I understand why keeping the time in sync is important since it is used as something that we encrypt and decrypt so how come any gap is OK? Why 5 minutes?
I'll be glad for any corrections if you have.
Thanks in advance, Tomer