Ah yes, the three headed dog… This came out of the Common Body of Knowledge for a while, but now it’s back, so we’ll need to understand it.
The three heads refer to the three systems: the principal (user), requesting system or key distribution center (KDC which can have both TGS and AS), and the destination file/application server. The tickets are encrypted with symmetrical encryption, and the key distribution center has the symmetric keys.
The way this works is that the principal logs into the key distribution center. The device sends a password hash to the KDC authentication service (AS), which after verifying, sends the user’s device a ticket from the ticket granting service (TGS). These tickets (ticket granting ticket, or TGT) are used to establish trust on the network. The TGT lasts 5 minutes to prevent replay. After the authentication to the KDC’s AS, the TGT is sent to both the user and to the ticket granting service, authorizing further interactions. The TGT is encrypted with a symmetric key that’s pre-shared between the AS and TGS.
The TGS then issues another ticket, the session ticket (ST) that’s encrypted with a different key that’s only known by the TGS and the resources/servers. Session tickets are valid between 8 and 10 hours, so the user who wants to access an application or file server will send the session ticket to the server, who then decrypts that session ticket using the 2nd symmetric key from the TGS to validate permissions. Tickets are kept in something called the Kerb tray, which is a non-pageable area of memory.
Lastly, Kerberos itself doesn’t encrypt the transmissions – some implementations can actually do that, but ISC2 is saying that it’s no good for securely transmitting data.
We understand that this is not confusing at all and super easy to understand! (Sarcasm)
We hope to provide some further illustrations on how Kerberos actually works, so please stay tuned. If we cannot find an external video we will create one for you.
(Note: a lot of articles and videos have conflicting information, so be warned).