34,333
edits
Changes
→Client Service Request
* Authentication is complete. The server provides the services to the client.
For all its complexity the Kerberos Authentication system is not without a few problems. First and foremost is that fact that the Key Distribution Center acts a single point of failure. If this service is unavailable it will not be possible for users to log into the service.
Secondly, the timestamps used by Kerberos requires that all systems in the process have clocks set to the same time (within 10 minutes of synchronization accuracy).
Finally, the secret keys for all users are stored on a single server which, if compromised, would in turn compromise all user keys.
== Mutual Authentication ==
Version 5 of Kerberos Authentication introduced the concept of ''mutual authentication'' (also known as two way authentication) whereby client and server verify the authenticity of each other. This intended to prevent so-called ''Man in the Middle'' attacks whereby a malicious party inserts itself between a client and server and masquerades itself as each to the other.
Under mutual authentication, one of the two systems creates a challenge code which it transmits to the other system. The second system in turn generates a response using the received challenge code and also creates its own challenge code, and are both transmitted back to the original system. The original system validates the response code and returns its own response code based on the challenge code send from the second system. Once the second system has validated its own response code from the original system it sends an acknowledgment message and authentication is complete.
