How is the initial request made to the Access Server in Kerberos?



  • I'm trying to understand how Kerberos works, in particular how the initial client sends a request to the Access Server. Some YouTube videos I've seen say the initial request is partially encrypted using the client's password. First, what is meant by "partially" encrypted? Second, considering a password is just an arbitrary string, I didn't think it could be used as a symmetric key. Can any string be a symmetric key? I thought there was a special process to derive keys.

    In another video I heard the message is not encrypted but a nonce is used to prevent a replay attack. If this is the case, how exactly does a nonce prevent a replay attack? The initial request must contain the password/hash, otherwise where's the actual security from any machine requesting a ticket?



  • Note that it's the Authentication Service, not access service.

    Why wouldn't a password be capable of being a symmetric key? It just needs to be the right length. Since Kerberos doesn't require users' passwords to be a certain length, what actually happens is the password is passed through a key derivation function (KDF). This output is considered the user's long term credential. Both the client and AS need to know this long term credential.

    What happens is the client sends the AS-REQ and the AS responds saying the user needs to do pre-auth. The client will resend the original request, but then the client will encrypt the current time to the long term credential and stick it in the pa-data list. This is the partial encryption bit. Only the timestamp is encrypted, while the rest of the message is cleartext.
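The KDF step this answer describes, worked through as an added example (not part of the original post). The post doesn't name an encryption type, so the code assumes the RFC 3962 aes128-cts-hmac-sha1-96 string-to-key with its default salt (realm followed by principal name) and checks itself against the RFC's own published test vector; PBKDF2 is written out by hand rather than pulled from a library.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898), written out so the example needs only the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)}) // INT(i)
		u := mac.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T_i = U_1 xor U_2 xor ... xor U_iter
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfoldKerberos is the 128-bit n-fold of "kerberos" (RFC 3961 Appendix A.1), the DK constant.
var nfoldKerberos = []byte{0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73, 0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93}

// String2Key128 is the RFC 3962 aes128-cts-hmac-sha1-96 string-to-key: PBKDF2 over the
// password with salt = realm + principal name (the default), then DK(tmp, "kerberos").
// A 128-bit key is one AES block, so CTS under a zero IV reduces to a single AES encryption.
func String2Key128(password, salt string, iter int) []byte {
	tmp := pbkdf2SHA1([]byte(password), []byte(salt), iter, 16)
	c, _ := aes.NewCipher(tmp) // cannot fail: tmp is always 16 bytes
	key := make([]byte, 16)
	c.Encrypt(key, nfoldKerberos)
	return key
}

func main() {
	// RFC 3962 Appendix B vector: 1 iteration, password "password", salt "ATHENA.MIT.EDUraeburn".
	fmt.Println(hex.EncodeToString(String2Key128("password", "ATHENA.MIT.EDUraeburn", 1))) // 42263c6e89f4fc28b8df68ee09799f15
}
```

Real KDCs use an iteration count of 4096 by default rather than the vector's 1; the derived 16 bytes are the long term credential both sides hold, and it is this key, not the password string, that later encrypts the pre-auth timestamp.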


