1. Bryant, B., T. Ts’o, Designing an Authentication System: a Dialogue in Four Scenes. MIT, 1988, 1997. A dramatic introduction to Kerberos. Only those who love reading plays will have the patience to pore over this document, but it is as entertaining a treatment of this subject as one is likely to find.
  2. Carlson, Fred R., and John McEachen, Opnet Performance Simulation of the Kerberos Protocol in a Single Ticket Granting Server (TGS) Network, presented at the Opnetwork conference, 1999. 
  3. Garfinkel, Simson and Gene Spafford. Web Security & Commerce, O’Reilly and Associates, Inc., 1997. For those familiar with the O’Reilly reference series, this text has a shark on the cover. Chapters 10 ff. offer excellent insights and comparisons between Kerberos and competing protocols. 
  4. Kerberos FAQ A plethora of information here is handy for specific questions.
  5. Kerberos Papers and Documentation web site contains a short but useful set of citations and references to information about Kerberos and related systems.It is an excellent starting point for research.Several of the references are reproduced as separate entries here.
  1. Kerberos Open Sources
  2. Kohl, John T. and B. Clifford Neuman. and Theodore Y. T'so, “The Evolution of the Kerberos Authentication System”. In Distributed Open Systems, pages 78-94. IEEE Computer Society Press, 1994.
  1. Kohl, John T. and B. Clifford Neuman. The Kerberos Network Authentication Service (Version 5). Internet Request for Comments RFC-1510. September 1993. Lengthy, but full of technical details and a robust glossary.
  2. Limitations of the Kerberos Authentication System, in USENIX Conference Proceedings, pp. 253--267, Winter 1991.
  3. Needham & Schroeder, “Authentication Revisited,” Operating Systems Rev. vol. 21, p. 7, Jan. 1987. 
  4. Oppliger, Rolf, Authentication Systems for Secure Networks, Artech House, 1996. Perhaps the best single text to serve as an entrée to this topic. Chapter 2 is concise, accessible, and fairly comprehensive.
  5. M. A. Sirbu, J. C-I Chuang. Distributed Authentication in Kerberos Using Public Key Cryptography, Carnegie Mellon University, Pittsburgh, PA,
  6. Tanenbaum, Andrew S. Computer Networks, 3rd Ed, Prentice Hall, 1996. Tanenbaum’s coverage of Kerberos is extremely brief, and focuses on Version 4. For more comprehensive coverage, and discussion of version 5, see Oppliger. 
  7. Tung, B. The Moron’s Guide to Kerberos, Version 1.2.2,
  8. Tung, B. Kerberos: A Network Authentication System. Addison-Wesley, Reading, MA, 1999.

Glossary of Terms (from RFC 1510 [6])

      Verifying the claimed identity of a principal.
Authentication header
      A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process.
Authentication path  
      A sequence of intermediate realms transited in the authentication process when communicating from one realm to another.
      A record containing information that can be shown to have been recently generated using the session key known only by the client and server.
      The process of determining whether a client may use a service, which objects the client is allowed to access, and the type of access allowed for each.
      A token that grants the bearer permission to access an object or service.  In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket.
      The output of an encryption function.  Encryption transforms plaintext into ciphertext.
      A process that makes use of a network service on behalf of a user.  Note that in some cases a Server may itself be a client of some other server (e.g., a print server may be a client of a file server).
      A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange.
      Key Distribution Center, a network service that supplies tickets and temporary session keys; or an instance of that service or the host on which it runs.  The KDC services both initial ticket and ticket-granting ticket requests.  The initial ticket portion is sometimes referred to as the Authentication Server (or service).  The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service).
      Aside from the 3-headed dog guarding Hades, the name given to project Athena's authentication service, the protocol used by that service, or the code used to implement the authentication service.
Nonce (entry added by author)
      A nonce is a unique instantiation of a cryptographic element.  In the context of authentication processes, a nonce is a temporary key.  For Kerberos, the term nonce refers to the session key.  
      The input to an encryption function or the output of a decryption function.  Decryption transforms ciphertext into plaintext.
      A uniquely named client or server instance that participates in a network communication.
Principal identifier
      The name used to uniquely identify each different principal.
Realm (entry added by author)
      Analogous to the more familiar network administration domain, a Kerberos realm is a domain of network operations with a unique identifying name.  By convention, the Kerberos realm is written in all capitals, e.g. ATHENA.MIT.EDU.               
      To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering.
Secret key
      An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime.  In the case of a human user's principal, the secret key is derived from a password.
      A particular Principal, which provides a resource to network clients.  [Note that the KDC, in providing authentication and ticket services, acts as both a Principal and a Server.]
      A resource provided to network clients, often provided by more than one server, for example, remote file service.
Session key

A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login "session".
Sub-session key
      A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association.
      A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key.  It only serves to authenticate a client when presented along with a fresh Authenticator.

[1] Though an unofficial source of information about Kerberos, this FAQ document offers generally accurate and current information about the Kerberos protocol.The author is Ken Hornstein.
[2] Garfinkel and Spafford, page 218.See bibliographic entries for publication data.This is an excellent text with a particularly useful comparison of encryption systems in use on the Internet.
[3] for a copy of the Internet Request For Comments, RFC-1510, dated September 1993.
[4] This web site offers a history of MIT’s Project Athena.
[5] Oppliger, page 29.Chapter 2 (29-62) offers the most concise, accessible, and objective explanation of the Kerberos protocol that I have found.I highly commend it as a starting point for those interested in researching this topic further.
[6] See Needham and Schroeder.“Authentication Revisited,” Operating Systems Rev. vol. 21, p. 7, Jan. 1987.
[7] is a site to obtain the latest information on versions of the protocol.
[8] to download the current version.Check the MIT site listed above if the link does not work, as version updates may invalidate this address.
[9] Kerberos terminology should be readily accessible to those with a fundamental grasp of networks.A few terms are defined and used outside of conventional use, but the exceptions are few and not too bothersome.
[10] Though the AS and TGS processes can be run on separate computers, both require physical security and administrative management, so combining both functions on one computers is not only reasonable, but resource-efficient.See Oppliger, pp. 32-3.
[11] This figure reproduced from Figure 1.3, Oppliger, page 22.
[12] The Tanenbaum diagram is in this report specifically at Professor Blum’s request.The diagram is useful conceptually, showing the three-way handshake and separation of the AS, TGS, and server.Tanenbaum’s use of terminology is rather confusing however.For example, he uses the term “session key” to refer to both the fixed key returned by the AS as well as the nonce delivered by the TGS.For an alternative presentation, see Oppliger.
[13] Remember that “client” here refers to the process carried out by Kerberos-implementing software.The user is the human being who logs in to the client.The client acts upon input from the user to initiate the authentication process to the AS.
[14] The dotted line for step 6 in Figure 3 is Oppliger’s way of showing that the client may not require the mutual authentication completed by the server responding to the client.
[15] Oppliger, 31.Throughout the entire terminology section, I quote and paraphrase chapter 2, since Oppliger’s presentation is exceptionally lucid.
[16] For a detailed discussion of queuing delays and Kerberos authentication process modeling, see Carlson and McEachen.
[17] See Garfinkel and Spafford, chapter 11, for a tabular comparison of encryption systems and competing authentication protocols.
[18] See Carlson and McEachen.I owe a debt of thanks to Captain Fred (Randy) Carlson for his helpful comments and excellent analysis of the Kerberos protocol via OPNET modeling.His paper demonstrates the viability of the Kerberos protocol as an efficient method to implement secure service requests.Per discussion with Randy, I noted that his model does not include the queue time for the authentication server function in Step 2; however, this omission does not detract from the conclusion that Kerberos encryption overhead has minimal impact on throughput delays in small, modest networks.