@Sven-Richter , Thank you for the clarification... I was looking at the wrong section of the course...
The process being described in the episode involves the use of a smartcard, which can add a layer of complexity/confusion because its process occurs outside of the initial operations of the Kerberos process ...
Assume that steps 1 - 3 in/on the slide correspond to steps 1 - 3 in the listing below.
Assume that step 4 in/on the slide corresponds to step 4 in the listing below.
Let's see if the following will help to clarify:
Kerberos - ticket based authentication solution relying on symmetric encryption using AES. Provides Confidentiality and Integrity for authentication traffic end to end, protecting against replay attacks and eavesdropping.
1. Key Distribution Center (KDC) - trusted third party that provides authentication services. Maintains the secret keys for all registered entities.
2. Authentication Server (AS) - verifies and accepts/rejects tickets based on authenticity and timeliness.
3. Ticket Granting Server (TGS) - issues tickets to authorized users
The KDC's functionality overall is broken down into the AS and TGS elements. In many Kerberos implementations the KDC is implemented as a single-server solution, with the AS and TGS functionality provided as services running on the KDC.
Ticket - an encrypted message that provides some form or type of proof depending on what type of ticket it is. 2 types:
a. Ticket-Granting Ticket (TGT) - proof that a subject has authenticated through a KDC successfully and is authorized to request additional Service Tickets to access objects
b. Service Ticket (ST) - proof that a subject is authorized to access an object
Kerberos logon process:
1. user provides a username and password through a client
2. client sends ONLY the username to the KDC (user password is NEVER sent)
3. KDC verifies username against directory database
4. KDC generates a symmetric key to be used by the client and the KDC to communicate. It encrypts the key with a hash of the user's password. KDC also generates an encrypted time-stamped Ticket Granting Ticket (TGT).
5. KDC transmits the encrypted symmetric key and the TGT to the client
6. Client installs the TGT and uses it until it expires. Client also will decrypt the symmetric key from the KDC by using a hash of their password
Client attempting access to an object:
1. client sends their TGT back to the KDC along with a request to access the resource
2. KDC verifies that the TGT is valid, and that the user has proper authorization to access the resource
3. KDC generates a Service Ticket (ST) and sends it to the client
4. client sends the ST to the appropriate server hosting the resource or providing the service
5. the server verifies ST validity with the KDC
6. client is granted access to the resource
Hopefully that helps....
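As an added example (not part of the post or the course material), the two listings above modelled in stdlib-only Python: the AS exchange seals the session key under the password hash and the TGT under a key only the KDC holds, the TGS exchange checks the TGT's integrity, expiry and the ACL before issuing a Service Ticket, and the service checks the ST with the key it shares with the KDC. The SHA-256/HMAC seal is a stand-in for the AES used by real Kerberos; the user, password, service name and keys are constructed.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    # Toy stand-in for AES: SHA-256 counter-mode keystream (demo only, not real Kerberos crypto)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))

def seal(key, obj):
    # Encrypt a JSON-serialisable dict under `key` and append an HMAC tag (confidentiality + integrity)
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")  # a wrong password lands here too
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.kdc_key = os.urandom(32)  # long-term key only the KDC knows; TGTs are sealed with it
        # constructed directory: stored password hashes, service keys shared with each service, and an ACL
        self.users = {"alice": hashlib.sha256(b"correct-horse").digest()}
        self.service_keys = {"cifs/fs01": os.urandom(32)}
        self.acl = {"cifs/fs01": {"alice"}}

    def as_exchange(self, username):
        # logon steps 2-5: only the username arrives; the session key goes back sealed under the password hash
        session = os.urandom(32).hex()
        tgt = seal(self.kdc_key, {"user": username, "session": session, "exp": time.time() + 600})
        return seal(self.users[username], {"session": session}), tgt

    def tgs_exchange(self, tgt, service):
        # access steps 1-3: validate the TGT (integrity, expiry) and the ACL, then issue a Service Ticket
        t = unseal(self.kdc_key, tgt)
        if t["exp"] < time.time():
            raise PermissionError("TGT expired")
        if t["user"] not in self.acl.get(service, set()):
            raise PermissionError(f"{t['user']} not authorized for {service}")
        return seal(self.service_keys[service], {"user": t["user"], "service": service, "exp": time.time() + 600})

def client_logon(kdc, username, password):
    # logon steps 1 and 6: the client never sends the password; it only uses its hash to unseal the session key
    enc_session, tgt = kdc.as_exchange(username)
    return unseal(hashlib.sha256(password.encode()).digest(), enc_session)["session"], tgt

def service_accept(service_key, service_name, st):
    # access steps 4-6: the service checks the ST with the key it shares with the KDC, plus name and expiry
    t = unseal(service_key, st)
    return t["service"] == service_name and t["exp"] > time.time()
```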