TL;DR
Kerberos uses symmetric cryptography because every step of the protocol (the initial login exchange, ticket issuance, and authentication to each service) has to be cheap, and a symmetric cipher such as AES is orders of magnitude faster than RSA. Standard Kerberos (RFC 4120) is entirely symmetric: the client's long-term key is derived from the user's password and is already shared with the KDC, so no public-key step is needed to distribute session keys. Asymmetric cryptography only enters through the optional PKINIT extension (RFC 4556), which replaces the password-derived key in the initial exchange.
Why Kerberos Uses Symmetric Cryptography
Kerberos is built on symmetric key cryptography from end to end; asymmetric cryptography appears only in the optional PKINIT pre-authentication extension. Here's why that design works and why symmetric encryption is so central to the protocol:
- Speed: Kerberos involves lots of encrypting and decrypting – think about every time you access a network resource. Symmetric algorithms (like AES) are significantly faster than asymmetric ones (like RSA). Using asymmetric crypto for *every* operation would create a huge performance bottleneck.
- Asymmetric encryption is computationally expensive, requiring more processing power.
- Symmetric encryption allows Kerberos to authenticate users quickly and efficiently.
- Initial Key Exchange: No public-key step is needed, because the client and the KDC already share a secret: the client's long-term key, derived from the user's password (PBKDF2 for the AES encryption types, RFC 3962).
- When you first log in, your computer sends an AS-REQ to the Kerberos Key Distribution Centre (KDC).
- The KDC generates a random session key and returns it in the AS-REP encrypted under your long-term key. Only a client that knows the password can decrypt it; with pre-authentication enabled, the KDC also requires an encrypted timestamp before it will answer at all.
- This securely establishes a shared secret, the symmetric session key, without any asymmetric operation. With PKINIT, a certificate-based exchange replaces the password-derived key in this one step; everything after it is still symmetric.
- Ticket Granting Ticket (TGT): The TGT is encrypted under the long-term symmetric key of the ticket-granting service (the krbtgt principal), which only the KDC holds.
- The TGT proves your identity to the ticket-granting service so it can issue service tickets for the rest of the session without you re-entering your password; each service ticket in turn proves your identity to one service, encrypted under that service's own long-term key.
- Because tickets are encrypted with symmetric keys, issuing and validating them is fast, and the client never learns the keys they are sealed with.
- Data Confidentiality: Each service ticket carries a fresh session key shared only between you and that service. Applications that use it (GSS-API/SSPI wrap, SMB signing and sealing, LDAP) encrypt and integrity-protect their traffic with that symmetric key.
- This protects your data from eavesdropping and tampering on the wire.
- The speed of symmetric encryption makes this practical for continuous data protection.
A Simple Example
Imagine Alice wants to talk to Bob's service securely. Neither has a public key; each shares a long-term symmetric key with the KDC (Alice's derived from her password, Bob's from the service account's password or keytab).
- Key Distribution (via the KDC): Alice asks the KDC for a ticket to Bob. The KDC invents a random session key and sends it back twice: once encrypted under Alice's key, so only she can read it, and once inside a ticket encrypted under Bob's key, so only Bob can read it.
- Authentication: Alice sends Bob the ticket plus an authenticator (her name and a timestamp) encrypted under the session key. Bob decrypts the ticket with his own key, recovers the session key, checks the authenticator's timestamp, and now knows the request came from Alice.
- Secure Communication (Symmetric): Both sides hold the session key and use it for fast symmetric encryption and integrity protection of all their messages.
# This is conceptual - not actual Kerberos commands or message formats
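The exchange above, and the AS/TGT flow from the previous section, worked through in code as an added example (not part of the original post and not a real Kerberos implementation). It uses only Python's standard library: the cipher is a constructed encrypt-then-MAC stand-in (HMAC-SHA256 keystream plus HMAC tag) for the real aes256-cts-hmac-sha1-96 encryption type, the realm, principals, password and iteration count are made up, and message fields are simplified. What it shows is that the KDC can issue a session key and a TGT, the client can recover the session key, and the ticket-granting service can validate an authenticator, all with symmetric keys alone, and that a wrong password or a clock skew beyond the limit is rejected.

```python
"""Toy model of the Kerberos AS exchange and authenticator check using only
symmetric keys.  Added example; the cipher below is a constructed stand-in
for a real Kerberos enctype and must not be used for anything real."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"  # constructed realm name


def string_to_key(password: str, salt: str) -> bytes:
    # Kerberos AES enctypes derive the long-term key with PBKDF2 (RFC 3962),
    # salted with realm + principal.  The iteration count here is illustrative.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC with a random nonce; models Kerberos EncryptedData."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed KDC database.  Long-term keys are the only shared secrets; the
# krbtgt key seals every TGT and never leaves the KDC.
KDC_DB = {
    "alice": string_to_key("correct horse battery", REALM + "alice"),
    "krbtgt": os.urandom(32),
}


def as_exchange(client: str, lifetime: int = 600, now=None):
    """KDC side of AS-REQ/AS-REP: mint a session key, return it twice."""
    now = time.time() if now is None else now
    session_key = os.urandom(32).hex()
    tgt = encrypt(KDC_DB["krbtgt"], {"cname": client, "key": session_key,
                                     "endtime": now + lifetime})
    enc_part = encrypt(KDC_DB[client], {"key": session_key, "endtime": now + lifetime})
    return {"cname": client, "ticket": tgt.hex(), "enc-part": enc_part.hex()}


def client_login(client: str, password: str, as_rep) -> bytes:
    """Client side: derive the long-term key from the password and recover the
    session key.  A wrong password fails the integrity check, not a comparison."""
    key = string_to_key(password, REALM + client)
    return bytes.fromhex(decrypt(key, bytes.fromhex(as_rep["enc-part"]))["key"])


def tgs_verify(as_rep, authenticator: bytes, now=None, max_skew: int = 300) -> str:
    """TGS side: open the TGT with the krbtgt key, then check the authenticator
    (encrypted under the session key) against the ticket and the clock."""
    now = time.time() if now is None else now
    tgt = decrypt(KDC_DB["krbtgt"], bytes.fromhex(as_rep["ticket"]))
    if now > tgt["endtime"]:
        return "ticket expired"
    auth = decrypt(bytes.fromhex(tgt["key"]), authenticator)
    if auth["cname"] != tgt["cname"]:
        return "authenticator/ticket mismatch"
    if abs(now - auth["ctime"]) > max_skew:  # default clockskew is 5 minutes
        return "clock skew too great"        # KRB_AP_ERR_SKEW
    return "ok"


if __name__ == "__main__":
    rep = as_exchange("alice")
    sk = client_login("alice", "correct horse battery", rep)
    print(tgs_verify(rep, encrypt(sk, {"cname": "alice", "ctime": time.time()})))
```

Note where each key is used: the client never sees the krbtgt key, the KDC never sees the password (only the derived key), and the only thing that travels in the clear is ciphertext. That is the whole reason the protocol can be symmetric end to end.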
Practical Considerations
- Key Length and Encryption Types: The strength of Kerberos relies on strong symmetric encryption types. Use the AES enctypes (aes256-cts-hmac-sha1-96 or the SHA-2 variants) and disable RC4 and DES, which are weak or broken.
- KDC Security: Protecting the KDC is paramount, as it holds the long-term keys of every principal. The krbtgt key deserves special care: anyone who obtains it can forge TGTs for any user.
- Clock Synchronization: Kerberos requires accurate time synchronization between clients, servers and the KDC, because authenticators carry timestamps and are rejected beyond the allowed skew (5 minutes by default). Use NTP (Network Time Protocol) to ensure this. To check a host's offset against an NTP server without adjusting the clock (pool.ntp.org used here as an example server):
ntpdate -q pool.ntp.org