# Kerberos (Port 88)

### What is Kerberos?

***

You want to connect to an application over an insecure network, but you are a bit paranoid and suspect someone may be listening. Is there a protocol designed to provide secure authentication over an insecure network, where:

* Passwords are never sent across the network
* Encryption keys are never directly exchanged in the clear
* You and the application can mutually authenticate each other
* It can work as the basis of single sign-on

Single sign-on?

Imagine you walk into the office, sit down at your computer, enter your credentials once to log in, and suddenly you have access to your email, the file server, the internal services, and so on, all without logging in to each one separately. This is what SSO (single sign-on) does: you present your credentials one time, and SSO uses them to authenticate you to every application that supports it, so you never have to re-enter the same credentials for each one.

A protocol that provides all of this exists: Kerberos.

Kerberos is an authentication protocol for client/server applications that listens on port 88 (TCP and UDP) by default. It is designed to provide secure authentication over an insecure network. It uses secret-key cryptography and a trusted third party, the Key Distribution Center (KDC), to authenticate both users and services. Instead of presenting a password to each service, the user proves their identity with tickets. But how? Before going deeper, let's explore the components of Kerberos.

### Kerberos Authentication Flow

***

<figure><img src="/files/LmeezSycWzJF6gwucREI" alt=""><figcaption></figcaption></figure>

This is the entire flow of how Kerberos authenticates a user and grants access to a service.

* The user sends an **AS-REQ** to the Authentication Server (AS), which is part of the KDC, containing the username. With pre-authentication enabled (the default in Active Directory), the request also carries a timestamp encrypted with the user's long-term key, which is derived from the password; the password itself is never transmitted. The AS validates the request and returns an **AS-REP** containing a Ticket Granting Ticket (TGT), encrypted with the KDC's own `krbtgt` key so the client cannot read or forge it, plus a session key encrypted with the user's key.
* After receiving the TGT, the user requests access to a specific service by sending a **TGS-REQ** to the Ticket Granting Server (TGS), also part of the KDC, including the TGT and an authenticator encrypted with the TGT session key.
* The TGS decrypts and validates the TGT and returns a **TGS-REP** containing a Service Ticket (ST), encrypted with the target service's long-term key, along with a new session key for communication with that service.
* The user sends the Service Ticket (ST) to the target service in an **AP-REQ**, together with an authenticator encrypted with the service session key.
* The service decrypts the ticket using its own secret key, checks that the authenticator matches the identity inside the ticket and that the ticket has not expired, and grants access if everything is valid. Only the KDC and the service itself hold the service's key, so a valid ST is proof that the KDC vouched for the user.
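The five steps above, carried end to end as an added example; this is not code from the original page and not a real Kerberos implementation. It models the AS, TGS and service as Python functions sharing a toy authenticated-encryption routine (HMAC-SHA256 keystream plus tag, standing in for a Kerberos encryption type), with a constructed realm `EXAMPLE.LOCAL`, user `alice`, service `cifs/fs01` and assumed password `Winter2024!`. What it shows that the list alone does not: the password never appears on the wire, the TGT is opaque to everyone but the KDC, the ST is opaque to everyone but the service, and a wrong password fails at pre-authentication before any ticket is issued.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed principals and keys (assumed values for the demo, not real domain data).
REALM = "EXAMPLE.LOCAL"
KRBTGT_KEY = os.urandom(32)      # known only to the KDC; protects every TGT
SERVICE_KEY = os.urandom(32)     # shared by the KDC and the service "cifs/fs01"
USER_PASSWORD = "Winter2024!"    # assumed user password; it never leaves the client


def string_to_key(password: str, salt: str) -> bytes:
    """Derive a long-term key from a password (Kerberos 'string2key').
    Real etypes use PBKDF2 + AES (RFC 3962); PBKDF2-SHA256 is a stand-in here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, dklen=32)


def encrypt(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (nonce || ciphertext || HMAC tag).
    Stands in for a Kerberos etype; it is NOT a real Kerberos encryption type."""
    nonce = os.urandom(16)
    pt = json.dumps(msg).encode()
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Inverse of encrypt(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))


def pa_enc_timestamp(key: bytes) -> bytes:
    """Pre-authentication data: the current time encrypted under the user's key."""
    return encrypt(key, {"ts": time.time()})


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""

    def __init__(self):
        self.user_keys = {"alice": string_to_key(USER_PASSWORD, REALM + "alice")}
        self.service_keys = {"cifs/fs01": SERVICE_KEY}

    def as_exchange(self, user: str, pa_data: bytes) -> dict:
        """AS-REQ -> AS-REP. The client proves it holds the password-derived key by
        encrypting a timestamp; the KDC never sees the password itself."""
        ts = decrypt(self.user_keys[user], pa_data)["ts"]      # ValueError on wrong password
        if abs(time.time() - ts) > 300:                          # Kerberos default 5 min skew
            raise ValueError("clock skew too large")
        sk = os.urandom(32).hex()
        tgt = encrypt(KRBTGT_KEY, {"user": user, "sk": sk, "exp": time.time() + 36000})
        # The TGT is opaque to the client; only the enc_part is readable with the user key.
        return {"tgt": tgt, "enc_part": encrypt(self.user_keys[user], {"sk": sk})}

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> dict:
        """TGS-REQ -> TGS-REP. Everything the TGS needs about the user is inside the TGT."""
        t = decrypt(KRBTGT_KEY, tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        if decrypt(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32).hex()
        st = encrypt(self.service_keys[service],
                     {"user": t["user"], "sk": svc_sk, "exp": time.time() + 36000})
        return {"st": st, "enc_part": encrypt(bytes.fromhex(t["sk"]), {"sk": svc_sk})}


def service_accept(st: bytes, authenticator: bytes) -> str:
    """AP-REQ at the service. Only the service's own key opens the ticket, so a ticket
    that decrypts and matches its authenticator proves the KDC vouched for the user."""
    t = decrypt(SERVICE_KEY, st)
    auth = decrypt(bytes.fromhex(t["sk"]), authenticator)
    if auth["user"] != t["user"] or time.time() > t["exp"]:
        raise ValueError("bad authenticator or expired ticket")
    return t["user"]


def client_login(user: str, password: str, service: str, kdc: KDC) -> str:
    """The whole flow from the client's side; returns the identity the service accepted."""
    key = string_to_key(password, REALM + user)                 # derived locally, never sent
    as_rep = kdc.as_exchange(user, pa_enc_timestamp(key))
    sk = bytes.fromhex(decrypt(key, as_rep["enc_part"])["sk"])  # only the right key opens this
    tgs_rep = kdc.tgs_exchange(as_rep["tgt"], encrypt(sk, {"user": user, "ts": time.time()}), service)
    svc_sk = bytes.fromhex(decrypt(sk, tgs_rep["enc_part"])["sk"])
    return service_accept(tgs_rep["st"], encrypt(svc_sk, {"user": user, "ts": time.time()}))


if __name__ == "__main__":
    print("service accepted:", client_login("alice", USER_PASSWORD, "cifs/fs01", KDC()))
```

The pre-authentication step is the part worth noticing from an attacker's point of view: without it, the AS would hand out an `enc_part` encrypted under the user's key to anyone who asks for that username, giving an offline crack target. With it, a wrong password is rejected at the AS before any ticket is issued, which is exactly what the first `ValueError` in `as_exchange` models.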

