idea
Kerberos is a way to manage authentication and authorization using symmetric encryption, without key exchange (so no public key).
The general concept is to use a trusted third party to handle key management: the Kerberos Domain Controller. Each client in the network has a common key with the KDC used to secure communication, access to resources is granted by by a unique key (ticket) obtained from the KDC.
graph TD
A --> KDC[Kerberos Domain Controller]
B --> KDC
C --> KDC
D --> KDC
KDC has two components: authentication server (S), and ticket granting server (T, or TGS).
Protocol goes is to authenticate and request access to some TGS. Authentication is a key $K_{AS}$ derived from the password. Reply from authentication server is encrypted with $K_{AS}$ and contains a temporary key $K_{AT}$ to authorize communication with the TGS, some lifetime information $LT$, plus a "ticket granting ticket" $TGT$ which allows to get more key in the future, itself encrypted with $K_{ST}$ which is a common key between the authentication and ticket granting server, unreadable by client.
graph LR
A(["A Client"])
A -- "1. Kas(Password, TGS)" --> S
S -- "2. Kas(Kat, LT) <br/>and TGT=Kst(Kat, LT)" --> A
subgraph KDC
S["Authentication Server"]
T["Ticket Granting Server"]
end
When the client A requires access to a resource B, it sends a message to the Ticket Granting Server with the access request encrypted by $K_{AT}$, alongside the $TGT$.
The TGS validates authorization, and returns $K_{AB}$ to encrypt communication, and a ticket encrypted with $K_{BT}$ to the client, which is a key known only to B and the TGS.
graph LR
A(["A Client"])
A -- "1. Kat(B) <br/>and TGT=Kst(Kat, LT)" --> T
T -- "2. Validates authorization" --> T
T -- "3. Kab(LT) <br/>and Kbt(LT)" --> A
subgraph KDC
S["Authentication Server"]
T["Ticket Granting Server"]
end
Then the client can communicate to the resource by using $K_{AB}$ and the ticket encrypted with $K_{BT}$. The server validates that the ticket is correct and grants the request, since it is encrypted with a key that could be obtained only if authorization was successful.
graph LR
A(["A Client"])
B(["B Server"])
A -- "Kab(request) <br/>and Ticket=Kbt(LT)" --> B
notes
Kerberos is named after a mythological three headed dog.