Kerberos vs. PKI


Authenticating users to network services over an insecure protocol has proven to be a dangerous practice: transferring passwords over a network with traditional protocols such as Telnet or FTP exposes an organization to the serious risk that this information is intercepted and used against it to gain access and take full control of its networks. With a protocol such as Kerberos, these unsafe authentication methods can be eliminated, which definitely enhances and ensures network security. Kerberos is a network protocol that uses symmetric-key cryptography to authenticate users to network services, and the password is never sent over the network (Dadighat, 2010).

Dadighat (2010) explained that Kerberos provides authentication between a client and a server via shared-key cryptography, where both client and server have access to the same key or password used to identify the client to the server. Authenticating the client requires the following steps:


  1. The client’s system sends a request to access the server and asks the authentication service to create a ticket containing the client’s information along with the session information for the server. The information is verified by both Kerberos and the client using the client’s password.
  2. Kerberos sends the ticket to the server encrypted with a password that is known only to the server and Kerberos.
  3. The server checks that the information carries the correct data from Kerberos and the correct encryption, verifying the identity of the user. The ticket is valid for as little as five minutes, and adding the timestamp to the ticket gives the server another checkpoint to make sure the request is valid.

On the other hand, a public-key infrastructure (PKI) is based on a pair of keys defined uniquely for each entity, where the two keys are mathematically linked; each entity has its own public and private key. The public key is published in the public domain while the private key is kept secret by each entity. With such a system, information is transmitted encrypted to the intended recipient’s public key, and that entity decrypts the information (message) using its own private key. With this mechanism, communication between the two entities involves only the public keys; the private key is never transmitted or shared. Also, the transmitted message carries a small coded file, appended to the message, that represents the digital certificate, and the public key is used to verify the digital signature of the signer. Once the check is complete, the recipient is assured that the message has not been modified since the signature was produced (Gavras, 2001).

Gavras (2001) explained that PKI represents a framework of a variety of policies and components that achieves four principal security functions:


  • Confidentiality – such a security mechanism keeps an exchange of information private.
  • Integrity – such a security mechanism proves that the information exchanged between entities was not manipulated during the transaction.
  • Authentication – through such a security mechanism the identity of an entity engaged in the transaction is proved.
  • Non-repudiation (no rejection) – such a mechanism ensures that an entity engaged in the transaction cannot deny participation in it.

Kerberos vs. PKI

Kouril and Prochazka (2006) explained that the main security architectures that can be implemented within an organization to secure network interactions are Kerberos and Public Key Infrastructure (PKI). The following table illustrates the key differences between Kerberos and PKI:

  Kerberos: Represents symmetric cryptography.
  PKI: Represents asymmetric cryptography.

  Kerberos: Tickets are used to authenticate users, and the tickets are issued via an online Key Distribution Center (KDC).
  PKI: Each user has a pair of keys, a private key and a public key. The public key is published to users while the private key is kept secret. The private key is used to generate a digital signature, while the public key is used to verify that signature.

  Kerberos: A password is required to authenticate users.
  PKI: A private key is used to authenticate users. The private key is stored on disk and maintained by the user.

  Kerberos: The Key Distribution Center (KDC) must register every user who is to have access to the network.
  PKI: Pre-registration is not required.

Pros and Cons


  • Kerberos implementation within any network infrastructure doesn’t violate any patents and it can be used for free. Also, the protocol is an open standard, developed openly for the public to review and implement (Casima, 2010).
  • Kerberos is an open architecture to which any authentication technology can be added (e.g. a smartcard algorithm). What is required in such a case is to modify the KDC and its ticket-acquiring model for the client to implement the new authentication (Casima, 2010).
  • The Kerberos architecture represents a single point of attack through the KDC, and the KDC also represents a bottleneck for network performance (Kouril and Prochazka, 2006).
  • The Kerberos protocol doesn’t need the client’s password to be sent over the network, either encrypted or in plaintext; secret keys are transmitted in an encrypted form that can’t be intercepted, so even if the network is compromised it’s impossible for attackers to interpret the content of the network communication (Aldinger, 2010).
  • In the Kerberos architecture, mutual authentication of both parties (client and server) has to be verified; tickets are passed between client and server and vice versa, and a timestamp and lifetime information are passed between the parties to limit the authentication between them, with a lifetime low enough to ensure that a replay attack will never occur (Aldinger, 2010).
  • Kerberos provides reusability and durability. Once the user has been authenticated with the protocol, that authentication is reusable for the lifetime of the ticket (Aldinger, 2010).
  • With the popularity and wide spread of a protocol like Kerberos, maintained by top developers around the world, any new weakness or security breach can be quickly identified and solved (Aldinger, 2010).
  • PKI cryptography provides a huge security improvement in that private keys never need to be transmitted or revealed online.
  • PKI cryptography doesn’t implement a secret-key system that requires sharing a secret and relying on a third party; instead it provides a digital signature, so the possibility of a party rejecting an authentication by claiming that the shared secret has been compromised doesn’t exist.
  • PKI cryptography imposes a speed problem and can also be subject to vulnerabilities such as impersonation, where the attack occurs on a certification authority (Kouril and Prochazka, 2006).
  • It is possible to plug other technologies into PKI to be implemented alongside digital certification, such as SSL and strong authentication (Kopczynski, 2008).
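To make the certificate and non-repudiation points above concrete, here is an added example (not from the post or any cited source) of the PKI side: a certification authority signs the binding between a subject and its public key, the recipient verifies that certificate against the CA it trusts and then the message signature against the certified key, and a certificate issued by an untrusted CA is rejected. Only the holder of the private exponent can produce a signature the public key accepts, which is what gives a signature its non-repudiation property that a shared secret lacks. The key pairs are constructed textbook RSA with toy-sized primes and a hash reduced into the modulus; they are for illustration only, not a real cryptographic implementation.

```python
import hashlib, json

def toy_keypair(p, q, e=17):
    """Textbook RSA from two small primes (constructed, insecure toy sizes)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)      # public key, private key

def digest(data, n):                     # hash, reduced into the (toy) modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):                    # needs the private exponent d
    d, n = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):              # needs only the public key
    e, n = pub
    return pow(sig, e, n) == digest(data, n)

def encode(obj):
    return json.dumps(obj, sort_keys=True).encode()

def issue_cert(ca_priv, subject, subject_pub):
    """CA vouches for the binding subject -> public key by signing it."""
    tbs = {"subject": subject, "pub": list(subject_pub)}
    return {"tbs": tbs, "sig": sign(ca_priv, encode(tbs))}

def check_message(trusted_ca_pub, cert, sender, message, sig):
    """Recipient: verify the certificate against the CA it trusts, then the
    message signature against the certified key. Each failure is named."""
    if cert["tbs"]["subject"] != sender:
        return "cert is for someone else"
    if not verify(trusted_ca_pub, encode(cert["tbs"]), cert["sig"]):
        return "cert not signed by trusted CA"     # self-made cert: impersonation attempt
    if not verify(tuple(cert["tbs"]["pub"]), message, sig):
        return "message altered or not signed by certified key"
    return "ok"

# Constructed parties: a trusted CA and a user whose key the CA certifies
CA_PUB, CA_PRIV = toy_keypair(101, 113)
ALICE_PUB, ALICE_PRIV = toy_keypair(61, 53)
ALICE_CERT = issue_cert(CA_PRIV, "alice", ALICE_PUB)
```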

Key Distribution Mechanism Selection

System News (2002) explained that the Kerberos architecture is designed to secure interactions across an open (insecure) network, where the Key Distribution Center (KDC) acts as a trust hub that requires mutual authentication between two parties; a secret key embedded in messages (a ticket) to identify the sender is assigned to each user who requests to log into the network. On the other hand, PKI supports secure network communication between two parties via a combination of public and private keys. With this mechanism the need for a central hub is eliminated.

The Kerberos architecture requires ongoing administration of a central Key Distribution Center (KDC), and the administrative burden of the KDC prevents Kerberos from scaling beyond the intranet. Such an architecture is also a big hurdle for any organization that needs to expand its network infrastructure across distributed networks, so it’s a weak choice for a network identity implementation: its scalability is really limited, and it is based on a KDC that represents a single point for hackers to attack and a bottleneck that can create performance issues. On the other hand, PKI implements a publicly accessible repository of certificates, which eliminates the risk of being a single point of attack and avoids being a bottleneck for the network. For these reasons PKI is very suitable for peer-to-peer, distributed, multi-platform computing networks (System News, 2002).

One important fact about PKI is that it offers non-repudiation (non-rejection), which prevents parties from denying involvement in an online transaction; it also supports digital signatures and message encryption, which further enhance the security elements within any network. Finally, PKI also supports cross-certification, so identity can be integrated across circles of trust (System News, 2002).


Abdullah (2010) explained that Kerberos is a protocol designed to provide authentication over an insecure network, based on a client-server model. The Kerberos mechanism defines procedures for secure communication between two nodes (computers). Kerberos provides two third-party servers to authenticate and identify clients to the server: the first is called the Authentication Server (AS) and the other the Ticket Granting Server (TGS). These two servers are included as logical parts of the network and monitor the authentication processes over the communication session.

Abdullah (2010) also explained that to process any authentication from the client to the server within the Kerberos mechanism, the following steps have to occur in sequence:


  1. The client provides its details to the Authentication Server (AS) to receive an authentication ticket, which serves as its identity.
  2. That ticket is submitted to the Ticket Granting Server (TGS), which on approval issues another ticket to be used to obtain services from the network server, and the communication session is initiated accordingly.
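The ticket flow described here, together with the three-step exchange and the five-minute lifetime given earlier in the post, can be followed end to end in the added example below; it is written for this page and is not code from the post, the cited sources or any Kerberos implementation. It models the AS issuing a ticket for the TGS, the TGS issuing a service ticket under the server’s key, and the server checking the ticket’s origin, its lifetime and a timestamped authenticator against a replay cache. Simplifications, all assumed: an HMAC tag stands in for the encryption real Kerberos applies to tickets, a SHA-256 hash stands in for the password-to-key derivation, XOR stands in for wrapping the session key, and the user database, keys and 5-second clock skew are constructed values.

```python
import hmac, hashlib, json, os
LIFETIME = 300   # five-minute ticket validity, as the text describes
SKEW = 5         # assumed: max clock difference tolerated on an authenticator (seconds)
def key_of(password):       # long-term key derived from a password (toy KDF, no salt)
    return hashlib.sha256(password.encode()).digest()

def wrap(key, secret):      # toy encryption of a 32-byte session key under a 32-byte key
    return bytes(a ^ b for a, b in zip(secret, key))

def seal(key, body):        # HMAC tag stands in for the encryption real Kerberos uses
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_ticket(target_key, client, now):
    """AS or TGS side: fresh session key plus a ticket only the target service can verify."""
    sk = os.urandom(32)
    body = {"client": client, "sk": sk.hex(), "issued": now, "expires": now + LIFETIME}
    return {"body": body, "tag": seal(target_key, body)}, sk

def authenticator(sk, client, now):
    """Client side: proves possession of the session key; the timestamp limits replay."""
    return {"client": client, "ts": now, "tag": seal(sk, {"client": client, "ts": now})}

def accept(own_key, ticket, auth, now, replay_cache):
    """Service side: genuine ticket, inside its lifetime, fresh authenticator."""
    body = ticket["body"]
    if not hmac.compare_digest(seal(own_key, body), ticket["tag"]):
        return "bad ticket"           # not issued by the KDC, or altered in transit
    if not body["issued"] <= now < body["expires"]:
        return "expired"
    sk = bytes.fromhex(body["sk"])
    if not hmac.compare_digest(seal(sk, {"client": auth["client"], "ts": auth["ts"]}), auth["tag"]):
        return "bad authenticator"    # sender does not hold the session key
    if abs(now - auth["ts"]) > SKEW or (auth["client"], auth["ts"]) in replay_cache:
        return "replay"
    replay_cache.add((auth["client"], auth["ts"]))
    return "ok"

USERS = {"alice": key_of("correct horse")}   # constructed: the KDC's user database
TGS_KEY, SRV_KEY = key_of("tgs secret"), key_of("fileserver secret")

def login_and_access(client, typed_pw, now, srv_cache):
    """Whole flow; the typed password is only ever used locally to unwrap the AS reply."""
    tgt, sk1 = issue_ticket(TGS_KEY, client, now)            # AS: ticket for the TGS
    sk1 = wrap(key_of(typed_pw), wrap(USERS[client], sk1))   # client unwraps with its own pw
    verdict = accept(TGS_KEY, tgt, authenticator(sk1, client, now), now, set())
    if verdict != "ok":
        return "TGS: " + verdict
    st, sk2 = issue_ticket(SRV_KEY, client, now)             # TGS: service ticket for the server
    return "server: " + accept(SRV_KEY, st, authenticator(sk2, client, now), now, srv_cache)
```

A wrong password never reaches the network: it only yields the wrong session key, so the TGS rejects the authenticator, while presenting the same authenticator twice is caught by the replay cache even though the ticket itself stays reusable for its lifetime.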

The choice of security architecture really depends on the organization’s needs: if the organization’s infrastructure is required to grow across highly distributed networks, Kerberos doesn’t have the scalability to be implemented in such an organization, and PKI will be the better security feature to implement. Finally, both Kerberos and PKI offer huge benefits to any organization’s security; the choice of adopting either one will be entirely up to the expansion plan required for the organization.


Abdullah, S. (2010) An Introduction to Kerberos [Online]. Available from: (Accessed: 20 November 2010).

Aldinger, T. (2010) What Are the Advantage of Kerberos? [Online]. Available from: (Accessed: 20 November 2010).

Casima, R. (2010) What Are the Benefits of Kerberos [Online]. Available from: (Accessed: 20 November 2010).

Dadighat, U. (2010) Basic of Kerberos [Online]. Available from: (Accessed: 20 November 2010).

Gavras, A. (2001) What is PKI and how does it work [Online]. Available from: (Accessed: 20 November 2010).

Kouril, D. & Prochazka, M. (2006) Kerberos and PKI Cooperation [Online]. Available from: (Accessed: 20 November 2010).

Kopczynski, T. (2008) The benefits of PKI [Online]. Available from: (Accessed: 20 November 2010).

System News (2002) Security of Network Identity: Kerberos or PKI [Online]. Available from: (Accessed: 20 November 2010).
