why kerberos needs TGT?

Question

I am learning the design of KDC, and find the protocol needs 3 rounds of info exchange. But I think the step of TGT is duplicate and unnecessary, for the KDC can just send the ticket in the 1st round. So why is the design of the second round? What is the use of exchange of TGT?

Answer 1

It's not unnecessary. It's there as a long term optimization.

With Kerberos you have the two flows between the KDC and client:

• AS-REQ: Exchanges a human supplied credential into a ticket (e.g. password, certificate, etc.).
• TGS-REQ Exchanges a KDC-supplied ticket for another ticket.

The AS-REQ can request any ticket it wants. In practice it only requests krbtgt. The AS-REQ is designed to evaluate the used credential, look up the identity in the backing directory, apply any policy, and whatever else the KDC thinks is actually an expensive operation. Credential verification/derivation/etc. can be an expensive operation. Querying the directory for things like (say in Active Directory's case) group membership is incredibly expensive. This is expensive for the client because it's most likely always doing key derivation, and it's expensive for the KDC because it's always going to query the directory.

If you ask for krbtgt you unlock access to the TGS-REQ flow.

The TGS-REQ flow verifies the krbtgt, looks up the requested service in the directory, and copies the internal contents of the krbtgt ticket into the requested service ticket. That is orders of magnitude faster because it skips most of the stuff that happened in AS-REQ flow. It does still query the directory, but that's cheap compared to everything else. The client doesn't do any key derivation now.

More importantly now you don't need to keep the long term credential in memory anymore because you have the TGT.