Complete Kerberos authentication protocol implementation with hybrid encryption (RSA 2048-bit + AES 256-bit) and JavaFX GUI
Features • Installation • Usage • Architecture • Documentation
- Overview
- Features
- Kerberos Architecture
- Installation
- Quick Start
- Technical Documentation
- Project Structure
- Academic Context
- Security Analysis
- Contributing
- License
- Author
This project implements a complete Kerberos authentication system with a modern twist - hybrid encryption combining RSA and AES. Unlike traditional Kerberos which uses symmetric encryption only, this implementation leverages both asymmetric (RSA) and symmetric (AES) cryptography for enhanced security.
Kerberos is a network authentication protocol developed at MIT that uses tickets to allow nodes to prove their identity over a non-secure network. It's widely used in enterprise environments (e.g., Microsoft Active Directory).
Key Concepts:
- 🎫 Ticket-Based Authentication - No password transmission over network
- 🔐 Mutual Authentication - Both client and server verify each other
- 🎟️ Single Sign-On (SSO) - One login for multiple services
- ⏱️ Time-Limited Tickets - Tickets expire after 5 minutes
- 🔑 Trusted Third Party - KDC acts as authentication authority
Our hybrid approach combines:
- RSA 2048-bit for secure key distribution
- AES 256-bit for efficient data encryption
- JavaFX GUI for user-friendly interaction
- CSV-based Database for user management
- Comprehensive Logging for audit trails
Real-World Comparison: This is similar to how Active Directory authenticates users in Windows domains!
- ✅ Kerberos Protocol Implementation - Complete AS, TGS, SS workflow
- ✅ Hybrid Encryption - RSA 2048-bit + AES 256-bit
- ✅ Ticket-Based Authentication - TGT and Service Tickets
- ✅ Time-Limited Sessions - 5-minute ticket expiration
- ✅ Mutual Authentication - Client ↔ Server verification
- ✅ Key Distribution Center (KDC) - Centralized authentication authority
- ✅ Session Key Generation - Unique AES keys per session
- ✅ JavaFX GUI - Modern graphical interface
- ✅ User Registration - Client and server registration
- ✅ Login System - Password-based authentication
- ✅ Secure Messaging - Encrypted client-server communication
- ✅ Comprehensive Logging - Detailed audit trail (Log.txt)
- ✅ CSV Database - User credentials storage (Dataset.csv)
- ✅ Real-Time Feedback - GUI log display
- ✅ RSA Key Pair Generation - 2048-bit asymmetric encryption
- ✅ AES Session Keys - 256-bit symmetric encryption
- ✅ Encrypted Tickets - Secure ticket transmission
- ✅ Timestamp Verification - Prevents replay attacks
- ✅ Public Key Infrastructure - PKI-like key management
- ✅ Password-Based Authentication - Secure credential verification
┌──────────────────────────────────────────────────────────────────┐
│ Hybrid Kerberos Authentication System │
└──────────────────────────────────────────────────────────────────┘
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ CLIENT │────────▶│ KDC │◀────────│ SERVER │
│ │ │ (Key Dist. │ │ │
│ - User ID │ │ Center) │ │ - Server ID │
│ - Password │ │ │ │ - Services │
│ - RSA Keys │ │ - AS (Auth) │ │ - RSA Keys │
│ │ │ - TGS (Ticket│ │ │
└─────────────┘ │ Granting) │ └─────────────┘
└──────────────┘
- Initiates authentication requests
- Stores user credentials
- Receives and stores tickets (TGT, Service Ticket)
- Communicates with servers using session keys
- AS (Authentication Server) - Verifies user credentials
- TGS (Ticket Granting Server) - Issues service tickets
- Manages all public/private key pairs
- Generates session keys for secure communication
- Provides services to authenticated clients
- Verifies service tickets
- Maintains list of authenticated clients
- Decrypts messages using session keys
Java 8 or higher with JavaFX supportVerify Java Installation:
java -version
# Should output: java version "1.8.0" or highergit clone https://github.com/memo-13-byte/hybrid-kerberos-system.git
cd hybrid-kerberos-system# Compile all Java files
javac -cp src src/*.java
# Or use your IDE (IntelliJ IDEA, Eclipse, NetBeans)cd src
java MainGUI will launch automatically!
In the GUI:
| Field | Value | Description |
|---|---|---|
| Client ID | alice |
Unique client identifier |
| Password | password123 |
Client password |
| Server ID | file-server |
Target server identifier |
Click "Register" button
What Happens:
- ✅ KDC generates RSA 2048-bit key pairs for client
- ✅ KDC generates RSA 2048-bit key pairs for server
- ✅ Client and Server registered in system
- ✅ Keys saved to Dataset.csv
- ✅ Confirmation in log area
In the GUI:
| Field | Value |
|---|---|
| Client ID | alice |
| Password | password123 |
| Server ID | file-server |
Click "LogIn" button
Authentication Flow:
- Client → KDC: Login request with credentials
- KDC verifies password against Dataset.csv
- KDC generates:
- TGT (Ticket Granting Ticket) - encrypted with client's key
- Session Key (Kc,tgs) - for Client-TGS communication
- Client receives TGT (valid for 5 minutes)
- ✅ Login successful!
In the GUI:
| Field | Value |
|---|---|
| Message | Hello, secure world! |
Click "Communicate with Server" button
Secure Communication:
- Client → TGS: TGT + Server ID request
- TGS verifies TGT validity
- TGS generates:
- Service Ticket - for Client-Server auth
- Session Key (Kc,s) - for Client-Server communication
- Client → Server: Service Ticket + Encrypted Message
- Server verifies ticket
- Server decrypts message using session key
- ✅ Secure communication established!
Log Output:
Client alice authenticated successfully.
TGT issued to alice.
Service ticket for file-server issued.
Message encrypted with AES: Q2hhbmdlIG1lIQ==
Server file-server decrypted message: Hello, secure world!
Responsibilities:
- Graphical user interface
- User input handling
- Event listeners for buttons
- Log display management
- File logging (Log.txt)
Key Methods:
start(Stage primaryStage) // Initialize GUI
registerButton.setOnAction() // Handle registration
loginButton.setOnAction() // Handle login
communicateButton.setOnAction() // Handle messaging
log(String message) // Write to Log.txtResponsibilities:
- Client and server registration
- RSA key pair generation (2048-bit)
- User authentication
- TGT (Ticket Granting Ticket) generation
- Service ticket issuance
- Session key generation (AES 256-bit)
Key Methods:
registerClient(String clientId, String password)
→ Generates RSA keys, stores in Dataset.csv
registerServer(String serverId)
→ Generates RSA keys for server
authenticateClient(String clientId, String password, String serverId)
→ Verifies credentials, returns true/false
generateTGT(Client client)
→ Creates encrypted Ticket Granting Ticket
generateServiceTicket(Client client, Server server)
→ Creates service ticket for client-server auth
generateSessionKey()
→ Generates 256-bit AES session keyDatabase Structure (Dataset.csv):
ClientID,Password,PrivateKey,PublicKey
alice,password123,MIIEvQIBADANBgk...,MIIBIjANBgkq...
file-server,,MIIEvgIBADANBg...,MIIBIjANBgkq...Responsibilities:
- Store client credentials (ID, password)
- Maintain TGT (Ticket Granting Ticket)
- Store service tickets
- Encrypt messages with session keys
Attributes:
private String clientId; // Unique identifier
private String password; // Authentication credential
private Ticket tgt; // Ticket Granting Ticket
private KDC kdc; // Reference to KDCKey Methods:
requestTGT() → TicketGrant
// Request TGT from KDC
requestServiceTicket(String serverId) → Ticket
// Request service ticket for specific server
encryptMessage(String message, SecretKey sessionKey) → String
// Encrypt message using AES session keyResponsibilities:
- Manage authenticated clients
- Verify service tickets
- Decrypt encrypted messages
- Maintain access control list
Attributes:
private String serverId;
private KDC kdc;
private Map<Client, Boolean> authenticatedClients;Key Methods:
addAuthenticatedClient(Client client, Boolean isAuth)
// Add client to authenticated list
verifyTicket(Ticket ticket) → Boolean
// Verify service ticket validity
decryptMessage(String encryptedMessage, SecretKey sessionKey) → String
// Decrypt client messageTicket Structure:
public class Ticket {
private String clientId; // Client identifier
private String serverId; // Server identifier
private String sessionKey; // AES session key (Base64)
private long timestamp; // Creation time
private long expirationTime; // 5 minutes validity
}Encryption:
- Ticket encrypted with server's public key (RSA)
- Client cannot read ticket contents
- Only server can decrypt with private key
TGT Structure:
public class TicketGrant {
private String clientId; // Client identifier
private String sessionKey; // Session key for Client-TGS
private long timestamp; // Creation time
private long expirationTime; // Validity period
}Encryption:
- TGT encrypted with client's password-derived key
- Contains session key for TGS communication
- Valid for 5 minutes
CLIENT KDC
│ │
├─── Register(clientId, password) ─▶│
│ ├─ Generate RSA KeyPair (2048-bit)
│ ├─ Save to Dataset.csv
│ ├─ Store in clientKeyPairs map
│ │
│◀────── Confirmation ───────────────┤
│ │
CLIENT KDC
│ │
├─── Login(clientId, password) ────▶│
│ ├─ Verify credentials (Dataset.csv)
│ ├─ Generate SessionKey (Kc,tgs)
│ ├─ Create TGT:
│ │ - clientId
│ │ - sessionKey
│ │ - timestamp
│ │ - expiration (now + 5 min)
│ ├─ Encrypt TGT with password
│ │
│◀──── {TGT, Kc,tgs} ────────────────┤
├─ Store TGT │
├─ Store Kc,tgs │
│ │
CLIENT KDC/TGS SERVER
│ │ │
├─ Request ServiceTicket(serverId) ─▶│ │
├─ Send: {TGT, serverId} │ │
│ ├─ Decrypt TGT │
│ ├─ Verify expiration │
│ ├─ Generate Session Key (Kc,s) │
│ ├─ Create Service Ticket: │
│ │ - clientId │
│ │ - serverId │
│ │ - Kc,s │
│ │ - timestamp │
│ │ - expiration │
│ ├─ Encrypt with Server's PubKey │
│ │ │
│◀── {ServiceTicket, Kc,s} ──────────┤ │
├─ Store ServiceTicket │ │
├─ Store Kc,s │ │
│ │ │
CLIENT SERVER
│ │
├─ Encrypt(message, Kc,s) ──────────▶│
├─ Send: {ServiceTicket, EncMsg} │
│ ├─ Decrypt ServiceTicket (PrivKey)
│ ├─ Extract Kc,s
│ ├─ Verify expiration
│ ├─ Decrypt message (Kc,s)
│ │
│◀──── Response ─────────────────────┤
│ │
Usage:
- Client/Server key pair generation
- Ticket encryption
- Session key distribution
Process:
// Key generation
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
KeyPair keyPair = keyGen.generateKeyPair();
// Encryption (with Public Key)
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] encrypted = cipher.doFinal(data);
// Decryption (with Private Key)
cipher.init(Cipher.DECRYPT_MODE, privateKey);
byte[] decrypted = cipher.doFinal(encrypted);Why RSA?
- ✅ Secure key distribution
- ✅ No shared secret needed
- ✅ Public keys can be freely distributed
Usage:
- Session key encryption
- Message encryption/decryption
- Fast bulk data encryption
Process:
// Key generation
SecretKey sessionKey = generateSessionKey(); // 256-bit
// Encryption
Cipher cipher = Cipher.getInstance("AES");
cipher.init(Cipher.ENCRYPT_MODE, sessionKey);
byte[] encrypted = cipher.doFinal(message.getBytes());
// Decryption
cipher.init(Cipher.DECRYPT_MODE, sessionKey);
byte[] decrypted = cipher.doFinal(encrypted);
String message = new String(decrypted);Why AES?
- ✅ Much faster than RSA
- ✅ Suitable for large messages
- ✅ Industry standard (used by NSA)
Best of Both Worlds:
┌─────────────────────────────────────────────────────────┐
│ Hybrid Encryption Architecture │
└─────────────────────────────────────────────────────────┘
PHASE 1: Key Exchange (RSA)
- Generate AES session key (256-bit)
- Encrypt session key with recipient's RSA public key
- Transmit encrypted session key
PHASE 2: Data Transmission (AES)
- Encrypt actual message with AES session key
- Transmit encrypted message
PHASE 3: Decryption (Hybrid)
- Decrypt session key with RSA private key
- Decrypt message with session key (AES)
RESULT:
✅ RSA security for key exchange
✅ AES performance for data
✅ Perfect Forward Secrecy (new key per session)
hybrid-kerberos-system/
├── src/
│ ├── Main.java # JavaFX GUI application
│ ├── KDC.java # Key Distribution Center
│ ├── Client.java # Client implementation
│ ├── Server.java # Server implementation
│ ├── Ticket.java # Service ticket structure
│ ├── TicketGrant.java # TGT structure
│ ├── Dataset.csv # User database (encrypted keys)
│ └── Log.txt # System audit log
│
├── README.md # This file
├── LICENSE # MIT License
└── .gitignore # Git ignore rules
Course: BBM 465 - Information Security Laboratory
Institution: Hacettepe University, Computer Engineering Department
Semester: Fall 2024
Group: 28
Team Members:
- Mehmet Yiğit (b2210356159)
- Mehmet Oğuz Kocadere (b2210356021)
Topics Covered:
- Kerberos authentication protocol
- Ticket-based authentication systems
- Hybrid encryption (RSA + AES)
- Public Key Infrastructure (PKI)
- Session key generation and management
- Secure client-server communication
- GUI application development (JavaFX)
- Authentication security analysis
Assignment Objectives:
- Implement Kerberos authentication protocol
- Design hybrid encryption system
- Create GUI-based authentication application
- Understand SSO (Single Sign-On) concepts
- Practice secure key management
- Analyze enterprise authentication systems
-
Ticket-Based Authentication
- Passwords never transmitted over network
- Tickets encrypted with strong encryption
- Time-limited validity (5 minutes)
-
Hybrid Encryption
- RSA 2048-bit for key exchange
- AES 256-bit for data encryption
- Industry-standard algorithms
-
Mutual Authentication
- Both client and server verified
- Prevents man-in-the-middle attacks
- Trusted third party (KDC)
-
Session Keys
- Unique key per session
- Perfect forward secrecy
- Limited exposure window
-
Centralized Key Management
- KDC controls all key pairs
- Simplified key distribution
- Single point of trust
-
Time Synchronization (Educational)
- Issue: No NTP integration
- Impact: Ticket expiration relies on local time
- Production Fix: Network Time Protocol (NTP)
- Note: Outside assignment scope
-
KDC Single Point of Failure
- Issue: If KDC down, no authentication
- Production Fix: Replicated KDC servers
- Example: Active Directory Domain Controllers
-
Password Storage (Educational)
- Issue: Plaintext passwords in CSV
- Production Fix: bcrypt/Argon2 hashing
- Example:
// Instead of: password.equals(storedPassword) // Use: BCrypt.checkpw(password, hashedPassword)
-
No Network Communication
- Issue: Single-machine simulation
- Production Fix: Network sockets, RMI, or REST API
- Note: Demonstrates protocol logic only
-
Ticket Storage
- Issue: In-memory ticket storage
- Production Fix: Encrypted persistent storage
- Example: OS credential manager, encrypted database
// 1. Password Hashing
import org.mindrot.jbcrypt.BCrypt;
String hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt(12));
// 2. Time Synchronization
import java.time.Instant;
Instant.now() // Use UTC time from NTP server
// 3. Network Communication
ServerSocket serverSocket = new ServerSocket(88); // Kerberos port
Socket clientSocket = serverSocket.accept();
// 4. Persistent Storage
// Use encrypted database or key vault
import java.security.KeyStore;
// 5. Logging and Monitoring
import org.slf4j.Logger;
Logger logger = LoggerFactory.getLogger(KDC.class);
// 6. Rate Limiting
// Prevent brute force attacks
if (failedAttempts > 5) {
Thread.sleep(30000); // 30-second delay
}By studying this project, you will understand:
- Three-party authentication model
- Ticket-based authentication flow
- Single Sign-On (SSO) implementation
- TGT vs. Service Ticket differences
- RSA for key exchange
- AES for data encryption
- Performance vs. security trade-offs
- When to use symmetric vs. asymmetric
- How Active Directory works
- Centralized authentication benefits
- Key Distribution Center role
- Session management strategies
- Public/Private key pairs
- Session key generation
- Ticket encryption mechanisms
- Timestamp-based security
- javax.crypto package usage
- KeyPairGenerator implementation
- Cipher operations
- SecretKey management
- JavaFX application structure
- Event-driven programming
- User input validation
- Real-time log display
Contributions welcome! Areas for improvement:
- Add network communication (sockets/RMI)
- Implement NTP time sync
- Add password hashing (bcrypt)
- Create REST API for services
- Add ticket renewal mechanism
- Implement KDC replication
- Add audit logging to database
- Create admin interface
- Fork repository
- Create feature branch
- Implement changes
- Test thoroughly
- Submit pull request
MIT License - see LICENSE file
Mehmet Oğuz Kocadere
- 🎓 Computer Engineering Student @ Hacettepe University
- 🔒 Focus: Authentication Systems, PKI, Enterprise Security
- 📧 Email: canmehmetoguz@gmail.com
- 🌐 GitHub: @memo-13-byte
- Classical Cryptography Toolkit - Cipher implementation & cryptanalysis
- File Integrity Checker - RSA digital signatures & PKI
- Secure Flask Auth Portal - 2FA with hash chain OTP
- Hacettepe University - Computer Engineering Department
- BBM 465 Course - Information Security Laboratory
- MIT Kerberos - Original protocol design
- Microsoft Active Directory - Real-world implementation inspiration
- Kerberos Protocol (RFC 4120)
- Java Cryptography Architecture
- JavaFX Documentation
- Microsoft Active Directory
⭐ Star this repository if you found it helpful!
Made with ❤️ for enterprise authentication education