
Kerberos

Kohl [Koh91] describes the Kerberos model as follows: "Kerberos was developed to enable network applications to securely identify their peers. To achieve this, the initiating party (the client) conducts a three-party message exchange in order to send the contacted party (the server) an assurance of the client's identity. This assurance takes the form of a ticket, which identifies the client, and an authenticator which serves to validate the use of that ticket and prevent an intruder from replaying the same ticket to the server in a future session. A ticket is only valid for a given interval, called a lifetime. When the interval ends, the ticket expires; any later authentication exchanges would require a new ticket."

Kerberos can be used for local logins, remote authentication, and for client/server requests. Where applicable, differences between Kerberos version 4 and Kerberos version 5 are pointed out.

Message Content Authentication can be provided for traffic exchanged after the ticket is accepted: the client and server share the session key carried in the ticket, and messages are encrypted under it with DES in CBC mode. Since decryption alone does not reliably reveal tampering with ciphertext, Kerberos protects such messages with a checksum computed under the session key as well. Message Origin Authentication follows from the protocol used for General Identity Authentication: only the two parties that completed the ticket and authenticator exchange hold the session key, so a message that verifies under it must have come from one of them.
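The following is an added example, not code from Barkley's report or from any Kerberos implementation. It models the exchange described above end to end: a key distribution center issues a ticket (sealed under the server's long-term key and carrying a fresh session key) and returns it to the client sealed under the client's key; the client builds an authenticator under the session key; the server checks the ticket's lifetime, the authenticator's timestamp and a replay cache; and the same session key then protects later messages. Everything about it is a simplification chosen for the example: the AS/TGS split is collapsed into one issuing step, the principal names "alice" and "fileserver" and the 5-minute clock-skew limit are assumptions, and the `seal`/`unseal` cipher (an HMAC-SHA256 keystream plus an HMAC tag) is a stand-in for DES so that the code runs with the Python standard library alone.

```python
"""Toy model of the Kerberos ticket / authenticator exchange (added example, not Kerberos code)."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for DES, not a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; a failed tag is how tampering is detected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Holds every principal's long-term key (assumed setup; AS and TGS collapsed into one step)."""

    def __init__(self, keys: dict):
        self.keys = keys

    def issue_ticket(self, client: str, server: str, now: int, lifetime: int) -> bytes:
        session_key = os.urandom(32)
        # The ticket is readable only by the server; it binds client name, session key and lifetime.
        ticket = seal(self.keys[server], {"client": client, "server": server,
                                          "session_key": session_key.hex(),
                                          "start": now, "end": now + lifetime})
        # The reply is readable only by the client and hands it the session key plus the ticket.
        return seal(self.keys[client], {"server": server, "session_key": session_key.hex(),
                                        "ticket": ticket.hex()})


def client_request(client_key: bytes, kdc_reply: bytes, client: str, now: int):
    """Client opens the KDC reply and builds an authenticator under the session key."""
    rep = unseal(client_key, kdc_reply)
    session_key = bytes.fromhex(rep["session_key"])
    authenticator = seal(session_key, {"client": client, "timestamp": now})
    return bytes.fromhex(rep["ticket"]), authenticator, session_key


class Server:
    MAX_SKEW = 300  # assumed clock-skew limit in seconds (5 minutes)

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.seen = {}  # replay cache: (client, timestamp) -> time the entry can be dropped

    def accept(self, ticket: bytes, authenticator: bytes, now: int):
        t = unseal(self.key, ticket)  # only this server can open its own tickets
        if t["server"] != self.name:
            raise PermissionError("ticket is for another server")
        if not t["start"] <= now < t["end"]:
            raise PermissionError("ticket expired")
        sk = bytes.fromhex(t["session_key"])
        a = unseal(sk, authenticator)  # only a holder of the session key could have built this
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(a["timestamp"] - now) > self.MAX_SKEW:
            raise PermissionError("stale authenticator")
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}  # purge old entries
        key = (a["client"], a["timestamp"])
        if key in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen[key] = now + self.MAX_SKEW
        return t["client"], sk


def run_demo() -> dict:
    """Constructed scenario: a valid login, a replay, an expired ticket, a tampered message."""
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}  # constructed principals
    kdc, srv = KDC(keys), Server("fileserver", keys["fileserver"])
    now = int(time.time())
    reply = kdc.issue_ticket("alice", "fileserver", now, lifetime=8 * 3600)
    ticket, auth, sk = client_request(keys["alice"], reply, "alice", now)
    results = {"first": srv.accept(ticket, auth, now)[0]}
    try:  # an intruder replays the captured ticket + authenticator a few seconds later
        srv.accept(ticket, auth, now + 10)
    except PermissionError as e:
        results["replay"] = str(e)
    try:  # a fresh authenticator cannot revive a ticket whose lifetime has ended
        srv.accept(ticket, seal(sk, {"client": "alice", "timestamp": now + 9 * 3600}), now + 9 * 3600)
    except PermissionError as e:
        results["expired"] = str(e)
    blob = seal(sk, {"op": "read", "path": "/etc/motd"})  # session-key protected request
    results["message"] = unseal(sk, blob)["op"]
    bad = bytearray(blob)
    bad[20] ^= 1  # flip one ciphertext bit; the checksum catches it
    try:
        unseal(sk, bytes(bad))
    except ValueError as e:
        results["tampered"] = str(e)
    return results
```

The replay cache is keyed on (client, timestamp) and entries live only as long as the skew window, which is exactly why the window matters: an authenticator older than MAX_SKEW is rejected outright, so the cache never needs to remember anything older than that.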





John Barkley
Fri Oct 7 16:17:21 EDT 1994