As per Forbes, 34.5% of the executives polled last year said that cyber adversaries had attacked their organization’s accounting and financial information. More strikingly, 22% of that group experienced one or more cyber incidents, while 12.5% were hit several times. These figures underscore how exposed financial systems are to cyber threats.
What Is Kerberos?
Kerberos is a network authentication protocol that lets trusted hosts authenticate service requests across an untrusted network such as the internet, using a system of keys and tickets. It was created at the Massachusetts Institute of Technology (MIT) in 1987 for Project Athena. The name comes from Cerberus, the three-headed dog of Greek mythology that guarded the gates of Hades.
Kerberos can be summarized as a system that:
- Provides centralized authentication
- Verifies user access rights
- Issues tickets for accessing resources
Kerberos Objects
In Kerberos, the key objects are Principals, the Key Distribution Center (KDC), the Authentication Server (AS), the Ticket Granting Server (TGS), Service Tickets, Keytabs, and Realms. Using these objects, Kerberos authenticates requests and gives users and services a secure proof of identity, supporting the access controls required within the network environment.
Key Kerberos Components and Architecture
The Kerberos authentication system is built on a set of important parts that work together to securely verify users and give them access to network services. Let’s break down each key component and architecture one by one:
1. Client (User or Device)
The client is the user or device that wants to access something on the network—like a file server or database. To do this, the client starts the login process and talks to the Kerberos server to get special access tickets. These tickets prove the user is who they say they are.
2. Authentication Server (AS)
The Authentication Server is the first stop in the Kerberos process. When the user logs in, the AS checks their username and password. If everything is correct, it gives the client a special ticket called a Ticket Granting Ticket (TGT). This TGT lets the user ask for other tickets without typing in their password again.
3. Ticket Granting Server (TGS)
The Ticket Granting Server gives users tickets to access services. The client sends the TGT to the TGS and asks for a Service Ticket. If the TGT is valid, the TGS sends back a ticket for the specific service the user wants to use.
4. Key Distribution Center (KDC)
The Key Distribution Center, or KDC, is the main brain of the Kerberos system. It combines both the AS and TGS. The KDC stores secret keys and handles all requests for tickets. Every Kerberos realm (a network domain) has its own KDC.
5. Principals (Identities)
A Principal is simply the name of any user, computer, or service known to the Kerberos system. A user principal has the form username@REALM, and a service principal has the form service/hostname@REALM (realm names are conventionally written in upper case).
6. Realm
A Realm is a Kerberos version of a domain—like a big network area where the same rules and KDC apply. Every user, service, and computer belongs to a Kerberos realm.
7. Service
A Service is anything the user wants to access—like a printer, email system, or shared folder. Each service has its own principal, and users must show a valid Kerberos ticket to get access.
8. Ticket
A Ticket is an encrypted data structure that proves the user’s identity. It contains the username, service information, timestamps, and a secret session key. Kerberos tickets are time-limited to reduce the window in which a stolen ticket could be misused.
9. Keytab File
A Keytab is a file that stores long-term secret keys for services. It’s used instead of typing passwords. This helps automate logins for background services or servers that need to authenticate without human help.
10. Session Key
A Session Key is a temporary key that’s created when a ticket is given out. It helps encrypt the messages between the client and the service. That way, even if someone intercepts the messages, they won’t be able to read them.
11. Encryption Types
Kerberos uses strong symmetric encryption to protect your identity and data. Modern deployments use AES-based encryption types; older types such as RC4 and DES are considered weak and are deprecated.
Working of Kerberos
Kerberos is a network authentication protocol that uses symmetric-key cryptography to authenticate users and services without transmitting passwords over the network. Let’s have a look at the steps:
- Initialization: The Kerberos system starts with the configuration of the Key Distribution Center (KDC). Every user and service that will authenticate is registered with the KDC in advance, and the KDC holds a long-term secret key for each of them that is known only to the KDC and to that principal.
- Authentication Request: To authenticate, the client first sends a request to the Authentication Server (AS) that identifies the user in plain text; the AS looks the user up and generates a Ticket Granting Ticket (TGT) together with a symmetric session key.
- Ticket Granting: After successful authentication, the AS returns the encrypted TGT to the client. The TGT is then used to request service tickets without the user having to re-authenticate.
- Service Ticket Request: To access a specific service, the client sends a request to the Ticket Granting Server (TGS) that includes the TGT and names the service it wants.
- Service Ticket Generation: The TGS verifies the TGT provided by the client and, if it is valid, issues a Service Ticket (ST) for the requested service.
- Service Ticket Presentation: The client presents the ST to the service it wants to access. The service decrypts the ST using the secret key it shares with the KDC, which lets it verify the user’s identity and the timestamp.
- Session Establishment: After successful validation of the ST, the service establishes a session with the client. The session key carried in the ST is used to encrypt communication between the client and the service for the duration of the session.
- Ticket Expiration and Renewal: Kerberos tickets, both TGTs and STs, have a limited validity period to limit replay attacks. A client can ask the KDC to renew a ticket before it expires.
Usage of Kerberos
As a network security protocol, Kerberos is utilized in security systems requiring reliable authentication and auditing features such as POSIX authentication, Active Directory, NFS, and Samba. Some usages are:
1. Single Sign On (SSO)
It is commonly used in business settings with Microsoft Active Directory. Users log in using their domain credentials and once authenticated through the Kerberos protocol, they can access network resources like shared folders, printers, and applications without having to re-enter their login details. This smooth access is made possible by the Kerberos Single Sign-On feature.
2. Network Authentication
For accessing shared folders within a Windows domain, the user’s computer sends a Network authentication request to the Key Distribution Center (KDC) via Kerberos. Following authentication, the KDC issues a ticket that the user then presents to the file server for access. The file server validates this ticket with the KDC before granting entry to the shared folder.
3. Mutual Authentication
It plays a role when a client application connects to a database server using Kerberos for authentication. As part of establishing this connection, both the client and server authenticate each other through Kerberos. This mutual verification ensures trust between both parties, safeguarding against access and data breaches.
4. Access Control Enforcement
In a Unix-based environment, Kerberos authentication comes into play when a user tries to access a file on a server. The server checks the user’s ticket to confirm their identity; based on the identity data in the ticket, it then applies its access control rules to permit or deny access to the file.
5. Authentication for Protocols
This involves hardening access via SSH. Instead of relying on username and password verification, SSH can be configured to accept Kerberos tickets (through GSSAPI) for authentication, which adds an extra level of protection against brute-force attacks and password interception.
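As an added illustration of the SSH case (this is example configuration written for this edit, not from the original post), the fragments below show the server-side sshd_config directives that enable Kerberos-ticket login through GSSAPI and turn off password login, alongside the matching client-side ssh_config settings. The host pattern *.example.com is a placeholder. For the client’s ticket to be accepted, the server must also hold a host/<fqdn> key in its keytab, and both machines need clocks within the realm’s permitted skew.

```text
# /etc/ssh/sshd_config (server side)
# Weak setting being replaced: GSSAPIAuthentication no / PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no

# ~/.ssh/config (client side)
# Present the Kerberos ticket, but do not forward the TGT to the remote host
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

Leaving GSSAPIDelegateCredentials off matters because delegation hands the user’s TGT to the remote host, which turns a compromise of that host into a compromise of the user’s identity across the realm.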
Features of the Kerberos Authentication Protocol
- Kerberos authentication streamlines access control by serving as an authentication server for a network, making it easier to manage user access rights and security policies.
- This setup removes the need for individual services to handle authentication, ensuring consistent access control network-wide.
- Kerberos issues time-limited tickets, usually lasting hours to days, which narrows the window for attacks. Once tickets expire, users must re-authenticate with Kerberos to obtain new ones, so access control is continuously enforced.
- Kerberos facilitates mutual authentication between users and network services. Both parties confirm each other’s identities, preventing unauthorized entry and impersonation attempts.
- After being verified, users can reach network resources without entering credentials, boosting efficiency while upholding security standards.
- Kerberos employs security measures such as encryption to safeguard data like passwords and keys from being transmitted in plain text.
- By using algorithms and secure protocols, it thwarts eavesdropping and tampering efforts, establishing a security framework for network authentication and access control.
Advantages of Kerberos Authentication
The Kerberos authentication protocol provides users with centralized access control, controlled ticket lifetimes, mutual authentication, reusable authentication, and strong security measures.
- Enhanced Access Control: Kerberos streamlines user logins and enforces security policies, making access control management more straightforward.
- Time Limited Key Tickets: Each Kerberos ticket includes a timestamp and expiration date, empowering administrators to regulate authentication duration.
- Mutual Authentication: Users and service systems authenticate each other, bolstering security.
- Reusable Authentication: With Kerberos, users enjoy long-lasting authentication without repeated logins for as long as the ticket remains valid.
- Robust Security Protocols: Kerberos relies on cryptography, multiple secret keys, and trusted third-party authentication. Passwords are never transmitted over the network; keys derived from them are used instead.

Kerberos Protocol Flow
The Kerberos protocol flow consists of client verification, TGT issuance, a service ticket request, the service ticket grant, access to the service, and establishment of a session key.
1. Request for Client Verification:
- The client starts the process by asking the Authentication Server (AS) for a Ticket Granting Ticket (TGT).
- The request includes the client’s username.
2. TGT Issued by AS:
- The AS confirms the client’s identity and returns a TGT together with a session key; the session key is encrypted with a key derived from the client’s password.
- The TGT acts as proof of authentication for the client.
3. Request for Service Ticket:
- The client asks the Ticket Granting Server (TGS) for a service ticket to access a network service.
- This request includes the TGT received from the AS and the details of the desired service.
4. Service Ticket Granted by TGS:
- The TGS validates the TGT and permits access to the service.
- The service ticket is encrypted with the target service’s key and carries a session key to be shared with that service.
5. Accessing Services:
- The client submits the service ticket to gain entry to the desired service.
- The target service decrypts the ticket using its own key to confirm the client’s identity. Upon verification, the client is granted access to that service.
6. Establishing Session Key:
- While accessing the service, the client and server establish a session key for communication.
- This session key encrypts and decrypts the messages exchanged between them during the interaction. When the session finishes or expires, the session key becomes unusable; to continue, the client must re-authenticate, which deters unauthorized access.
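The steps listed under “Working of Kerberos” and the six-stage protocol flow in this section can be traced end to end in code. The following Python simulation is an added example written for this edit; it is not code from the original post or from any real Kerberos implementation. It models the KDC (AS and TGS), a client and a service in one process. The realm EXAMPLE.COM, the principal names, the password and the fixed clock value are all constructed sample data, and seal/unseal are a toy authenticated-encryption stand-in for a real Kerberos encryption type such as AES. The example shows pre-authentication with an encrypted timestamp, the three exchanges (AS, TGS, AP), ticket expiry, the service’s replay cache, and the AP-REP that gives mutual authentication.

```python
import hashlib
import hmac
import json
import secrets

CLOCK_SKEW = 300          # seconds of tolerated clock drift (krb5 defaults to 5 minutes)
TICKET_LIFETIME = 36000   # 10 hours, a common default ticket lifetime

# Toy authenticated encryption standing in for a Kerberos enctype such as
# aes256-cts-hmac-sha1-96; dependency-free for the example, NOT for production.
# Layout of a sealed blob: nonce || ciphertext || HMAC-SHA256 tag.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, payload):
    plain = json.dumps(payload).encode()
    nonce = secrets.token_bytes(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))

def string_to_key(password, salt):
    # The user's long-term key is derived from the password; the password itself never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

def _fresh(ts, now):
    return abs(now - ts) <= CLOCK_SKEW

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) for one realm."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}                 # principal -> long-term key
        self.tgs_key = self.register(f"krbtgt/{realm}@{realm}")

    def register(self, principal, password=None):
        key = string_to_key(password, principal) if password else secrets.token_bytes(32)
        self.keys[principal] = key
        return key                                        # for a service: its keytab entry

    def as_exchange(self, cname, pa_enc_timestamp, now):
        # Pre-authentication: only a client holding the password-derived key can
        # encrypt a timestamp we can open, and that timestamp must be recent.
        client_key = self.keys[cname]
        if not _fresh(unseal(client_key, pa_enc_timestamp)["ts"], now):
            raise PermissionError("stale pre-authentication timestamp")
        body = {"cname": cname, "key": secrets.token_bytes(32).hex(),
                "expires": now + TICKET_LIFETIME}
        return seal(self.tgs_key, body), seal(client_key, body)   # TGT, client's copy

    def tgs_exchange(self, tgt, authenticator, sname, now):
        t = unseal(self.tgs_key, tgt)                     # only the KDC can open a TGT
        if now > t["expires"]:
            raise PermissionError("TGT expired; client must re-authenticate")
        tgt_session = bytes.fromhex(t["key"])
        auth = unseal(tgt_session, authenticator)
        if auth["cname"] != t["cname"] or not _fresh(auth["ts"], now):
            raise PermissionError("bad authenticator")
        body = {"cname": t["cname"], "sname": sname, "key": secrets.token_bytes(32).hex(),
                "expires": min(t["expires"], now + TICKET_LIFETIME)}
        return seal(self.keys[sname], body), seal(tgt_session, body)  # ST, client's copy

class Service:
    def __init__(self, principal, keytab_key):
        self.principal, self.key, self.replay_cache = principal, keytab_key, set()

    def ap_exchange(self, st, authenticator, now):
        t = unseal(self.key, st)                          # no KDC round-trip needed
        if t["sname"] != self.principal or now > t["expires"]:
            raise PermissionError("ticket not for this service or expired")
        session = bytes.fromhex(t["key"])
        auth = unseal(session, authenticator)
        if auth["cname"] != t["cname"] or not _fresh(auth["ts"], now):
            raise PermissionError("bad authenticator")
        if (auth["cname"], auth["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["cname"], auth["ts"]))
        # AP-REP: only a holder of the service key could have read the authenticator,
        # so echoing its timestamp under the session key proves the service's identity.
        return seal(session, {"ts": auth["ts"]})

def login_and_access(kdc, service, cname, password, now):
    """Run the full AS -> TGS -> AP flow; return the session key both sides now share."""
    ckey = string_to_key(password, cname)
    tgt, enc = kdc.as_exchange(cname, seal(ckey, {"ts": now}), now)
    tgt_session = bytes.fromhex(unseal(ckey, enc)["key"])     # a wrong password fails here
    st, enc = kdc.tgs_exchange(tgt, seal(tgt_session, {"cname": cname, "ts": now}),
                               service.principal, now)
    svc_session = bytes.fromhex(unseal(tgt_session, enc)["key"])
    ap_rep = service.ap_exchange(st, seal(svc_session, {"cname": cname, "ts": now}), now)
    if unseal(svc_session, ap_rep)["ts"] != now:              # mutual authentication check
        raise PermissionError("service failed to prove its identity")
    return svc_session

if __name__ == "__main__":
    # Constructed sample realm: one user, one HTTP service, fixed clock for reproducibility.
    realm = KDC("EXAMPLE.COM")
    realm.register("alice@EXAMPLE.COM", "correct horse battery staple")
    web = Service("HTTP/www.example.com@EXAMPLE.COM", realm.register("HTTP/www.example.com@EXAMPLE.COM"))
    key = login_and_access(realm, web, "alice@EXAMPLE.COM", "correct horse battery staple", 1_700_000_000)
    print("shared session key established, first bytes:", key.hex()[:16])
```

Two design points carry over to real deployments: the service never contacts the KDC during the AP exchange (the ticket is verifiable with the keytab key alone), and the replay cache plus the clock-skew window are what make a captured authenticator useless, which is why Kerberos breaks when clocks drift.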
Kerberos vs. Other Networks
1. Comparison between Kerberos and Lightweight Directory Access Protocol (LDAP):
- For authentication, Kerberos focuses on using tickets to authorize access to network services. It relies on a Key Distribution Center (KDC) for issuing tickets.
- LDAP serves as a protocol for managing directory services like Active Directory. Its main role is to store and organize information related to network resources, such as user accounts, rather than focusing on authentication.
2. Contrast between Kerberos and Remote Authentication Dial-in User Service (RADIUS):
- Providing authentication for hosts over insecure networks like the internet is where Kerberos shines. It employs tickets, and it is dependent on symmetric key cryptography for communications.
- RADIUS functions as a networking protocol that centrally manages authentication, authorization, and accounting (AAA) for users accessing network services. It is commonly employed in scenarios involving access, like dial-up or VPN connections.
3. Differences between Kerberos and Microsoft NT LAN Manager (NTLM):
- As the default authentication protocol in Windows systems from Windows 2000 onwards, Kerberos offers features such as mutual authentication and encrypted communication.
- NTLM, the authentication protocol that preceded Kerberos in Windows environments, relies on a challenge-response mechanism. It is deemed less secure than Kerberos.
Feature | Kerberos Authentication Protocol | LDAP Protocol | RADIUS Protocol | NTLM Protocol
---|---|---|---|---
Primary Use | Secure login system using tickets | Directory service management | Authentication over network access | Legacy Windows authentication
Authentication Method | Ticket-based, uses Key Distribution Center (KDC) | Not mainly for authentication | Username/password-based with AAA | Challenge-response
Security Mechanism | Symmetric key encryption | Stores user data, not highly secure | Supports encryption but not as strong as Kerberos | Less secure than Kerberos
Mutual Authentication | Yes: both client and server verify each other | No | Optional | No
Common Usage | Active Directory, SSO, secure app logins | Organizing user accounts in AD | VPNs, wireless access, ISP logins | Older Windows environments
Password Transmission | Never sent over network (high security) | Passwords may be used | Passwords sent, sometimes encrypted | Encrypted but weaker
Performance | Fast and efficient in large networks | Depends on server size | Fast, scalable | Slower and outdated
Security Level | High: robust encryption and ticket system | Medium: focuses on organization | Medium: suitable for remote access | Low: vulnerable to attacks
Conclusion
In this blog, we have discussed what Kerberos is and walked through its authentication workflow in a simple way. In practice, implementing Kerberos authentication is considerably more complex. Kerberos lets companies rely on a centralized authentication server and on protocols that help build security walls around software applications.
Kerberos serves as the base authentication protocol used across the industry for making secure software applications. It has been a proven security solution for a long time, and most operating systems ship with built-in support for it.
This blog about Kerberos ends here; it has covered how Kerberos serves as a foundation for securing applications.