Home > Blog > Cyber Security Articles > What is Kerberos? Working and Authentication

What is Kerberos? Working and Authentication

What is Kerberos? Working and Authentication

Table of content

Show More

As per Forbes, 34.5% of the executives polled last year said that cyber adversaries attacked their organization’s accounting and financial information. It is however shocking that from this group, 22% experienced one or more cyber incidents while 12.5% were hit several times. These figures underscore how insecure financial systems are to cyber threats.

Watch the below video to learn about cybersecurity:

Video Thumbnail

What Is Kerberos?

Kerberos is a computer network security authentication protocol that authorizes service requests between trusted hosts on the untrusted network and the internet through a key-ticket system. It was created by the Massachusetts Institute of Technology (MIT) in 1987 for the project Athena. The name Kerberos originated from the Greek mythology name “Cerberus,” meaning a three-headed dog who guarded the gates of Hades. 

Kerberos can be defined as:

  1. Centralized authentication system
  2. Verifies user access rights
  3. Issue tickets for accessing the resources

Also, learn about the cipher

Kerberos Objects

In Kerberos, the key objects are the Principals, Key Distribution Center (KDC), Authentication Server (AS),  Ticket Granting Server (TGS), Service Tickets, Keytaba, and Realms. With the use of these objects, Kerberos can authenticate the requests and provide a secure authentication pass to websites and users. They ensure safe authentication along with the access controls required within the network environment.

Enroll in this Ethical Hacking Course to head toward a bright future!

Key Kerberos Components and Architecture

In Kerberos, the various components of the architecture are: 

1. Client: The client starts the authentication process. Interacts with the Kerberos system to get tickets for using network services.

2. Authentication Server: The Authentication Server (AS) is where clients go first for authentication. It checks client identities. Gives out Ticket Granting Tickets (TGTs) once authentication is successful.

3. Ticket Granting Server: The Ticket Granting Server (TGS) provides service tickets to clients, allowing them access to network services. Clients show their TGTs to the TGS when asking for service tickets.

4.  Key Distribution Center: The Key Distribution Center (KDC) combines the roles of AS and TGS. It acts as a hub for authentication services in Kerberos, handling authentication requests and ticket issuance.

5. Principals: They are identities in the Kerberos system representing users, hosts, or services. Each principal has a name. Belongs to a specific realm.

6. Realm: A realm is a domain in Kerberos identified by a realm name. It consists of a group of principals and services managed by a KDC.

7. Service: Services refer to network resources or applications used by clients. Each service has a service principal associated with it for authentication and ticket issuance.

8. Ticket: Tickets are encrypted tokens given out by the AS or TGS, allowing access to services. The files hold details regarding the client’s identification, desired service, and temporary access key.

9. Keytabs: Keytabs are files that store long-term keys, also known as service keys; they are stored in the Kerberos database. They are automated authentication services and an alternative to password-based authentication.

10. Session key: These keys serve as codes embedded in service tickets. They enable the encryption of exchanges between clients and services during verified sessions.

11. Encryption types: Kerberos offers a range of encryption techniques to safeguard authentication and communication, such as DES, Triple DES, AES, and RC4.

Check out the blog on what is privacy.

Working of Kerberos

Kerberos is a network authentication protocol that uses symmetric-key cryptography to authenticate users and services without transmitting passwords over the network. Let’s have a look at the steps:

  1. Initialization: The Kerberos system starts by configuring the Key Distribution Centre (KDC); each user and Kerberos authentication are already registered at KDC. KDC assigns a unique key, which is only visible to itself.
  2. Authentication Request: For the authentication, the user first responds with plain text to the Authentication Server, which then identifies and generates the Ticket Granting Ticket (TGT) with a symmetric key.
  3. Ticket Granting: After successful authentication, the AS forwards the encrypted TGT to the user. TGTs serve as request service tickets without the need for the ticket to re-authenticate.
  4. Service Ticket Request: For accessing a specific service, the user requests the TGS along with the TGT; the service is included in the service requested by the user.
  5. Service Ticket Generation: Ticket Generating Service (TGS) verifies the TGT provided by the user and, if valid, issues a Service Ticket (ST) for the demanded service.
  6. Service Ticket Presentation: The user represents the ST it wants to access, and the service is decrypted by the ST using the secret key shared with TGS, which verifies the user’s identity and Timestamp.
  7. Session Establishment: After successful validation by ST, it establishes the session with the user. The session key in ST is used for encrypting communication between the user and the service during the session.
  8. Ticket Expiration and Renewal: Kerberos tickets, along with TGTs and STs, have a limited validity period to prevent replay attacks. A request by a user can be made to renew a service through KDC.

Looking to get started in Ethical Hacking? Head to our blog on Ethical Hacking Tutorial for beginners.

Usage of Kerberos

As a network security protocol, Kerberos is utilized in security systems requiring reliable authentication and auditing features such as POSIX authentication, Active Directory, NFS, and Samba. Some usages are:

  • Single Sign On (SSO): It is commonly used in business settings with Microsoft Active Directory. Users log in using their domain credentials and once authenticated through the Kerberos protocol, they can access network resources like shared folders, printers, and applications without having to re-enter their login details. This smooth access is made possible by the Kerberos Single Sign-On feature.
  • Network Authentication: For accessing shared folders within a Windows domain, the user’s computer sends an authentication request to the Key Distribution Center (KDC) via Kerberos. Following authentication, the KDC issues a ticket that the user then presents to the file server for access. The file server validates this ticket with the KDC before granting entry to the shared folder.
  • Mutual Authentication: It plays a role when a client application connects to a database server using Kerberos for authentication. As part of establishing this connection, both the client and server authenticate each other through Kerberos. This mutual verification ensures trust between both parties, safeguarding against access and data breaches.
  • Access Control Enforcement: in a Unix-based environment utilization of Kerberos for authentication is considered when a user is trying to access a file on a server. The server cross-checks the user’s ticket to confirm their identity and permissions. When the ticket contains data, the server decides whether to permit or reject entry to the file based on access control rules.
  • Authentication for Protocols: It involves enhancing access via SSH. Depending on username and password verification, SSH can be set up to utilize Kerberos tickets for authenticating and add an extra level of protection against brute force attacks and password interception.

Also, check out the Kali Linux Tutorial

Get 100% Hike!

Master Most in Demand Skills Now!

Features of the Kerberos Authentication Protocol 

  • Kerberos authentication streamlines access control by serving as an authentication server for a network, making it easier to manage user access rights and security policies.
  • This setup removes the need for individual services to handle authentication, ensuring consistent access control network-wide.
  • It issues time-limited tickets, usually lasting from hours to days, which narrows the window for attacks. Users must re-authenticate with Kerberos to get tickets once they expire, ensuring access control.
  • Kerberos facilitates mutual authentication between users and network services. Both parties confirm each other’s identities, preventing entry and impersonation attempts.
  • After being verified, users can reach network resources without entering credentials, boosting efficiency while upholding security standards.
  • Kerberos employs security measures such as encryption to safeguard data like passwords and keys from being transmitted in plain text. 
  • By using algorithms and secure protocols, it thwarts eavesdropping and tampering efforts, establishing a security framework for network authentication and access control.

Enhance your cybersecurity skills with our comprehensive Cyber Security Training program!

Advantages of Kerberos Authentication

Kerberos authentication protocol provides the users with centralized access control, controlled ticket lifetimes, mutual authentication, reusable authentication, and strong security measures. 

  1.  Enhanced Access Control: Kerberos streamlines user logins and enforces security policies, making access control management more straightforward.
  1.  Time Limited Key Tickets: Each Kerberos ticket includes a timestamp and expiration date, empowering administrators to regulate authentication duration.
  1.  Mutual Authentication: Users and service systems authenticate, bolstering security measures.
  1.  Reusable Authentication: With Kerberos, users can enjoy long-lasting authentication without the need for logins as long as the ticket remains valid.
  1.  Robust Security Protocols: Kerberos implements security protocols like cryptography, multiple secret keys, and third-party authorization. Passwords are securely encrypted without transmission over networks.

EPGC in Cyber Security and Ethical Hacking

Kerberos Protocol Flow

The flow of Kerberos consists of client verification, ticket generation, requests through the service, ticket grants, accessing the services, and the establishment of a session key.

1. Request for Client Verification:

  • Starts the process by asking for a Ticket Granting Ticket (TGT) from the Authentication Server (AS).
  • Includes the client’s username in the request.

2. TGT Issued by AS:

  • AS confirms the client’s identity. Provides a TGT encrypted with a session key generated from the client’s password.
  • The TGT acts as authentication for the client.

3. Request for Service Ticket:

  • The client asks the Ticket Granting Server (TGS) for a service ticket to access a network service.
  • This request includes the TGT received from AS and details of the desired service.

4. Service Ticket Granted by TGS:

  • TGS validates the TGT and permits access to the service.
  • A service ticket is encrypted with a session key shared with the target service.

5. Accessing Services:

  • The client submits the service ticket to gain entry to the desired service.
  • The target service decrypts this ticket using their shared session key to confirm identity.

Upon verification, the client is granted access to that service.

6. Establishing Session Key:

  • While accessing services, both the client and server establish a session key for communication.
  • This session key is used to encrypt and decrypt messages exchanged between them during interaction. Upon finishing or when the session expires, the session key becomes unusable. To continue with sessions and uphold security measures, re-authentication is necessary to deter access.

Also, check out the blog What is Cyber Crime?

Kerberos vs. Other Networks

1. Comparison between Kerberos and Lightweight Directory Access Protocol (LDAP):

  • For authentication, Kerberos focuses on using tickets to authorize access to network services. It relies on a Key Distribution Center (KDC) for issuing tickets.
  • LDAP serves as a protocol for managing directory services like Active Directory. Its main role is to store and organize information related to network resources, such as user accounts, rather than focusing on authentication.

2. Contrast between Kerberos and Remote Authentication Dial-in User Service (RADIUS):

  • Providing authentication for hosts over insecure networks like the internet is where Kerberos shines. It employs tickets, and it is dependent on symmetric key cryptography for communications.
  • RADIUS functions as a networking protocol that centrally manages authentication, authorization, and accounting (AAA) for users accessing network services. It is commonly employed in scenarios involving access, like dial-up or VPN connections.

3. Differences between Kerberos and Microsoft NT LAN Manager (NTLM):

  • As the default authentication protocol in Windows systems starting from Windows 2000 onwards, Kerberos offers features such as authentication and encrypted communication.
  • NTLM, an authentication protocol before Kerberos in Windows environments, is responsible for employing challenge-response mechanisms. It is deemed more secure than Kerberos.

Conclusion

In this blog, we have discussed what Kerberos is and its authentication workflow in a simple way. However, practically, the implementation of the Kerberos authentication process is much more complex. Kerberos allows companies to use its centralized authentication server for using protocols that help build security walls for software applications.

Kerberos serves as the base authentication protocol that is used in the industry for making secure software apps. It has been a proven security solution for a long period. Most operating systems use it for creating encryption algorithms.

This blog about Kerberos ends here; it has covered all about how Kerberos serves as the base for securing applications.

About the Author

Shivanshu
Shivanshu
Lead Penetration Tester, Searce Inc

Shivanshu is a distinguished cybersecurity expert and Penetration tester. He specialises in identifying vulnerabilities and securing critical systems against cyber threats. Shivanshu has a deep knowledge of tools like Metasploit, Burp Suite, and Wireshark.