Cybercrime is an unfortunate fact of life these days, regardless of whether we're talking about private consumers or the business world at large. No company or organization is safe, and the problem won't get any better anytime soon. Experts predict cybercrime damages to cost the world $25 trillion by 2025. As if that isn't bad enough, Forbes predicts that cybercriminals will pose an increasing risk to mobile devices, something that so many people use today.
These predictions, and so many others, point to the harsh reality that cybercrime is here to stay, and the problem is only going to get worse. Consequently, the digital world is eager to find and employ new strategies to strengthen cyber security.
Today, we are looking at the Kerberos authentication protocol. Let's pull back the curtain and get acquainted with this effective network protocol.
Let us begin with the basics by understanding what Kerberos is and how it works.
What is Kerberos? How Does Kerberos Work?
Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities.
Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena in the late '80s, Kerberos is now the default authorization technology used by Microsoft Windows. Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.
Microsoft rolled out its version of Kerberos in Windows 2000, and it's become the go-to protocol for websites and single sign-on implementations over different platforms. The Kerberos Consortium maintains Kerberos as an open-source project.
The protocol derives its name from the legendary three-headed dog Kerberos (also known as Cerberus) from Greek myths, the canine guardian to the entrance to the underworld. Kerberos had a snake tail and a particularly bad temper and, despite one notable exception, was a very useful guardian.
But in the protocol's case, the three heads of Kerberos represent the client, the server, and the Key Distribution Center (KDC). The latter functions as the trusted third-party authentication service.
Users, machines, and services that use Kerberos depend on the KDC alone, which works as a single process that provides two functions: authentication and ticket-granting. KDC "tickets" offer authentication to all parties, allowing nodes to verify their identity securely. The Kerberos authentication process employs a conventional shared secret cryptography that prevents packets traveling across the network from being read or altered, as well as protecting messages from eavesdropping and replay (or playback) attacks.
Now that we have learned what Kerberos is, let us next understand what Kerberos is used for.
What is Kerberos Used For?
Although Kerberos is found everywhere in the digital world, it is employed heavily on secure systems that depend on reliable auditing and authentication features. Kerberos is used in POSIX authentication, Active Directory, NFS, and Samba. It's also an alternative authentication system to SSH, POP, and SMTP.
What Does Kerberos Authentication Protocol Do?
MIT developed this protocol for a project named Athena. It gets its name from the three-headed dog of Hades, who guarded hell in Greek Mythology. They chose this name because the Kerberos protocol represents the following three things:
- Client
- Network Resource (Application server)
- Key Distribution Center (KDC)
With these three components, Kerberos enables trusted host authentication over untrusted networks. Kerberos ensures that only authorized users can access the network resources. Additionally, it provides AAA security: Authentication, Authorization, and Accounting.
MIT developers developed Kerberos to authenticate themselves to their required systems securely. But Kerberos also authorized the users. The development of Kerberos happened when most systems transferred unencrypted passwords. That means hackers can get unauthorized access. Therefore, the development of Kerberos was out of necessity.
Its designers were S.P. Miller, B.C. Neuman, J.I. Schiller and J.H. Saltzer.
In Kerberos, the KDC grants tickets. These allow different hosts to prove their identity. In addition, the developers intended Kerberos authentication to support authorization. That means a client authenticated by Kerberos also has access.
The Benefits of Kerberos Authentication
Kerberos brings a host of advantages to any cybersecurity setup. Its advantages include:
- Effective Access Control: Kerberos gives users a single point to keep track of logins and security policy enforcement.
- Limited Lifetime for Key Tickets: Each Kerberos ticket has a timestamp, lifetime data, and authentication duration controlled by the administrator.
- Mutual Authentication: Service systems and users can authenticate each other.
- Reusable Authentication: Kerberos user authentication is reusable and durable, requiring each user to get verified by the system just once. As long as the ticket is in effect, the user won’t have to keep entering their personal information for authentication purposes.
- Strong and Diverse Security Measures: Kerberos security authentication protocols employ cryptography, multiple secret keys, and third-party authorization, creating a strong, secure defense. Passwords do not get sent over networks, and all secret keys are encrypted.
As part of learning what Kerberos is, let's check out the Kerberos protocol flow.
Kerberos Objects Concepts and Terms
Most goals of Kerberos deal with password management. It ensures that passwords do not get transmitted over the network. Passwords are not kept on the client systems; the system discards them immediately after use. Passwords should not be stored in plain text. And each session must use only one password.
Additionally, all authentication information will be in a centralized server. That means:
- An administrator can restrict access of any client from a centralized server.
- A single user password can access all the services.
- Protecting user information becomes less complicated as you only have to secure one server.
In Kerberos, all entities must authenticate to each other upon prompt.
The following entities use Kerberos protocols:
- Kerberos Principals: They represent a unique ID assigned to the ticket. It is the same as the user ID for most users. Kerberos identifies a principal with the following information:
  - For users, it is the username; for hosts, the word host; and for services, the principal is the name of the service.
  - An optional identifier that specifies the hostname.
  - The name of the Kerberos realm in which the Kerberos server operates.
- Kerberos Application Servers: They provide access to the resources clients need.
- Kerberos KDC: This entity provides access to the resources, such as terminal emulation and remote computing.
- Kerberos Database: This database has the record of each principal. It is a centralized repository of Kerberos and contains the identification of clients and their access.
- Kerberos Authentication Service: This service grants the Ticket Granting Ticket (TGT) for clients.
- Kerberos Ticket Granting Service: This service authenticates the clients based on the TGT.
After authentication, the user gets an authentication ticket. The client can use the authentication ticket to get tickets for accessing application services.
What is Kerberos: Protocol Flow Overview
Here’s a more detailed look at what Kerberos authentication is all about. We will also learn how it works by breaking it down into its core components.
Here are the principal entities involved in the typical Kerberos workflow:
- Client: The client acts on behalf of the user and initiates communication for a service request
- Server: The server hosts the service the user wants to access
- Authentication Server (AS): The AS performs the desired client authentication. If the authentication happens successfully, the AS issues the client a ticket called TGT (Ticket Granting Ticket). This ticket assures the other servers that the client is authenticated
- Key Distribution Center (KDC): In a Kerberos environment, the authentication server is logically separated into three parts: a database (db), the Authentication Server (AS), and the Ticket Granting Server (TGS). These three parts, in turn, exist in a single server called the Key Distribution Center
- Ticket Granting Server (TGS): The TGS is an application server that issues service tickets as a service
Now let's break down the protocol flow.
First, there are three crucial secret keys involved in the Kerberos flow. There are unique secret keys for the client/user, the TGS, and the server shared with the AS.
- Client/user: Hash derived from the user's password
- TGS secret key: Hash of the password employed in determining the TGS
- Server secret key: Hash of the password used to determine the server providing the service.
The protocol flow consists of the following steps:
Step 1: Initial client authentication request. The user asks for a Ticket Granting Ticket (TGT) from the authentication server (AS). This request includes the client ID.
Step 2: KDC verifies the client's credentials. The AS checks the database for the client and TGS's availability. If the AS finds both values, it generates a client/user secret key, employing the user's password hash.
The AS then computes the TGS secret key and creates a session key (SK1) encrypted by the client/user secret key. The AS then generates a TGT containing the client ID, client network address, timestamp, lifetime, and SK1. The TGS secret key then encrypts the ticket.
Step 3: The client decrypts the message. The client uses the client/user secret key to decrypt the message and extract the SK1 and TGT, generating the authenticator that validates the client's TGS.
Step 4: The client uses TGT to request access. The client requests a ticket from the server offering the service by sending the extracted TGT and the created authenticator to TGS.
Step 5: The KDC creates a ticket for the file server. The TGS then uses the TGS secret key to decrypt the TGT received from the client and extracts the SK1. The TGS decrypts the authenticator and checks to see if it matches the client ID and client network address. The TGS also uses the extracted timestamp to make sure the TGT hasn't expired.
If the process conducts all the checks successfully, then the KDC generates a service session key (SK2) that is shared between the client and the target server.
Finally, the KDC creates a service ticket that includes the client id, client network address, timestamp, and SK2. This ticket is then encrypted with the server's secret key obtained from the db. The client receives a message containing the service ticket and the SK2, all encrypted with SK1.
Step 6: The client uses the file ticket to authenticate. The client decrypts the message using SK1 and extracts SK2. This process generates a new authenticator containing the client network address, client ID, and timestamp, encrypted with SK2, and sends it and the service ticket to the target server.
Step 7: The target server receives decryption and authentication. The target server uses the server's secret key to decrypt the service ticket and extract the SK2. The server uses SK2 to decrypt the authenticator, performing checks to make sure the client ID and client network address from the authenticator and the service ticket match. The server also checks the service ticket to see if it's expired.
Once the checks are met, the target server sends the client a message verifying that the client and the server have authenticated each other. The user can now engage in a secure session.
After coming so far in learning what Kerberos is, let us next look into whether Kerberos is infallible.
How Do Kerberos Authentication Protocols Work?
Below you can see a crude version of how the Kerberos Authentication Protocols work:
- Authentication Server Request: The client requests authentication from KDC. This authentication request would be in plain text.
- Authentication Server Response: KDC sends a TGT and a session key if the client exists in the database. If the client is not in the database, the authentication fails.
- Service Ticket Request: The client asks for the service ticket along with the TGT sent earlier by the KDC.
- Service Ticket Response: KDC sends the ticket encrypted with the session key. The client can use the session key sent earlier by KDC to decrypt the service ticket.
- Application Server Request: The client requests the application server for access using the service ticket.
- Application Server Response: The application server authenticates the client. It sends a ticket that will grant access to that particular service.
The service ticket has a specific expiry time. You can use the same session ticket to access services until it expires. The default lifetime of a Kerberos ticket is 600 minutes.
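The seven-step flow and the request/response summary above can be traced end to end in a short simulation. This is an added example, not code from the original article or from any Kerberos implementation: the principal names, passwords and addresses are constructed, the keystream-plus-HMAC `seal` function is a toy stand-in for real Kerberos encryption types, and a plain SHA-256 of the password replaces the real string-to-key derivation.

```python
import hashlib, hmac, json, os
LIFETIME = 600 * 60  # seconds; the 600-minute default lifetime quoted on this page

def key_of(password):  # simplification: real Kerberos uses a salted string-to-key function
    return hashlib.sha256(password.encode()).digest()

def _xor(key, nonce, data):  # toy SHA-256 keystream, stands in for a real cipher such as AES
    n = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):  # encrypt, then append an HMAC tag so a wrong key or tampering is detected
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, json.dumps(obj).encode())
    return body + hmac.new(key, body, hashlib.sha256).digest()
def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, body[:16], body[16:]))

# Constructed KDC database: one long-term key per principal (names and passwords are made up)
DB = {"alice": key_of("alice-pw"), "tgs": key_of("tgs-pw"), "fileserver": key_of("fs-pw")}

def issue(reply_key, ticket_key, client, addr, now):
    """New session key, inside a ticket only the target can open, plus a copy for the client."""
    sk = os.urandom(16).hex()
    tkt = seal(ticket_key, {"client": client, "addr": addr, "ts": now, "life": LIFETIME, "sk": sk})
    return seal(reply_key, {"sk": sk, "ticket": tkt.hex()})

def check(ticket_key, tkt_blob, auth_blob, addr, now):  # the checks of steps 5 and 7
    tkt = unseal(ticket_key, tkt_blob)                  # only the ticket's target holds this key
    auth = unseal(bytes.fromhex(tkt["sk"]), auth_blob)  # proves the sender knows the session key
    if [auth["client"], auth["addr"], addr] != [tkt["client"], tkt["addr"], tkt["addr"]]:
        raise PermissionError("authenticator does not match ticket")
    if now > tkt["ts"] + tkt["life"]:
        raise PermissionError("ticket expired")
    return tkt

def as_exchange(client, addr, now):  # steps 1-2: request names the client, carries no password
    return issue(DB[client], DB["tgs"], client, addr, now)
def tgs_exchange(tgt_blob, auth_blob, service, addr, now):  # step 5
    tgt = check(DB["tgs"], tgt_blob, auth_blob, addr, now)
    return issue(bytes.fromhex(tgt["sk"]), DB[service], tgt["client"], addr, now)

def open_reply(key, reply, client, addr, now):  # steps 3 and 6: client side
    msg = unseal(key, reply)
    sk = bytes.fromhex(msg["sk"])
    return sk, bytes.fromhex(msg["ticket"]), seal(sk, {"client": client, "addr": addr, "ts": now})

def login(client, password, addr, service, now):  # whole flow; returns the name the server accepts
    sk1, tgt, auth1 = open_reply(key_of(password), as_exchange(client, addr, now), client, addr, now)
    _, st, auth2 = open_reply(sk1, tgs_exchange(tgt, auth1, service, addr, now), client, addr, now)
    return check(DB[service], st, auth2, addr, now)["client"]  # step 7
```

A wrong password fails at step 3 because the client cannot open the AS reply, and the client can never read or alter the TGT itself, since it is sealed under the TGS key.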
Kerberos vs. Other Network Authentication Protocols
There are other authentication protocols besides Kerberos; you can read about them below.
Kerberos vs. Microsoft New Technology LAN Manager (NTLM)
NTLM by Microsoft is the former technology used by Windows. From Windows 2000, all editions use Kerberos. In addition, NTLM used a challenge-response authentication. Here, the server asks a question, and the client must answer.
Kerberos vs. Lightweight Directory Access Protocol (LDAP)
Using LDAP, you can maintain information about users. Moreover, you can find Kerberos and LDAP on one network: LDAP provides authorization service, and Kerberos authenticates.
Kerberos vs. Remote Authentication Dial-in User Service (RADIUS)
Its goal was to allow dial-in users to access Internet Service Providers remotely. However, network services use it for accounting and authenticating along with Kerberos.
Is Kerberos Secure?
Now, you know the answer to the question, "What is Kerberos?". You might be wondering if it is secure.
Security practitioners worldwide consider Kerberos to be secure. It has strong encryption to secure data. However, security researchers have found a few ways to defeat Kerberos.
- Pass-the-key attack: Attackers impersonate clients by using their credentials.
- Pass-the-ticket attack: Attackers use the ticket when KDC sends the session ticket.
- Golden ticket attack: Attackers use Windows domain controllers to create client credentials.
Can Kerberos be Hacked?
No security measure is 100% impregnable, and Kerberos is no exception. Since it's been around for so long, hackers have had the opportunity over the years to find ways around it, usually by forging tickets, making repeated attempts to guess passwords (brute force/credential stuffing), and using malware to downgrade the encryption.
Despite this, Kerberos is still the best security access protocol available today. The protocol is flexible enough to employ more robust encryption algorithms to help combat new threats, and if users practice good password choice policies, you should be fine!
Is Kerberos Obsolete?
Longevity doesn’t automatically mean obsolescence. Despite some instances where cyber-criminals have broken through Kerberos (and we’ve already established that no security system is 100 percent impregnable), it’s still in heavy use and enjoys a solid reputation.
Do You Want to Learn More About Cyber Security?
The cybersecurity field is a vast and diverse place, covering many different topics, subjects, and procedures. If you're looking for effective ways to improve your cybersecurity knowledge, then you should consider some of the following.
There is a steady demand for certified ethical hackers to help test systems and spot vulnerabilities. Check out Simplilearn's Ethical Hacking Course and get started on the career path of a white hat hacker. Or, maybe you want more knowledge regarding relevant IS topics like CompTIA Security+ or COBIT 2019.
Perhaps you want to explore different information security training courses such as Certified Information Security Manager, Certified Cloud Security Professional, or Certified Information Systems Auditor.
Finally, you can shoot for the prestigious Cyber Security Expert Master's Program, which covers many of the above topics in one convenient plan. Indeed reports that cybersecurity specialists in the United States can earn an average of $108,389 annually, while the same position in India brings in an average yearly salary of ₹963,367.
Do You Want a Cyber Security Career?
If you're looking for a career that's challenging, rewarding, and offers excellent job security, then a position in the field of information security is for you! Simplilearn's Certified Information Systems Security Professional (CISSP) Certification training course helps you realize your dream by developing your expertise in defining the IT security architecture using globally approved information security standards. The comprehensive course teaches you common techniques used in the industry and prepares you for the CISSP certification exam held by (ISC)².
You get 67 hours of in-depth learning, five simulation test papers to help prepare you for CISSP certification, the requisite 30 CPEs needed for taking the exam, and a voucher for the exam itself.