Cybercrime is an unfortunate fact of life these days, regardless of whether we're talking about private consumers or the business world at large. No company or organization is safe, and the problem won't get any better anytime soon. Experts predict cybercrime damages to cost the world $25 trillion by 2025. As if that isn't bad enough, Forbes predicts that cybercriminals will pose an increasing risk to mobile devices, something that so many people use today.
These predictions, and so many others, point to the harsh reality that cybercrime is here to stay, and the problem is only going to get worse. Consequently, the digital world is eager to find and employ new strategies to strengthen cyber security.
Today, we are looking at the Kerberos authentication protocol. Let's pull back the curtain and get acquainted with this effective network protocol.
Let us begin with the basics by understanding what is Kerberos and how it works.
What is Kerberos? And How Does it Work?
Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities.
Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena in the late '80s, Kerberos is now the default authorization technology used by Microsoft Windows. Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.
Microsoft rolled out its version of Kerberos in Windows 2000, and it's become the go-to protocol for websites and single sign-on implementations over different platforms. The Kerberos Consortium maintains the Kerberos as an open-source project.
The protocol derives its name from the legendary three-headed dog Kerberos (also known as Cerberus) from Greek myths, the canine guardian to the entrance to the underworld. Kerberos had a snake tail and a particularly bad temper and, despite one notable exception, was a very useful guardian.
But in the protocol's case, the three heads of Kerberos represent the client, the server, and the Key Distribution Center (KDC). The latter functions as the trusted third-party authentication service.
Users, machines, and services that use Kerberos depend on the KDC alone, which works as a single process that provides two functions: authentication and ticket-granting. KDC "tickets" offer authentication to all parties, allowing nodes to verify their identity securely. The Kerberos authentication process employs a conventional shared secret cryptography that prevents packets traveling across the network from being read or altered, as well as protecting messages from eavesdropping and replay (or playback) attacks.
Now that we have learned what is Kerberos, let us next understand what is Kerberos used for.
What is Kerberos Used For?
Although Kerberos is found everywhere in the digital world, it is employed heavily on secure systems that depend on reliable auditing and authentication features. Kerberos is used in Posix authentication, and Active Directory, NFS, and Samba. It's also an alternative authentication system to SSH, POP, and SMTP.
The Benefits of Kerberos Authentication
Kerberos brings a host of advantages to any cybersecurity setup. Its advantages include:
- Effective Access Control: Kerberos gives users a single point to keep track of logins and security policy enforcement.
- Limited Lifetime for Key Tickets: Each Kerberos ticket has a timestamp, lifetime data, and authentication duration controlled by the administrator.
- Mutual Authentication: Service systems and users can authenticate each other.
- Reusable Authentication: Kerberos user authentication is reusable and durable, requiring each user to get verified by the system just once. As long as the ticket is in effect, the user won’t have to keep entering their personal information for authentication purposes.
- Strong and Diverse Security Measures: Kerberos security authentication protocols employ cryptography, multiple secret keys, and third-party authorization, creating a strong, secure defense. Passwords do not get sent over networks, and all secret keys are encrypted.
As a part of the learning flow of learning what Kerberos is, let’s check out the Kerberos protocol flow.
What is Kerberos: Protocol Flow Overview
Here’s a more detailed look at what Kerberos authentication is all about. We will also learn how it works by breaking it down into its core components.
Here are the principal entities involved in the typical Kerberos workflow:
- Client: The client acts on behalf of the user and initiates communication for a service request
- Server: The server hosts the service the user wants to access
- Authentication Server (AS): The AS performs the desired client authentication. If the authentication happens successfully, the AS issues the client a ticket called TGT (Ticket Granting Ticket). This ticket assures the other servers that the client is authenticated
- Key Distribution Center (KDC): In a Kerberos environment, the authentication server logically separated into three parts: A database (db), the Authentication Server (AS), and the Ticket Granting Server (TGS). These three parts, in turn, exist in a single server called the Key Distribution Center
- Ticket Granting Server (TGS): The TGS is an application server that issues service tickets as a service
Now let's break down the protocol flow.
First, there are three crucial secret keys involved in the Kerberos flow. There are unique secret keys for the client/user, the TGS, and the server shared with the AS.
- Client/user: Hash derived from the user's password
- TGS secret key: Hash of the password employed in determining the TGS
- Server secret key: Hash of the password used to determine the server providing the service.
The protocol flow consists of the following steps:
Step 1: Initial client authentication request. The user asks for a Ticket Granting Ticket (TGT) from the authentication server (AS). This request includes the client ID.
Step 2: KDC verifies the client's credentials. The AS checks the database for the client and TGS's availability. If the AS finds both values, it generates a client/user secret key, employing the user's password hash.
The AS then computes the TGS secret key and creates a session key (SK1) encrypted by the client/user secret key. The AS then generates a TGT containing the client ID, client network address, timestamp, lifetime, and SK1. The TGS secret key then encrypts the ticket.
Step 3: The client decrypts the message. The client uses the client/user secret key to decrypt the message and extract the SK1 and TGT, generating the authenticator that validates the client's TGS.
Step 4: The client uses TGT to request access. The client requests a ticket from the server offering the service by sending the extracted TGT and the created authenticator to TGS.
Step 5: The KDC creates a ticket for the file server. The TGS then uses the TGS secret key to decrypt the TGT received from the client and extracts the SK1. The TGS decrypts the authenticator and checks to see if it matches the client ID and client network address. The TGS also uses the extracted timestamp to make sure the TGT hasn't expired.
If the process conducts all the checks successfully, then the KDC generates a service session key (SK2) that is shared between the client and the target server.
Finally, the KDC creates a service ticket that includes the client id, client network address, timestamp, and SK2. This ticket is then encrypted with the server's secret key obtained from the db. The client receives a message containing the service ticket and the SK2, all encrypted with SK1.
Step 6: The client uses the file ticket to authenticate. The client decrypts the message using SK1 and extracts SK2. This process generates a new authenticator containing the client network address, client ID, and timestamp, encrypted with SK2, and sends it and the service ticket to the target server.
Step 7: The target server receives decryption and authentication. The target server uses the server's secret key to decrypt the service ticket and extract the SK2. The server uses SK2 to decrypt the authenticator, performing checks to make sure the client ID and client network address from the authenticator and the service ticket match. The server also checks the service ticket to see if it's expired.
Once the checks are met, the target server sends the client a message verifying that the client and the server have authenticated each other. The user can now engage in a secure session.
After coming so far in learning what Kerberos is, let us next look into the topic if Kerberos is infallible.
Can Kerberos be Hacked?
No security measure is 100% impregnable, and Kerberos is no exception. Since it's been around for so long, hackers have had the opportunity over the years to find ways around it, usually by forging tickets, making repeated attempts to guess passwords (brute force/credential stuffing), and using malware to downgrade the encryption.
Despite this, Keberos is still the best security access protocol available today. The protocol is flexible enough to employ more robust encryption algorithms to help combat new threats, and if users practice good password choice policies, you should be fine!
Is Kerberos Obsolete?
Longevity doesn’t automatically mean obsolescence. Despite some instances where cyber-criminals have broken through Kerberos (and we’ve already established that no security system is 100 percent impregnable), it’s still in heavy use and enjoys a solid reputation.
Wish to accelerate your cyber security career? Try answering these CISSP Exam Prep Practice Test and know your understanding of the concepts.
Do You Want to Learn More About Cyber Security?
The cybersecurity field is a vast and diverse place, covering many different topics, subjects, and procedures. If you're looking for effective ways to improve your cybersecurity knowledge, then you should consider some of the following.
There is a steady demand for certified ethical hackers to help test systems and spot vulnerabilities. Check out Simplilearn's Ethical Hacking Course course and get started on the career path of a white hat hacker. Or, maybe you want more knowledge regarding relevant IS topics like CompTIA Security+ or COBIT 2019.
Perhaps you want to explore different information security training courses such as Certified Information Security Manager, Certified Cloud Security Professional, or Certified Information Systems Auditor.
Finally, you can shoot for the prestigious Cyber Security Expert Master's Program, which covers many of the above topics in one convenient plan. Indeed reports that cybersecurity specialists in the United States can earn an average of $108,389 annually, while the same position in India brings in an average yearly salary of ₹963,367.
Do You Want a Cyber Security Career?
If you're looking for a career that's challenging, rewarding, and offers excellent job security, then a position in the field of information security is for you! Simplilearn's Certified Information Systems Security Professional (CISSP) Certification training course helps you realize your dream by developing your expertise in defining the IT security architecture using globally approved information security standards. The comprehensive course teaches you common techniques used in the industry and prepares you for the CISSP certification exam held by (ISC)².
You get 67 hours of in-depth learning, five simulation test papers to help prepare you for CISSP certification, the requisite 30 CPEs needed for taking the exam, and a voucher for the exam itself.
Don't delay! Get started today, and let Simplilearn help you reach your cybersecurity goals!