What Is Kerberos, How Does It Work, and What Is It Used For?

Cybercrime is an unfortunate fact of life these days, regardless of whether we're talking about private consumers or the business world at large. No company or organization is safe, and the problem won't get any better anytime soon. Experts predict cybercrime damages to cost the world $6.1 trillion by 2021. As if that isn't bad enough, Forbes predicts that an increasing number of cybercriminals will be using Artificial Intelligence (AI) to scale their attacks.

These predictions, and so many others, point to the harsh reality that cybercrime is here to stay, and the problem is only going to get worse. Consequently, the digital world is eager to find and employ new strategies to strengthen cyber security.

Today, we are looking at authentication protocols—Kerberos, to be exact. Let's pull back the curtain and get acquainted with this effective network protocol, including what is Kerberos authentication, what is Kerberos protocol, and what does Kerberos do.

Let us begin with the basics by understanding what is Kerberos and how it works.

Get skilled in Cyber Security and beat hackers in their own game with the Certified Ethical Hacker Training Course! Enroll now!

What is Kerberos? And How Does it Work?

Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities.

Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena in the late '80s, Kerberos is now the default authorization technology used by Microsoft Windows. Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.

Microsoft rolled out its version of Kerberos in Windows 2000, and it's become the go-to protocol for websites and single sign-on implementations over different platforms. The Kerberos Consortium maintains the Kerberos as an open-source project.

The protocol derives its name from the legendary three-headed dog Kerberos (also known as Cerberus) from Greek myths, the canine guardian to the entrance to the underworld. Kerberos had a snake tail and a particularly bad temper and, despite one notable exception, was a very useful guardian.

But in the protocol's case, the three heads of Kerberos represent the client, the server, and the Key Distribution Center (KDC). The latter functions as the trusted third-party authentication service.

Users, machines, and services that use Kerberos depend on the KDC alone, which works as a single process that provides two functions: authentication and ticket-granting. KDC "tickets" offer authentication to all parties, allowing nodes to verify their identity securely. The Kerberos authentication process employs a conventional shared secret cryptography that prevents packets traveling across the network from being read or altered, as well as protecting messages from eavesdropping and replay (or playback) attacks.

Now that we have learned what is Kerberos, let us next understand what is Kerberos used for.

Cybersecurity Expert Master's Program

Master the Skills of a Cybersecurity ProfessionalView Course
Cybersecurity Expert Master's Program

What is Kerberos Used For?

Although Kerberos is found everywhere in the digital world, it is employed heavily on secure systems that depend on reliable auditing and authentication features. Kerberos is used in Posix authentication, and Active Directory, NFS, and Samba. It's also an alternative authentication system to SSH, POP, and SMTP.

As a part of the learning flow of what Kerberos is, let us next learn about the Kerberos protocol flow.

Kerberos Protocol Flow Overview

Let's take a more detailed look at what Kerberos authentication is and how it works by breaking it down into its core components.

Here are the principal entities involved in the typical Kerberos workflow:

  • Client. The client acts on behalf of the user and initiates communication for a service request
  • Server. The server hosts the service the user wants to access
  • Authentication Server (AS). The AS performs the desired client authentication. If the authentication happens successfully, the AS issues the client a ticket called TGT (Ticket Granting Ticket). This ticket assures the other servers that the client is authenticated
  • Key Distribution Center (KDC). In a Kerberos environment, the authentication server logically separated into three parts: A database (db), the Authentication Server (AS), and the Ticket Granting Server (TGS). These three parts, in turn, exist in a single server called the Key Distribution Center
  • Ticket Granting Server (TGS). The TGS is an application server that issues service tickets as a service

Now let's break down the protocol flow.

First, there are three crucial secret keys involved in the Kerberos flow. There are unique secret keys for the client/user, the TGS, and the server shared with the AS.

  • Client/user. Hash derived from the user's password
  • TGS secret key. Hash of the password employed in determining the TGS
  • Server secret key. Hash of the password used to determine the server providing the service.

The protocol flow consists of the following steps:

Step 1: Initial client authentication request. The user asks for a Ticket Granting Ticket (TGT) from the authentication server (AS). This request includes the client ID.

Step 2: KDC verifies the client's credentials. The AS checks the database for the client and TGS's availability. If the AS finds both values, it generates a client/user secret key, employing the user's password hash.

The AS then computes the TGS secret key and creates a session key (SK1) encrypted by the client/user secret key. The AS then generates a TGT containing the client ID, client network address, timestamp, lifetime, and SK1. The TGS secret key then encrypts the ticket.

Step 3: The client decrypts the message. The client uses the client/user secret key to decrypt the message and extract the SK1 and TGT, generating the authenticator that validates the client's TGS.

Step 4: The client uses TGT to request access. The client requests a ticket from the server offering the service by sending the extracted TGT and the created authenticator to TGS.

Step 5: The KDC creates a ticket for the file server. The TGS then uses the TGS secret key to decrypt the TGT received from the client and extracts the SK1. The TGS decrypts the authenticator and checks to see if it matches the client ID and client network address. The TGS also uses the extracted timestamp to make sure the TGT hasn't expired.

If the process conducts all the checks successfully, then the KDC generates a service session key (SK2) that is shared between the client and the target server.

Finally, the KDC creates a service ticket that includes the client id, client network address, timestamp, and SK2. This ticket is then encrypted with the server's secret key obtained from the db. The client receives a message containing the service ticket and the SK2, all encrypted with SK1.

Step 6: The client uses the file ticket to authenticate. The client decrypts the message using SK1 and extracts SK2. This process generates a new authenticator containing the client network address, client ID, and timestamp, encrypted with SK2, and sends it and the service ticket to the target server.

Step 7: The target server receives decryption and authentication.  The target server uses the server's secret key to decrypt the service ticket and extract the SK2. The server uses SK2 to decrypt the authenticator, performing checks to make sure the client ID and client network address from the authenticator and the service ticket match. The server also checks the service ticket to see if it's expired.

Once the checks are met, the target server sends the client a message verifying that the client and the server have authenticated each other. The user can now engage in a secure session.

After coming so far in learning what Kerberos is, let us next look into the topic if Kerberos is infallible.

Is Kerberos Infallible?

No security measure is 100% impregnable, and Kerberos is no exception. Since it's been around for so long, hackers have had the opportunity over the years to find ways around it, usually by forging tickets, making repeated attempts to guess passwords (brute force/credential stuffing), and using malware to downgrade the encryption.

Despite this, Keberos is still the best security access protocol available today. The protocol is flexible enough to employ more robust encryption algorithms to help combat new threats, and if users practice good password choice policies, you should be fine!

Wish to accelerate your cyber security career? Try answering these CISSP Exam Prep Practice Test and know your understanding of the concepts.

Do You Want to Learn More About Cyber Security?

The cybersecurity field is a vast and diverse place, covering many different topics, subjects, and procedures. If you're looking for effective ways to improve your cybersecurity knowledge, then you should consider some of the following.

There is a steady demand for certified ethical hackers to help test systems and spot vulnerabilities. Check out Simplilearn's Ethical Hacking Course course and get started on the career path of a white hat hacker. Or, maybe you want more knowledge regarding relevant IS topics like CompTIA Security+  or COBIT 5.

Perhaps you want to explore different information security training courses such as Certified Information Security Manager, Certified Cloud Security Professional, or Certified Information Systems Auditor.

Finally, you can shoot for the prestigious Cyber Security Expert Master's Program, which covers many of the above topics in one convenient plan.

Cybersecurity Career Guide

The Path to Becoming a Cybersecurity ExpertDOWNLOAD GUIDE
Cybersecurity Career Guide

Do You Want a Cyber Security Career?

If you're looking for a career that's challenging, rewarding, and offers excellent job security, then a position in the field of information security is for you! Simplilearn's Certified Information Systems Security Professional (CISSP) Certification training course helps you realize your dream by developing your expertise in defining the IT security architecture using globally approved information security standards. The comprehensive course teaches you common techniques used in the industry and prepares you for the CISSP certification exam held by (ISC)².

You get 67 hours of in-depth learning, five simulation test papers to help prepare you for CISSP certification, the requisite 30 CPEs needed for taking the exam, and a voucher for the exam itself.

Don't delay! Get started today, and let Simplilearn help you reach your cybersecurity goals! 

About the Author

SimplilearnSimplilearn

Simplilearn is one of the world’s leading providers of online training for Digital Marketing, Cloud Computing, Project Management, Data Science, IT, Software Development, and many other emerging technologies.

View More
  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.