Which type of protocol is Kerberos?

Kerberos is a network authentication protocol that lets a client and a server authenticate each other over an untrusted network. It is built on symmetric-key cryptography; the flow below uses three long-term shared secret keys plus short-lived session keys. Users still log in with a username and password, but the password is only used locally to derive a key and is never transmitted across the network.

The name comes from Greek mythology: Kerberos (Cerberus) is the three-headed hound that guards the gates to the underworld. The three heads are usually said to stand for the three parties in the exchange (the client, the server and the trusted third party); this post maps them onto the three long-term shared secret keys that appear in the flow.

Suppose a client wants to access the resources of a remote server using Kerberos. The client must first be verified by a trusted third party, the Key Distribution Center (KDC). A KDC consists of two logical services, which usually run in the same process:
- Authentication Server (AS)
- Ticket Granting Server (TGS)

Keeping those details in mind, let’s come to the summarized flow of the Kerberos authentication protocol.

Step 1:
The client sends a request (AS-REQ) to the AS naming the user principal and asking for a Ticket Granting Ticket. The request itself is not encrypted; with pre-authentication enabled (the default in modern deployments) it carries a timestamp encrypted with a key derived from the user's password. The KDC database stores that same derived key for every principal, so the password never crosses the network. This user key is the first shared secret: the client knows it because it knows the password, and the AS knows it from its database.

Step 2:
The AS looks up the user's key, decrypts the timestamp and checks that it is recent. If that succeeds, the user is verified. The AS then replies (AS-REP) with two items: a Ticket Granting Ticket (TGT), which contains the user's name and a freshly generated TGT session key and is encrypted with the second shared secret, the TGS's own long-term key (the krbtgt key, known only to the KDC); and a copy of the TGT session key encrypted with the user's key, so that only the real user can read it. The client cannot decrypt the TGT; it simply stores it.

Step 3:
The client sends the TGT to the TGS (TGS-REQ) together with the name of the target service and an authenticator, a timestamp encrypted with the TGT session key.

Step 4:
The TGS decrypts the TGT with the krbtgt key, recovers the TGT session key and uses it to decrypt the authenticator, which proves that the sender holds the session key and that the request is fresh. It then issues a service ticket containing the user's name and a new service session key, encrypted with the third shared secret: the long-term key of the target service, which the service keeps in its keytab and the KDC keeps in its database. The reply (TGS-REP) also carries the service session key encrypted with the TGT session key so the client can read it.

Step 5:
The client sends the service ticket and a new authenticator, encrypted with the service session key, to the remote server (AP-REQ). The server decrypts the ticket with its own long-term key, with no round trip to the KDC, and validates the authenticator against the session key found inside the ticket.

Step 6:
If the ticket and authenticator check out, the server grants access for the validity period stated in the ticket. If the client asked for mutual authentication, the server also returns a reply (AP-REP) encrypted with the service session key, proving to the client that it holds the service key.
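To make the three long-term keys and two session keys concrete, here is a runnable toy model of the six steps above. It is an added example, not code from this post or from MIT Kerberos: the cipher is a stdlib-only stand-in (an HMAC-SHA256 keystream plus a MAC) rather than a Kerberos encryption type, messages are JSON dictionaries instead of ASN.1, and the realm EXAMPLE.COM, the user alice, the service host/fs01 and the lifetimes are all made up. The password derivation (PBKDF2 over realm and principal) does mirror what the Kerberos AES encryption types do.

```python
"""Toy model of the six-step flow above: AS-REQ/AS-REP, TGS-REQ/TGS-REP and AP-REQ with the
three long-term keys (user, krbtgt, service) and two session keys. Added example, not the
post's or MIT's code; the cipher is a stdlib-only stand-in (HMAC-SHA256 keystream + MAC),
not a Kerberos enctype (real deployments use AES-CTS-HMAC, RFC 3962)."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300         # seconds; authenticators outside this window are rejected
TICKET_LIFETIME = 600  # seconds; toy value, real tickets default to hours

def derive_key(password: str, salt: str) -> bytes:
    """User long-term key: Kerberos AES enctypes run PBKDF2 over realm + principal.
    The KDC stores only this key, so the password itself never crosses the network."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """nonce || ciphertext || MAC (toy construction)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(t: dict, auth: dict) -> None:
    """Ticket must be unexpired; authenticator must be fresh and for the same principal."""
    if time.time() > t["expires"]:
        raise ValueError("ticket expired")
    if auth["cname"] != t["cname"] or abs(time.time() - auth["timestamp"]) > MAX_SKEW:
        raise ValueError("bad authenticator")

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""
    def __init__(self, realm: str, db: dict):
        self.realm, self.db = realm, db   # db: principal -> long-term key

    def as_exchange(self, cname: str, preauth: bytes):
        """Steps 1-2: pre-auth timestamp proves the user key; reply carries the TGT
        (sealed under the krbtgt key) and the TGT session key (under the user key)."""
        ckey = self.db[cname]
        if abs(time.time() - decrypt(ckey, preauth)["timestamp"]) > MAX_SKEW:  # wrong pw raises
            raise ValueError("pre-authentication failed")
        sk = os.urandom(32)
        tgt = encrypt(self.db["krbtgt"], {"cname": cname, "key": sk.hex(),
                                          "expires": time.time() + TICKET_LIFETIME})
        return tgt, encrypt(ckey, {"key": sk.hex(), "sname": "krbtgt"})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        """Steps 3-4: the TGS trusts the TGT because only the krbtgt key could have
        sealed it; it never sees the user's password."""
        t = decrypt(self.db["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        _check(t, decrypt(sk, authenticator))
        ssk = os.urandom(32)
        ticket = encrypt(self.db[sname], {"cname": t["cname"], "key": ssk.hex(),
                                          "expires": time.time() + TICKET_LIFETIME})
        return ticket, encrypt(sk, {"key": ssk.hex(), "sname": sname})

def client_login(kdc: KDC, cname: str, password: str, sname: str):
    """Client side of steps 1-5: derive key, get TGT, get service ticket, build AP-REQ."""
    ckey = derive_key(password, kdc.realm + cname)
    tgt, rep = kdc.as_exchange(cname, encrypt(ckey, {"timestamp": time.time()}))
    sk = bytes.fromhex(decrypt(ckey, rep)["key"])   # only the real user can open this
    ticket, rep2 = kdc.tgs_exchange(
        tgt, encrypt(sk, {"cname": cname, "timestamp": time.time()}), sname)
    ssk = bytes.fromhex(decrypt(sk, rep2)["key"])
    return ticket, encrypt(ssk, {"cname": cname, "timestamp": time.time()})

def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Steps 5-6, run by the target server with its own (keytab) key; no KDC round trip."""
    t = decrypt(service_key, ticket)
    _check(t, decrypt(bytes.fromhex(t["key"]), authenticator))
    return t["cname"]

def demo(password: str = "correct horse battery", tamper: bool = False):
    """Constructed realm with hypothetical names: one user, the krbtgt key, one service.
    Returns the authenticated principal, or None if any party rejects."""
    realm = "EXAMPLE.COM"
    db = {"alice": derive_key("correct horse battery", realm + "alice"),
          "krbtgt": os.urandom(32), "host/fs01": os.urandom(32)}
    try:
        ticket, authenticator = client_login(KDC(realm, db), "alice", password, "host/fs01")
        if tamper:   # flip one bit of the sealed service ticket
            ticket = ticket[:-1] + bytes([ticket[-1] ^ 1])
        return service_verify(db["host/fs01"], ticket, authenticator)
    except ValueError:
        return None
```

demo() returns the principal the service accepted; demo("wrong password") fails at step 2 because the KDC cannot open the pre-authentication timestamp, and demo(tamper=True) fails at step 5 because the service's integrity check on the ticket fails. Note what each party never sees: the service never sees the user's password or the krbtgt key, and the client never sees the inside of either ticket, which is exactly why possession of the krbtgt key or of a service key is enough to forge the corresponding ticket.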

Kerberos was a major improvement over the authentication technologies that preceded it. It is an IETF standard (RFC 4120 for version 5), not a web standard, and it is widely used to implement single sign-on (SSO) across platforms, most visibly in Windows Active Directory domains. Its use of strong cryptography and a trusted third party makes it much harder for an attacker on the network to compromise the client-server exchange, although the KDC and the long-term keys it holds become a high-value target.

Please feel free to share your ideas on the post if you found the content useful.



What is Kerberos?

Kerberos is one of the oldest authentication protocols still in wide use, and it has been the default authentication protocol in Windows domains since Windows 2000. Developed at MIT in the 1980s as part of Project Athena, version 5 was first published as an IETF standard in 1993 (RFC 1510, since replaced by RFC 4120). Kerberos, named after the three-headed dog of ancient Greek mythology, uses a three-party authentication mechanism that inserts a trusted third party called the Key Distribution Center (KDC) into the authentication process. The KDC breaks down into two logical services, the Authentication Server (AS) and the Ticket Granting Server (TGS). The fundamental idea is to eliminate sending passwords over the network: neither the password nor a hash of it is ever transmitted; instead a key derived from the password is used to encrypt and decrypt messages at both ends, so each side proves knowledge of the password without revealing it.

Over the years Kerberos has undergone several revisions. The current protocol is version 5; the latest MIT reference implementation release at the time of writing was 1.18.3, published in November 2020. Early implementations used DES, later supplemented by 3DES; both are now deprecated (RFC 6649 and RFC 8429) in favour of the AES encryption types defined in RFC 3962. In 2008, shortly after the public release of TLS 1.2, the IETF began exploring running Kerberos over TLS to protect KDC traffic; support exists but is not enabled by default, and in practice the initial exchange is hardened mainly by pre-authentication and FAST (RFC 6113) rather than by TLS.

How does Kerberos work?

Kerberos is fundamentally a symmetric-key protocol: each party shares a long-term key with the KDC, and the same key is used for encryption and decryption. Public-key cryptography enters only through an extension, PKINIT (RFC 4556), which lets the initial exchange with the AS use certificates (for example smart-card logon) instead of a password-derived key.

Authentication is a complex process, but here is a simplified rundown:

  1. The user enters a username and password; the client derives the user's long-term key from the password.
  2. The client sends a request to the authentication server (AS), including a timestamp encrypted with that key as pre-authentication.
  3. The AS verifies the timestamp, generates a temporary session key, and returns it to the client together with a Ticket Granting Ticket (TGT) sealed with the ticket granting service's (TGS) key.
  4. The client presents the TGT to the TGS, which issues a service ticket and a service session key.
  5. The client presents the service ticket and an authenticator to the target server and gets access.

What are common security vulnerabilities with Kerberos?

Attackers continue to target Kerberos directly to steal or forge authentication material. Golden ticket attacks (forging TGTs with a stolen krbtgt key), silver ticket attacks (forging service tickets with a stolen service account key), pass-the-ticket (reusing tickets stolen from another host's cache), and more have been used by capable attackers for lateral movement and privilege escalation.

In 2017, researchers found a flaw that had existed in Kerberos implementations for more than twenty years (publicised as Orpheus' Lyre). Tickets were not sent unencrypted; rather, a KDC reply carries some metadata both in plaintext and inside the encrypted part, and the affected clients (Heimdal and Windows, not MIT) took the service name from the unauthenticated plaintext copy. An attacker on the network could alter that plaintext and have a ticket for one service accepted as a ticket for another, defeating mutual authentication and letting them impersonate a service to the client. Patches were issued for the affected implementations and for the affected Windows versions (Windows Server, Vista, and Windows 7, 8 and 8.1); systems on those versions that have not been patched remain exposed.
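The tactics named above leave characteristic gaps in domain controller logs, because forged tickets never pass through the KDC's issuing path. The following is an added detection example, not from this page or from any vendor: it correlates three real Windows Security event IDs (4768 TGT requested, 4769 service ticket requested, 4624 logon) over a constructed set of events with hypothetical hosts, users and IP addresses, and flags a service-ticket request with no preceding TGT request from that client (golden ticket or pass-the-ticket), a request for an RC4-encrypted ticket in a realm issuing AES (forged tickets built from an NT hash are RC4), and a Kerberos network logon on a host for which the KDC never issued a service ticket (silver ticket).

```python
"""Added detection example over constructed Windows Security events. Event IDs are real
(4768 TGT request, 4769 service-ticket request, 4624 logon); field names are simplified and
every host, user and address is hypothetical."""
from collections import defaultdict

AES256, RC4 = "0x12", "0x17"   # Ticket Encryption Type values as Windows logs them
WINDOW = 10 * 3600             # seconds; Active Directory's default TGT lifetime is 10 hours

# Constructed sample, ordered by time ("t" = seconds since midnight).
SAMPLE_EVENTS = [
    {"t": 32400, "id": 4768, "user": "alice", "ip": "10.0.0.5", "enc": AES256},
    {"t": 32405, "id": 4769, "user": "alice", "ip": "10.0.0.5", "svc": "cifs/fs01", "enc": AES256},
    {"t": 32405, "id": 4624, "user": "alice", "ip": "10.0.0.5", "host": "fs01", "type": 3, "auth": "Kerberos"},
    # alice's TGT used from a host that never obtained one: pass-the-ticket
    {"t": 34200, "id": 4769, "user": "alice", "ip": "10.0.0.99", "svc": "cifs/fs01", "enc": AES256},
    # no 4768 at all, and RC4 in an AES realm: classic golden ticket signature
    {"t": 36000, "id": 4769, "user": "Administrator", "ip": "10.0.0.77", "svc": "ldap/dc01", "enc": RC4},
    # Kerberos logon on fs01 with no service ticket ever issued for bob/fs01: silver ticket
    {"t": 36300, "id": 4624, "user": "bob", "ip": "10.0.0.12", "host": "fs01", "type": 3, "auth": "Kerberos"},
]

def _seen_within(times, t, window):
    """True if any recorded time falls inside [t - window, t]."""
    return any(t - window <= ts <= t for ts in times)

def detect(events, window=WINDOW):
    """Return (indicator, user, where) tuples in the order the triggering events occur."""
    findings = []
    tgt_seen = defaultdict(list)   # (user, client ip) -> times of 4768
    st_seen = defaultdict(list)    # (user, target host) -> times of 4769
    for e in events:
        key = (e["user"], e["ip"])
        if e["id"] == 4768:
            tgt_seen[key].append(e["t"])
        elif e["id"] == 4769:
            host = e["svc"].split("/", 1)[1]          # SPN is class/host
            st_seen[(e["user"], host)].append(e["t"])
            if not _seen_within(tgt_seen[key], e["t"], window):
                findings.append(("no_tgt_request", e["user"], e["ip"]))
            if e["enc"] == RC4:
                findings.append(("rc4_downgrade", e["user"], e["svc"]))
        elif e["id"] == 4624 and e.get("type") == 3 and e.get("auth") == "Kerberos":
            if not _seen_within(st_seen[(e["user"], e["host"])], e["t"], window):
                findings.append(("no_service_ticket_request", e["user"], e["host"]))
    return findings
```

Two caveats for real deployments: 4768 and 4769 are logged on the domain controller that handled the request while 4624 is logged on the member server, so the correlation only works over centrally collected logs from every DC; and TGTs issued before the collection window, TGT renewals and long maximum ticket lifetimes all produce no_tgt_request noise, so the lookback must cover the realm's maximum ticket lifetime and renewal events should be treated like 4768.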

Is Kerberos a protocol?

In our world, Kerberos is the computer network authentication protocol initially developed in the 1980s by Massachusetts Institute of Technology (MIT) computer scientists. The idea behind Kerberos is to authenticate users while preventing passwords from ever being sent over the network.

Is Kerberos a AAA protocol?

Strictly, Kerberos provides only the first "A" of the authentication, authorization and accounting (AAA) triad. The original MIT design envisaged it interfacing with separate authorization and accounting services, and tickets can carry authorization data for the service to act on (Active Directory does this with the PAC), but the authorization decision and any accounting are left to the service and to external systems, not performed by Kerberos itself.

What type of authentication is Kerberos?

Kerberos uses symmetric-key cryptography and a trusted third party, the KDC, to verify user identities. The authentication is mutual when the client requests it: the service proves to the client that it holds the service key, not only the other way round.

Is Kerberos TCP or UDP?

Kerberos traffic uses port 88. MIT clients try UDP first and retry over TCP when a reply is too large for a datagram, a common case in Active Directory where tickets carry the PAC; Windows clients since Vista use TCP by default. Firewalls between clients and the KDC must therefore allow both UDP and TCP to port 88 and the corresponding replies back, or stateless rules will drop the UDP responses from the KDC. MIT clients can be forced onto TCP with udp_preference_limit = 1 in the [libdefaults] section of krb5.conf.