Kerberos is a network authentication protocol that was created for providing secure authentication for client/server applications using secret-key cryptography. and in this post, we’re going to review how Kerberos works.
Internet is not a secure place.
Many of the protocols used on the internet does not provide any security. many of the protocols use clear text passwords which are vulnerable to sniffing. and many of the applications rely on client applications being “honest” about who they are.
Kerberos protocol was created as a solution for that problem.
Tickets as keys to access.
Kerberos was originally named after Cerberus – the three-headed dog, in Greek mythology, that guards the gates of Hades – because of the three distinct actors in the protocol:
- Client/User – An entity seeking to provide its identity.
- Application Server – The service that the client (user) wants to access.
- Key Distribution Center (KDC) – The trusted third-party that issues tickets.
In Active Directory Each Domain Controller (DC) Acts as KDC
KDC provides two types of services
- Authentication Service (AS) – Which authenticates clients and issues them tickets
- Token Granting Service (TGS) – This accepts unauthenticated clients and issues them tickets to access resources.
Kerberos Authentication Flow.
- The user requests a ticket from the Key Distribution Center and encrypts the request with its password, if KDC was able to decrypt the request with the user’s password, then KDC knows that the User sent the correct password.
- AS Generates Ticket-Granting-Ticket (TGT) and sends it back to the user.
- User Tries to access a specific resource, to prove its identity TGT is being sent to Ticket-Granting-Service (TGS).
- TGS Decrypts TGT with a secret key which is shared between AS and TGS. if decryption was successful, TGS issues a service ticket for the client and the ticket is being encrypted with another secret key which Is shared between TGS and Resource service which the user wants to access.
- The user sends this ticket to a specific resource, this ticket is decrypted with a secret key which was shared in the previous step, if decryption was successful, access is being granted.
Benefits of Kerberos.
- The plaintext password is never being sent over the network. That’s the biggest benefit of Using Kerberos.
- Single Sign in. Kerberos allows users to enter credentials only once and then continue renewing and getting tickets without asking for entering credentials.
- Both ends of the communication chain must be authenticated.
that was a review of Kerberos authentication flow, which was initially developed by MIT in the 1980s and was later refined by Microsoft for inclusion in Windows 2000 to replace NTLM – and the protocol remains Open Source.