Kerberos is a network authentication protocol that secures user access to services and applications using secret-key (symmetric) cryptography and a trusted third party, the Key Distribution Center, across client-server communications.
Because a client proves knowledge of its password without ever transmitting it, Kerberos prevents attackers on an untrusted network from capturing passwords in transit.
History of Kerberos
The authentication service was developed by the Massachusetts Institute of Technology (MIT) in the 1980s to protect the networked workstations of MIT’s Project Athena. Kerberos version 5, the version in use today, was first published as RFC 1510 in 1993 and is now specified by RFC 4120.
The name Kerberos has its origins in Greek mythology, after Cerberus, the three-headed dog who guards the underworld. Kerberos is seen to guard services/applications from unauthorized access; its three “heads” are the Client, Server, and Key Distribution Center (KDC).
Kerberos Key Terms
To understand how Kerberos authentication works in network security, it’s important to be aware of the key terms associated with Kerberos technology.
Kerberos Realm
The administrative domain within which a KDC can authenticate principals and issue tickets for services. A realm is normally named after the DNS domain it serves, written in upper case (EXAMPLE.COM for example.com), and a principal’s realm is the part of its name after the @.
Application Server
Any system in a Kerberos realm that requires client authentication to access its resources.
Principals
The entities (users, hosts and services) that hold a long-term key in the KDC’s database, each distinguished by a unique name of the form name@REALM.
Two kinds of principal name appear in practice:
- Service Principal Name (SPN): Identifies a service instance on a particular host within a realm, e.g. HTTP/web01.example.com@EXAMPLE.COM; a client asks the KDC for a ticket to this name.
- User Principal Name (UPN): Identifies a particular user within a realm, e.g. alice@EXAMPLE.COM.
Key Distribution Center (KDC)
A trusted third party that holds every principal’s long-term key and issues tickets. In Active Directory the KDC runs on every Domain Controller (DC); in MIT Kerberos it is the krb5kdc daemon.
The KDC provides two logical services:
- Authentication Server (AS): Verifies that a request comes from a known principal (with pre-authentication, one that can prove knowledge of its key) and issues Ticket Granting Tickets (TGTs).
- Ticket Granting Service (TGS): Validates a presented TGT and issues service tickets for the specific service the client asks for.
Client
The principal requesting access, typically a user (or a process acting for a user or a host) that wants to reach a service. A realm usually has many clients.
Ticket Granting Ticket (TGT)
A ticket for the KDC’s own ticket-granting service (the principal krbtgt/REALM). It carries the client principal name, a session key shared between the client and the TGS, the ticket’s start and expiry times, optional client addresses and, in Active Directory, the authorization data (PAC). The TGT is encrypted with the krbtgt key, so the client can store and present it but cannot read or alter it.
Service Ticket (ST)
A ticket for one particular service, encrypted with that service’s long-term key. It carries the client principal, a client-service session key and validity times; the client presents it to the service, together with an Authenticator, to prove who it is.
Authenticator Message
A short message the client builds for each ticket it presents, containing its principal name and the current time, encrypted with the session key from that ticket. It proves the client holds the session key, and its timestamp limits replay.
How the Kerberos Authentication Process Works
The Kerberos authentication process consists of three exchanges, each a request and a reply:
Stage 1: Client Authentication (AS exchange)
- The client sends an AS-REQ to the Authentication Server naming the user principal and the ticket-granting service it wants a ticket for. With pre-authentication (the default in Active Directory and most modern KDCs), the request also carries the current timestamp encrypted with a key derived from the user’s password.
- The AS looks the principal up in its database and decrypts the pre-authentication data with the stored key. If that succeeds and the timestamp is fresh, the user knew the password; the password itself is never transmitted.
- The user’s long-term key is known only to the user, who derives it locally from the password, and to the KDC.
- The AS replies (AS-REP) with a TGT, encrypted with the KDC’s own krbtgt key, plus a TGS session key encrypted with the user’s key. The client decrypts the session key but cannot decrypt the TGT.
Stage 2: Client Service Authorization (TGS exchange)
- The client sends a TGS-REQ containing the TGT, an Authenticator encrypted with the TGS session key, and the service principal name (SPN) it wants to reach.
- The TGS decrypts the TGT with the krbtgt key, decrypts and validates the Authenticator (principal matches the TGT, timestamp within the allowed clock skew), then replies (TGS-REP) with a service ticket encrypted with the service’s long-term key plus a new client-service session key encrypted with the TGS session key.
Stage 3: Client Service Request (AP exchange)
- The client decrypts the service session key, builds a fresh Authenticator encrypted with it, and sends the service ticket and the Authenticator to the service (AP-REQ).
- The service decrypts the ticket with its own key, decrypts the Authenticator with the session key carried in the ticket, and checks the principal, the timestamp and, via a replay cache, that this Authenticator has not been seen before. If mutual authentication was requested it replies (AP-REP) with the client’s timestamp encrypted under the session key, which only the genuine service could produce.
The AP-REP step is what gives mutual authentication: the service knows the client holds a ticket the KDC issued for it, and the client knows the service holds the key that ticket was encrypted with.
With Kerberos, passwords never cross the network, encrypted or otherwise; only tickets, authenticators and encrypted session keys do, and long-term keys stay with their owners and the KDC.
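The three exchanges above, carried through end to end as an added example. This is illustrative code written for this page, not MIT or Microsoft Kerberos: a toy KDC holds the long-term keys of a constructed user alice, the krbtgt principal and a service HTTP/web01.example.com in a made-up realm EXAMPLE.COM, and the seal/unseal functions stand in for a real encryption type with a hash-based keystream plus an HMAC tag. Principal names, the password, the ticket lifetime and the 5-minute clock-skew window are assumptions for the demo; the real ASN.1 message formats are omitted.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"  # constructed demo realm
SKEW = 300             # seconds; Kerberos tolerates 5 minutes of clock skew by default

def string_to_key(password: str, principal: str) -> bytes:
    # Stand-in for the real string-to-key function (RFC 3962 runs PBKDF2 with realm + principal as salt)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key: bytes, msg: dict) -> bytes:
    # Toy authenticated encryption (hash keystream + HMAC tag), a stand-in for a real Kerberos enctype
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, auth: dict, seen: set) -> None:
    # The checks every ticket consumer (TGS or application server) makes on a ticket + authenticator pair
    now = time.time()
    if now > ticket["end"] or abs(now - auth["timestamp"]) > SKEW:
        raise ValueError("ticket expired or authenticator outside the allowed clock skew")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator principal does not match the ticket")
    if (auth["client"], auth["timestamp"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["timestamp"]))

class KDC:  # holds every principal's long-term key and runs both the AS and the TGS
    def __init__(self, keys: dict):
        self.keys, self.seen = keys, set()
        self.tgt_key = keys["krbtgt/" + REALM]  # seals TGTs; clients never hold this key
    def _ticket(self, ticket_key: bytes, client: str, service: str):
        session = os.urandom(32).hex()
        ticket = {"client": client, "service": service, "session_key": session, "end": time.time() + 8 * 3600}
        return seal(ticket_key, ticket), session
    def as_exchange(self, client: str, preauth: bytes):
        # AS-REQ pre-authentication: a timestamp sealed with the client's key. unseal() only succeeds
        # if the requester derived the same key, i.e. knows the password.
        ts = unseal(self.keys[client], preauth)["timestamp"]
        if abs(time.time() - ts) > SKEW:
            raise ValueError("pre-authentication timestamp outside the allowed clock skew")
        tgt, session = self._ticket(self.tgt_key, client, "krbtgt/" + REALM)
        return tgt, seal(self.keys[client], {"session_key": session})  # AS-REP: opaque TGT + sealed session key
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        t = unseal(self.tgt_key, tgt)  # TGS-REQ: only the KDC can open the TGT
        tgs_session = bytes.fromhex(t["session_key"])
        check_authenticator(t, unseal(tgs_session, authenticator), self.seen)
        st, session = self._ticket(self.keys[spn], t["client"], spn)  # ST is sealed with the service's key
        return st, seal(tgs_session, {"session_key": session})  # TGS-REP

class Service:
    def __init__(self, spn: str, key: bytes):
        self.spn, self.key, self.seen = spn, key, set()
    def ap_exchange(self, st: bytes, authenticator: bytes) -> bytes:
        t = unseal(self.key, st)  # AP-REQ: only the service's own key opens tickets issued for it
        session = bytes.fromhex(t["session_key"])
        auth = unseal(session, authenticator)
        check_authenticator(t, auth, self.seen)
        return seal(session, {"timestamp": auth["timestamp"]})  # AP-REP: proves the service holds its key

def fails(action) -> bool:
    try:
        action()
        return False
    except ValueError:
        return True

def run_exchange(spn: str = "HTTP/web01.example.com") -> dict:
    client, password = "alice", "correct horse battery staple"  # constructed demo principal and password
    kdc = KDC({client: string_to_key(password, client), "krbtgt/" + REALM: os.urandom(32),
               spn: string_to_key(os.urandom(16).hex(), spn)})
    web = Service(spn, kdc.keys[spn])
    ukey = string_to_key(password, client)  # derived on the client; the password itself never goes on the wire
    # Stage 1: AS exchange -> TGT + TGS session key
    tgt, enc = kdc.as_exchange(client, seal(ukey, {"timestamp": time.time()}))
    tgs_session = bytes.fromhex(unseal(ukey, enc)["session_key"])
    # Stage 2: TGS exchange -> service ticket + service session key
    st, enc = kdc.tgs_exchange(tgt, seal(tgs_session, {"client": client, "timestamp": time.time()}), spn)
    svc_session = bytes.fromhex(unseal(tgs_session, enc)["session_key"])
    # Stage 3: AP exchange -> mutual authentication
    ts = time.time()
    ap_auth = seal(svc_session, {"client": client, "timestamp": ts})
    ap_rep = web.ap_exchange(st, ap_auth)
    bad_preauth = seal(string_to_key("wrong password", client), {"timestamp": time.time()})
    return {
        "mutual_auth_ok": unseal(svc_session, ap_rep)["timestamp"] == ts,
        "client_can_read_tgt": not fails(lambda: unseal(ukey, tgt)),     # the TGT is opaque to the client
        "replay_rejected": fails(lambda: web.ap_exchange(st, ap_auth)),  # replay cache refuses a reused AP-REQ
        "wrong_password_rejected": fails(lambda: kdc.as_exchange(client, bad_preauth)),
    }
```

run_exchange() reports which properties held: the AP-REP timestamp matched (mutual authentication), the client could not open its own TGT, a replayed AP-REQ was refused by the service’s replay cache, and a wrong password failed at the AS before any ticket was issued. The failure paths matter as much as the success path: a real KDC logs the failed pre-authentication (event 4771 in Active Directory), and a real service keeps its replay cache for at least the clock-skew window so a captured AP-REQ cannot be reused within it.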
Kerberos Uses
Kerberos implementations ship with, or are supported by, a number of operating systems and cloud platforms for verifying user accounts.
Examples include:
- Amazon Web Services (AWS)
- Google Cloud
- Microsoft Azure
- Microsoft Windows Server and Active Directory
- Apple macOS
- IBM AIX (Advanced Interactive eXecutive)
- Oracle Solaris
- Linux
- UNIX
- FreeBSD
- OpenBSD
Kerberos Benefits
Kerberos offers several benefits, such as:
- Single Sign-On (SSO): Once a user holds a TGT, the client obtains service tickets for every authorized service without prompting for the password again.
- Cryptographic protection: Tickets and authenticators are encrypted and integrity-protected with symmetric keys, and identities are vouched for by a trusted third party, so an on-path attacker can neither read credentials nor forge them.
- Mutual Authentication: The Kerberos protocol allows both the User and the Service to authenticate one another, ensuring each party is genuine.
- Access Control: Kerberos establishes who the client is, which the service uses as the basis for its authorization decision; Kerberos itself does not decide what the principal may do.
What Other Network Authentication Protocols Exist?
Microsoft New Technology LAN Manager (NTLM)
NTLM is Microsoft’s legacy challenge-response authentication suite, which predates Kerberos in Windows and is still negotiated as a fallback (for example when a client addresses a server by IP address or no SPN is registered). Its weaknesses are well known: the NT hash is an unsalted MD4 of the password, so captured hashes crack quickly offline and can be used directly in pass-the-hash attacks, and NTLM exchanges can be relayed to other servers. Microsoft has deprecated NTLM. Organizations should audit where it is still negotiated, fix those dependencies, and then disable it, since an abrupt cut-off breaks applications that still rely on it.
Lightweight Directory Access Protocol (LDAP)
LDAP is an application protocol for reading and writing directory services such as Active Directory and OpenLDAP, which store user, group and host objects.
Applications commonly use LDAP to look up a user’s groups and attributes (the inputs to authorization decisions), while Kerberos proves who the user is; the two are routinely combined, and an LDAP connection can itself be authenticated with Kerberos via a SASL/GSSAPI bind.
Security Assertion Markup Language (SAML)
SAML is an open standard for identity federation that lets a user sign in once at an identity provider and then access many web applications or web services.
SAML relies upon two parties: an identity provider (IdP) and a service provider (SP).
The IdP authenticates the user and sends the SP a signed assertion about them; the SP trusts the assertion and makes its own authorization decision.
This pairing of authentication at the IdP with authorization at the SP is what grants the user access to the SP’s services.
OAuth
OAuth 2.0 is an open standard for delegated authorization: a user grants an application scoped access to resources held by another service (a calendar API, for instance) without sharing their password with that application, and the application receives an access token limited to the scopes the user approved.
The consent step lets the user see and select which permissions the application gets, which is why OAuth is the usual choice for mobile and third-party apps.
RADIUS
RADIUS is an authentication, authorization, and accounting (AAA) protocol used to control access to network services such as Wi-Fi, VPNs and network devices.
A RADIUS server can verify user credentials against a Kerberos KDC as its back end, so network access reuses the same Kerberos passwords rather than a separate credential store.
Is Kerberos Secure?
For several decades, the Kerberos computer network security protocol has been widely adopted and regarded as a secure authentication mechanism.
For example, Kerberos has been the default authentication protocol for Active Directory domains since Windows 2000.
The protocol protects credentials in transit by encrypting and integrity-protecting every ticket and authenticator with symmetric keys, with a trusted third party vouching for identities.
Kerberos 5, the current version, supports AES-based encryption types (aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 from RFC 3962, and the SHA-2 variants from RFC 8009) to protect its messages.
AES is approved by the U.S. Government for protecting classified information.
However, Kerberos is not without its flaws, and most real-world compromises abuse the deployment rather than the protocol: service tickets encrypted with a weak service-account password can be cracked offline (Kerberoasting), accounts with pre-authentication disabled expose crackable AS-REP data (AS-REP roasting), and an attacker who obtains the krbtgt key or a service key can forge tickets (golden and silver tickets). Organizations must continuously monitor their attack surface to ensure their Kerberos implementations are not exposed to these attacks.
Its widespread deployment and long history also make the Kerberos protocol a well-studied target for attackers.
How to Mitigate Kerberos Cyber Risks
Below are some ways organizations can mitigate the cyber risks that arise from Kerberos implementations.
Use Secure Encryption Types
Older encryption types are weak and should be phased out: DES is broken outright, and RC4-HMAC derives its key directly from the unsalted NT hash of the password, which makes RC4 service tickets the cheapest to crack offline and lets a stolen hash be used to request tickets. Organizations should enable AES on every account and service, confirm that clients and services actually negotiate AES, and only then disable RC4 and DES; removing them before every dependency supports AES causes authentication failures.
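An added audit script, written for this page rather than taken from any vendor tool, that decodes Active Directory’s msDS-SupportedEncryptionTypes attribute, flags accounts that still allow DES or RC4, and computes the AES-only value to set. The bit values come from Microsoft’s MS-KILE specification; the four account records are constructed, and the LDAP filter uses the standard bitwise-AND matching rule OID so it can be pasted into a directory search to find the same accounts in a real domain.

```python
from typing import Optional

# msDS-SupportedEncryptionTypes bit flags (MS-KILE). Records below are constructed for the demo.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x01, 0x02, 0x04, 0x08, 0x10
NAMES = {DES_CBC_CRC: "des-cbc-crc", DES_CBC_MD5: "des-cbc-md5", RC4_HMAC: "rc4-hmac",
         AES128: "aes128-cts-hmac-sha1-96", AES256: "aes256-cts-hmac-sha1-96"}
KNOWN = sum(NAMES)                  # 0x1F: every bit this script understands
WEAK = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ONLY = AES128 | AES256          # 0x18 = 24: the value for an AES-only account

# LDAP filter: accounts with an SPN whose enctypes are unset or include RC4 (bitwise-AND matching rule)
RC4_SPN_FILTER = ("(&(servicePrincipalName=*)(|(!(msDS-SupportedEncryptionTypes=*))"
                  "(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)))")

def decode(value: Optional[int]) -> list:
    """Names of the enctypes a value advertises; unset or 0 means the KDC default applies."""
    if not value:
        return ["<unset: KDC default applies>"]
    names = [name for bit, name in NAMES.items() if value & bit]
    return names + (["<unknown bits>"] if value & ~KNOWN else [])

def hardened_value(value: Optional[int]) -> int:
    """Drop the DES and RC4 bits; if no AES bit remains, advertise both AES types."""
    kept = (value or 0) & KNOWN & ~WEAK
    return kept if kept & AES_ONLY else AES_ONLY

def audit(accounts: list) -> list:
    """One finding per account that still allows (or defaults to) a weak enctype."""
    findings = []
    for acct in accounts:
        value = acct.get("msDS-SupportedEncryptionTypes")
        if value and not value & WEAK:
            continue                                   # already restricted to strong types
        reasons = []
        if not value:
            reasons.append("enctypes unset, so the KDC default applies (historically RC4)")
        else:
            reasons.append("allows " + ", ".join(n for b, n in NAMES.items() if value & b & WEAK))
        if acct.get("servicePrincipalName") and (not value or value & RC4_HMAC):
            reasons.append("has an SPN: RC4 service tickets are keyed on the NT hash and are the cheapest to crack offline")
        findings.append({"account": acct["sAMAccountName"], "current": value,
                         "set_to": hardened_value(value), "reasons": reasons})
    return findings

SAMPLE_ACCOUNTS = [  # constructed directory records, not exported from a real domain
    {"sAMAccountName": "svc-sql", "servicePrincipalName": ["MSSQLSvc/db01.example.com:1433"],
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "svc-web", "servicePrincipalName": ["HTTP/web01.example.com"],
     "msDS-SupportedEncryptionTypes": 0x1C},        # RC4 + AES128 + AES256: RC4 still offered
    {"sAMAccountName": "alice", "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "legacy-box$", "servicePrincipalName": ["HOST/legacy.example.com"],
     "msDS-SupportedEncryptionTypes": 0x07},        # DES + RC4 only: no AES keys advertised
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f['account']}: {decode(f['current'])} -> 0x{f['set_to']:02x} | " + "; ".join(f["reasons"]))
```

Before writing the hardened value, confirm the account actually has AES keys: Active Directory derives them when the password is set, so a service account whose password predates AES support needs one password reset first, and every client of that service must support AES. Then check on a client with klist that its tickets show an AES KerbTicket Encryption Type before removing RC4 from the domain controllers. On MIT Kerberos the equivalent controls are the permitted_enctypes setting in krb5.conf and the key types stored for each principal in the KDC database.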
Remediate Software Vulnerabilities
Attackers quickly exploit software weaknesses, including zero-day vulnerabilities, to run malicious code, cause data breaches, and carry out other attacks, so KDCs, domain controllers and Kerberos client libraries must be kept patched.
Organizations can track published Kerberos vulnerabilities through the Common Vulnerabilities and Exposures (CVE) list.
Security teams can also use an attack surface management platform to identify exposed, unpatched systems continuously and remediate them before sensitive data is compromised.
Strengthen Passwords
Weak passwords, such as birthdates or first names, are among the top causes of data breaches. In Kerberos they matter most for service accounts, because anyone holding a valid TGT can request a service ticket and try to crack the service’s password offline. Use long random passwords for service accounts (or Group Managed Service Accounts in Active Directory, which rotate them automatically) and enforce length and complexity for users; MIT publishes password guidance for Kerberos users covering length, character types and case requirements.
Adopt the Principle of Least Privilege
Data breaches and other serious security incidents don’t occur only at the hands of external attackers. Insider threats are increasingly common, so organizations must also look inward when developing an information security policy.
To minimize the risk of insider threats, organizations should adopt the principle of least privilege. This concept is an effective internal security mechanism that limits the access rights of users, accounts, and computing processes to only those necessary to perform the job. It also gives administrators clearer visibility into who is accessing what, and limits how far a compromised account or stolen ticket can be abused.