What is Kerberos authentication, and how does it work?

Kerberos is a protocol designed to authenticate service requests between trusted hosts operating over an untrusted network. It offers a secure method of verifying the identities of users and services in a networked environment. Kerberos support is integrated into leading computer operating systems, including Microsoft Windows, Apple macOS, FreeBSD, and Linux, ensuring widespread adoption and compatibility.

If you need a more secure way to store your user data and protect your system, Kerberos could be just a solution for you. Kerberos works as an automatic gate between users and the internet. Due to its design, it helps ensure that the right users get in but prevents attackers from sneaking past it.

Since it was designed as an authentication and authorization system, that’s what Kerberos does best. It ensures that the users on the network are who they say they are. It also helps with authorization granting access to a service. We’ll look at how Kerberos works in the next part.

At its core, Kerberos uses strong encryption to protect the client authentication process and the subsequent communication as well as uses third-party authorization to confirm user identities.

The key distribution center (KDC), which includes the authentication server (AS) and the ticket granting server (TGS), is the central authentication server in the Kerberos system. The AS verifies the client’s identity by checking the client’s username in its Kerberos database, and the TGS grants a ticket that proves the client’s identity and is used to request service tickets from the TGS.

Here’s how it works:

1. The client at the client network address initiates the authentication process by sending an authentication request to the KDC.
2. The AS checks the client’s username in its database and sends a Ticket Granting Ticket (TGT) and session key encrypted with the client’s private key.
3. The client requests a service ticket from the TGS by including the TGT received from the AS.
4. The TGS verifies the client’s identity using the TGT and generates a service ticket encrypted with a service session key specific to the user and requested service.
5. The client presents the service ticket to the application server, requesting access to the desired service.
6. The application server validates the service ticket, confirms the client’s identity, and grants access to the requested service.

Kerberos is widely used to authenticate users seeking access to network resources, often in large networks of companies such as AWS, Google Cloud, and Microsoft Azure to facilitate SSO. Kerberos is supported by Windows, macOS, Linux, FreeBSD, Microsoft’s Active Directory, and various browsers and database systems.

Despite being created 40+ years ago, Kerberos has still plenty of advantages network administrators can benefit from:

• 

  Strong security. The cryptography Kerberos uses provides strong authentication mechanisms and ensures that only trusted users can access the network.
• 

  Mutual authentication. Mutual authentication means that both the client and the server authenticate each other. Two-way verification helps establish trust between both parties and reduce the risk of man-in-the-middle attacks.
• 

  Access control. It provides an easy way to control who can and cannot enter the network and log their actions inside it.
• 

  Time-sensitive tickets. KDC-issued tickets have an encrypted timestamp, allowing fine-grain access permissions and minimizing the exposure of sensitive credentials.
• 

  SSO. Users don’t need to re-enter their credentials after authenticating once. As a result, they can work efficiently and seamlessly access various resources across the network.

Despite its numerous advantages, Kerberos also has a few flaws:

• 

  Complexity. The Kerberos setup process requires advanced technical knowledge and requires significant time to complete. At the same time, small missing details in the process can create additional system vulnerabilities.
• 

  Centralized authentication. Kerberos works through a centralized server. As such, centralization can lead to a single point of failure and a potential performance bottleneck.
• 

  Token-based authentication. Due to the strict time-limit requirements based on Kerberos’ ticketing system, improper configuration can lead to frequent disconnections, and interruptions.

Kerberos is likely the most popular authentication protocol, but it’s not the only one. Let’s look at the main differences between Kerberos and other network authentication protocols.

Microsoft’s NTLM is considered to be less secure and offers fewer capabilities than Kerberos. However, it is still supported to maintain SSO services in Active Directory domains. While Kerberos relies on a ticketing system, NTLM uses a challenge-response approach to authentication, a protocol where one entity poses a question and the other provides a response to validate their identity.

LDAP is a protocol used for accessing and managing directory services, such as read, write, and modify directory data. It does not handle authentication directly like Kerberos. To be used in authentication, LDAP has to rely on other authentication mechanisms. Kerberos and LDAP can work together with the former handling access, while the latter helping store user accounts and directory information.

The primary function of RADIUS is to provide authentication, authorization, and accounting in remote network access cases, such as dial-up, VPN, and wireless networks. It provides a centralized authentication and access control mechanism for remote users connecting to the network unlike Kerberos, which is used in enterprise environments to establish secure authentication. Also, while Kerberos uses symmetric key cryptography, RADIUS relies on the client-server model.

Due to its popularity, Kerberos vulnerabilities are easier to uncover by both hackers and researchers. That’s why it’s important to keep Kerberos systems up to date. Some of the most common attacks against Kerberos are:

• Kerberoasting. This attack takes advantage of weak and easily guessable passwords.
• Pass-the-ticket. This cyberattack involves hackers intercepting a valid Kerberos ticket and passing it to gain access to the system.
• Credential stuffing. While Kerberos uses ticket-based authentication, it is not immune to certain types of credential stuffing attacks exploiting weak or reused passwords.
• Golden ticket attack. An attacker gains access to the domain controller’s long-term secret key. With this key, they can forge a ticket and gain extensive control and access across the network.
• Silver ticket attack. An attacker obtains a ticket for a specific service by forging a valid server request. That ticket enables hackers to impersonate the targeted service and gain unauthorized access to resources associated with that service.

Kerberos is not outdated. While it was developed in the 1980s, the world’s largest companies such as Microsoft and Apple still trust it with their biggest projects. The main source of trust of these companies likely comes from Kerberos’ strong cryptography.