Kerberos Authentication

Traditionally, when users access computer systems, they do so by entering a password. The challenge with this authentication method is that if hackers obtain the password, they can take on the user's identity and gain access to an organization's network. Organizations need a better way to protect their systems and users. This is where Kerberos comes in. 

A Kerberos is a system or router that provides a gateway between users and the internet. Therefore, it helps prevent cyber attackers from entering a private network. It is a server, referred to as an “intermediary” because it goes between end-users and the web pages they visit online.

In mythology, Kerberos (also known as Cerberus) is a large, three-headed dog that guards the gates to the underworld to keep souls from escaping. In our world, Kerberos is the computer network authentication protocol initially developed in the 1980s by Massachusetts Institute of Technology (MIT) computer scientists. The idea behind Kerberos is to authenticate users while preventing passwords from being sent over the internet. 

Kerberos emerged at the same time as Domain Name System (DNS)—1983—so it has been around for a while. Originally, it was designed for MIT's educational project called Project Athena, but today, it supports a large breadth of function, including single sign-on (SSO) implementations, and serves as the go-to authentication protocol for websites. Many popular operating systems, including Windows, have Kerberos built in. Kerberos is a widely used service that, like DNS, most users are not even aware they are using. 

Kerberos is a credible security solution for four main reasons: 

Kerberos has been in use for a while, which in terms of security, says a lot about its effectiveness.

Kerberos meets the requirements of modern distributed systems. It enables secure authentication within open environments with insecure communication links.

The sound, well-designed architectural foundations of Kerberos allow it to evolve and integrate with other systems. 

Kerberos is already integrated into popular operating systems and software applications and has become a critical component of IT infrastructure. It is the default authorization technology in Microsoft Windows. It uses third-party ticket authorization and strong cryptography to make it harder for hackers to gain access to a corporate network. With Kerberos, organizations can access the internet without having to worry about compromising their safety. 

The Kerberos protocol flow involves three secret keys: client/user hash, TGS secret key, and SS secret key. The basic protocol flow steps are as follows:

1. Initial Client Authentication Request - The protocol flow starts with the client logging in to the domain. In this step, the user asks for the TGT or authentication token from the AS. The TGT request is sent to the Kerberos KDC. 
2.  Verification of Client Credentials - The KDC must verify the user's credentials to send an encrypted session key and TGT. The AS checks for the TGS's and client's availability in the database. If both values are found, the AS generates the secret key. It also creates a session key (SK1) that is encrypted by the user's secret key and a TGT with the client network address, identification (ID), timestamp, lifetime, and SK1. Then, the TGS secret key encrypts the ticket. 
3. Message Decryption - The client uses the client/user hash or secret key to extract the TGT and SK1 and decrypt the message, then generates the authenticator that validates the TGS. 
4. Request for Access Using the TGT - The client then requests a ticket from the SS by sending the authenticator and the extracted TGT to the TGS.
5. Creation of Ticket for the File Server - The TGS secret key is used to decrypt the TGT from the client and extract the SK1. TGS also decrypts the authenticator and verifies that it matches the network address and the client ID, and ensures that the TGT is not expired by using an extracted timestamp. If all checks are done successfully, the KDC will generate a shared service session key (SK2) for the target server and the client. The KDC then creates a service ticket with the client network address, ID, timestamp, and SK2. This ticket will be encrypted with the server's secret key, and the client will receive the service ticket and SK2, which will be encrypted with the SK1.
6. Authentication Using the File Ticket - The client then uses the file ticket to authenticate by decrypting the message with SK1 and extracting SK2. Doing so will generate another authenticator, encrypted with SK2, that includes the client ID, network address, and timestamp. The client then sends a service ticket along with the new authenticator to the target server.
7. Decryption and Authentication of the Target Server - As the final step in the Kerberos protocol, the target server then decrypts the service ticket and extracts the SK2 using the server's secret key. SK2 decrypts the authenticator, and checks are performed to ensure that the client network address and ID from the service ticket and the authenticator match. After all checks are made and met, the client will receive a message from the server stating that the server and the client have authenticated each other. 

Kerberos may have been around for decades, but that does not mean it is obsolete. In fact, it is still a proven and effective security access protocol even though cyberattackers have been able to crack it. One of the major advantages of Kerberos is that it uses strong encryption to protect authentication tickets and passwords. 

The bottom line is that Kerberos is here to stay, and there are no replacements in the immediate future. The majority of today's security advancements are meant to protect passwords or provide a different method for validating an identity. Kerberos remains the back-end technology in these solutions. It is still an effective and usable solution in the connected workplace because of SSO, which lets users prove their identity just once to access multiple applications. 

Cyber crime is an unfortunate byproduct of interconnectivity in a digital-first world. No business is exempt from the risk of attacks, but deploying effective cybersecurity strategies will help mitigate the risk. Kerberos is one of the best security access protocols available for reducing cyberattack incidence rates and in helping an organization protect its assets.

The Fortinet FortiWeb solution can be configured to use the Kerberos protocol for authentication delegation. FortiWeb uses Kerberos to provide previously authenticated clients with access to web applications. The product supports two types of Kerberos authentication: 

FortiWeb verifies the user's secure sockets layer (SSL) certificate using the certificate authority (CA) specified in a server pool member configuration or server policy. FortiWeb will then obtain the Kerberos service ticket to allow the client access to the specified web application.

Users enter a username and password in a Hypertext Markup Language (HTML) authentication form. FortiWeb then gets a Kerberos service ticket for the client to allow access to the specified web application.