
Kerberos Authentication

Traditionally, when users access computer systems, they do so by entering a password. The challenge with this authentication method is that if hackers obtain the password, they can take on the user's identity and gain access to an organization's network. Organizations need a better way to protect their systems and users. This is where Kerberos comes in. 

Kerberos technology provides authentication of service requests between two or more hosts in open, distributed networks. It uses a trusted third party and cryptography to verify user identities and authenticate client-server applications.

What Is Kerberos?

In mythology, Kerberos (also known as Cerberus) is a large, three-headed dog that guards the gates to the underworld to keep souls from escaping. In our world, Kerberos is the computer network authentication protocol initially developed in the 1980s by Massachusetts Institute of Technology (MIT) computer scientists. The idea behind Kerberos is to authenticate users while preventing passwords from being sent over the internet. 

Kerberos emerged at the same time as Domain Name System (DNS)—1983—so it has been around for a while. Originally, it was designed for MIT's educational project called Project Athena, but today, it supports a broad range of functions, including single sign-on (SSO) implementations, and serves as the go-to authentication protocol for websites. Many popular operating systems, including Windows, have Kerberos built in. Kerberos is a widely used service that, like DNS, most users are not even aware they are using. 

Kerberos is a credible security solution for four main reasons: 

It Is Mature

Kerberos has been in use for a long time, which, in terms of security, says a lot about its effectiveness.

It Meets Modern Distributed System Requirements

Kerberos meets the requirements of modern distributed systems. It enables secure authentication within open environments with insecure communication links.

It Is Architecturally Sound

The sound, well-designed architectural foundations of Kerberos allow it to evolve and integrate with other systems. 

It Is Integrated Into Popular Operating Systems

Kerberos is already integrated into popular operating systems and software applications and has become a critical component of IT infrastructure. It is the default authorization technology in Microsoft Windows. It uses third-party ticket authorization and strong cryptography to make it harder for hackers to gain access to a corporate network. With Kerberos, organizations can access the internet without having to worry about compromising their safety. 

How Does Kerberos Authentication Work?

Kerberos provides a credible security solution for businesses of all sizes. But how does Kerberos authentication work, exactly? 

Kerberos uses symmetric key cryptography and a key distribution center (KDC) to authenticate and verify user identities. A KDC involves three aspects:

  1. A ticket-granting server (TGS) that connects the user with the service server (SS)
  2. A Kerberos database that stores the password and identification of all verified users 
  3. An authentication server (AS) that performs the initial authentication 

During authentication, Kerberos stores the specific ticket for each session on the end-user's device. Instead of a password, a Kerberos-aware service looks for this ticket. Kerberos authentication takes place in a Kerberos realm, an environment in which a KDC is authorized to authenticate a service, host, or user. 

Kerberos authentication is a multistep process that consists of the following components: 

  1. The client who initiates the need for a service request on the user's behalf 
  2. The server, which hosts the service that the user needs access to
  3. The AS, which performs client authentication. If authentication is successful, the client is issued a ticket-granting ticket (TGT) or user authentication token, which is proof that the client has been authenticated. 
  4. The KDC and its three components: the AS, the TGS, and the Kerberos database
  5. The TGS application that issues service tickets 

Benefits of Kerberos Authentication

There are some key advantages to using Kerberos as an authentication service.

Access Control

The Kerberos authentication protocol enables effective access control. Users benefit from a single point for keeping track of all logins and the enforcement of security policies. 

Mutual Authentication

Kerberos authentication allows service systems and users to authenticate each other. During all steps of the process, the user and the server will know that the counterparts that they are interacting with are authentic.

Limited Ticket Lifetime

Each ticket in Kerberos has timestamps and lifetime data, and the duration of authentication is controlled by admins. 

Reusable Authentication

Kerberos authentication is durable and reusable. Each user will only have to be verified by the system once. Then throughout the lifetime of the ticket, the user can authenticate without the need to reenter personal information. 

Security

Multiple secret keys, third-party authorization, and cryptography make Kerberos a secure verification protocol. Passwords are not sent over the networks, and secret keys are encrypted, making it difficult for attackers to impersonate users or services. 

What Are the Weaknesses of Kerberos?

Kerberos is an effective method for managing security threats. However, there are some challenges. Some of the more prevalent weaknesses include:

Single Point of Failure

Kerberos depends on the KDC being continuously available. If the KDC is down or unreachable, no new users can log in and no new service tickets can be issued, so the KDC must be made highly available (for example, with replica KDCs) and protected accordingly. 

Each Network Service Needs a Set of Kerberos Keys

Network services that require different hostnames will need their own set of Kerberos keys, which can present challenges with cluster and virtual hosting. 

Strict Time Requirements

The clocks of all participating hosts must be synchronized within a predefined tolerance. Otherwise, authentication fails, because tickets and authenticators carry timestamps and are only valid for a limited window. 

An Overview of the Kerberos Protocol Flow

The Kerberos protocol flow involves three secret keys: client/user hash, TGS secret key, and SS secret key. The basic protocol flow steps are as follows:

  1. Initial Client Authentication Request - The protocol flow starts with the client logging in to the domain. In this step, the user asks for the TGT or authentication token from the AS. The TGT request is sent to the Kerberos KDC. 
  2. Verification of Client Credentials - The KDC must verify the user's credentials before it sends back an encrypted session key and TGT. The AS checks that both the client and the TGS exist in the database. If both are found, the AS generates the secret key. It also creates a session key (SK1), encrypted with the user's secret key, and a TGT containing the client network address, identification (ID), timestamp, lifetime, and SK1. The TGT is then encrypted with the TGS secret key. 
  3. Message Decryption - The client uses the client/user hash or secret key to extract the TGT and SK1 and decrypt the message, then generates the authenticator that validates the TGS. 
  4. Request for Access Using the TGT - The client then requests a ticket from the SS by sending the authenticator and the extracted TGT to the TGS.
  5. Creation of Ticket for the File Server - The TGS secret key is used to decrypt the TGT from the client and extract the SK1. TGS also decrypts the authenticator and verifies that it matches the network address and the client ID, and ensures that the TGT is not expired by using an extracted timestamp. If all checks are done successfully, the KDC will generate a shared service session key (SK2) for the target server and the client. The KDC then creates a service ticket with the client network address, ID, timestamp, and SK2. This ticket will be encrypted with the server's secret key, and the client will receive the service ticket and SK2, which will be encrypted with the SK1.
  6. Authentication Using the File Ticket - The client then uses the file ticket to authenticate by decrypting the message with SK1 and extracting SK2. The client then generates another authenticator, encrypted with SK2, that includes the client ID, network address, and timestamp, and sends the service ticket along with the new authenticator to the target server.
  7. Decryption and Authentication of the Target Server - As the final step in the Kerberos protocol, the target server then decrypts the service ticket and extracts the SK2 using the server's secret key. SK2 decrypts the authenticator, and checks are performed to ensure that the client network address and ID from the service ticket and the authenticator match. After all checks are made and met, the client will receive a message from the server stating that the server and the client have authenticated each other. 
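The following script walks through the seven steps above end to end, covering the KDC components (AS, TGS, database) and the three secret keys (client/user hash, TGS key, SS key), including the timestamp and expiry checks behind the "Strict Time Requirements" weakness. It is an added example, not code from this page, from MIT Kerberos, or from any Fortinet product. The "encryption" is a stand-in built from the Python standard library (an HMAC-SHA256 keystream plus an HMAC tag) so that it runs offline; real Kerberos uses AES-based encryption types. The realm name, principals, passwords, addresses, timestamps and the 5-minute skew limit are constructed.

```python
"""Toy simulation of the Kerberos AS exchange, TGS exchange and service authentication.
Added example; not from the page, MIT Kerberos or Fortinet. All values are constructed."""
import hashlib
import hmac
import json
import os

SKEW = 300          # max accepted clock difference, seconds (assumption: MIT default is 5 min)
LIFETIME = 36000    # ticket lifetime, seconds (constructed: 10 hours)


def derive_key(password: str, salt: str) -> bytes:
    """The 'client/user hash': a long-term key derived from the password (toy string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON message (encrypt-then-MAC)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); raises ValueError when the key is wrong or the data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check(ticket: dict, auth: dict, now: int) -> None:
    """Checks shared by steps 5 and 7: identity, address, authenticator freshness, ticket expiry."""
    if auth["client"] != ticket["client"] or auth["addr"] != ticket["addr"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("clock skew exceeds limit")      # 'Strict Time Requirements'
    if now > ticket["issued"] + ticket["lifetime"]:
        raise PermissionError("ticket expired")                 # 'Limited Ticket Lifetime'


class KDC:
    """AS, TGS and the Kerberos database in one object; the TGS key is the 'krbtgt' entry."""

    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}                                  # principal -> long-term key

    def register(self, principal: str, password: str) -> None:
        self.db[principal] = derive_key(password, self.realm + principal)

    def as_exchange(self, client: str, addr: str, now: int):
        """Steps 1-2: return SK1 sealed under the client key and a TGT sealed under the TGS key."""
        if client not in self.db or "krbtgt" not in self.db:
            raise KeyError("client or TGS not found in Kerberos database")
        sk1 = os.urandom(32).hex()
        tgt = seal(self.db["krbtgt"], {"client": client, "addr": addr, "issued": now,
                                       "lifetime": LIFETIME, "sk1": sk1})
        return seal(self.db[client], {"sk1": sk1}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """Steps 4-5: validate TGT + authenticator, mint SK2 and a ticket under the SS key."""
        t = unseal(self.db["krbtgt"], tgt)
        sk1 = bytes.fromhex(t["sk1"])
        _check(t, unseal(sk1, authenticator), now)
        sk2 = os.urandom(32).hex()
        st = seal(self.db[service], {"client": t["client"], "addr": t["addr"],
                                     "issued": now, "lifetime": LIFETIME, "sk2": sk2})
        return seal(sk1, {"sk2": sk2}), st


class Service:
    """The service server (SS); it holds only its own long-term key."""

    def __init__(self, principal: str, key: bytes):
        self.principal, self.key = principal, key

    def accept(self, service_ticket: bytes, authenticator: bytes, now: int) -> bytes:
        """Step 7: decrypt ticket with the SS key, verify, then reply under SK2 (mutual auth)."""
        t = unseal(self.key, service_ticket)
        sk2 = bytes.fromhex(t["sk2"])
        auth = unseal(sk2, authenticator)
        _check(t, auth, now)
        return seal(sk2, {"server": self.principal, "ts": auth["ts"]})


def login_and_access(kdc: KDC, service: Service, client: str, password: str,
                     addr: str, now: int, client_clock_offset: int = 0) -> dict:
    """Client side of all seven steps; returns the server's decrypted mutual-auth reply."""
    client_key = derive_key(password, kdc.realm + client)
    enc_sk1, tgt = kdc.as_exchange(client, addr, now)
    sk1 = bytes.fromhex(unseal(client_key, enc_sk1)["sk1"])     # step 3: wrong password fails here
    auth1 = seal(sk1, {"client": client, "addr": addr, "ts": now + client_clock_offset})
    enc_sk2, st = kdc.tgs_exchange(tgt, auth1, service.principal, now)
    sk2 = bytes.fromhex(unseal(sk1, enc_sk2)["sk2"])            # step 6
    auth2 = seal(sk2, {"client": client, "addr": addr, "ts": now + client_clock_offset})
    return unseal(sk2, service.accept(st, auth2, now))          # step 7


def build_realm():
    """Constructed realm with the TGS principal, one user and one file server."""
    kdc = KDC("EXAMPLE.TEST")
    kdc.register("krbtgt", "tgs-long-term-secret")
    kdc.register("alice", "correct horse battery staple")
    kdc.register("host/fs.example.test", "file-server-secret")
    return kdc, Service("host/fs.example.test", kdc.db["host/fs.example.test"])


if __name__ == "__main__":
    kdc, svc = build_realm()
    print(login_and_access(kdc, svc, "alice", "correct horse battery staple", "10.0.0.5", 1_700_000_000))
```

Two things worth noticing when running it: the password never leaves the client (a wrong password only shows up as a failed decryption of the AS reply in step 3), and a client clock that is off by more than the skew limit is rejected by the TGS even though the password was right, which is exactly the failure mode the "Strict Time Requirements" section describes.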

Can Kerberos Be Hacked?

Kerberos, like any other security model, is not 100% invulnerable. Because Kerberos is a widely used authentication protocol, hackers have found ways to get around it. The majority of these hacks include forged tickets, encryption downgrading malware, and guessing passwords. Sometimes, hackers will use each of these methods to breach the system. 

These are the most common methods used to hack Kerberos.

Pass the Ticket

With this method, an attacker forges the session key and uses fake credentials. Hackers will forge a golden or silver ticket to gain either domain access or access to a service. 

Credential Stuffing or Brute Force

This is an automated and continued attempt at guessing a user's password. The majority of these attacks will target the ticket-granting and initial ticketing service.

Encryption Downgrade

An encryption downgrade is performed with skeleton key malware, a type of malware that bypasses Kerberos if the cyberattacker has admin access.

DC Shadow Attack

This attack takes place when hackers get the access needed to set up their own domain controller (DC) to be used for further infiltration. 
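From the defender's side, two of the methods listed above leave recognizable traces in domain controller logs: password guessing produces bursts of Kerberos pre-authentication failures, and an encryption downgrade shows up as tickets issued with a weaker encryption type than the account normally uses. The script below is an added detection sketch, not code from this page or from Fortinet. The records are constructed to mimic Windows Security log fields (event 4771 = Kerberos pre-authentication failed, event 4769 = service ticket requested, TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256); the thresholds, the AES-capable service inventory and the sample values are assumptions.

```python
"""Detection sketch for Kerberos password guessing and encryption downgrade.
Added example; records below are constructed, not real logs."""
from collections import defaultdict

# Constructed events shaped like Windows Security log entries (ts = seconds).
EVENTS = [
    {"ts": 100, "id": 4771, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5"},
    {"ts": 105, "id": 4771, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5"},
    {"ts": 110, "id": 4771, "TargetUserName": "akim", "IpAddress": "10.0.0.5"},
    {"ts": 112, "id": 4771, "TargetUserName": "bwong", "IpAddress": "10.0.0.5"},
    {"ts": 115, "id": 4771, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5"},
    {"ts": 118, "id": 4771, "TargetUserName": "cdoe", "IpAddress": "10.0.0.5"},
    {"ts": 400, "id": 4771, "TargetUserName": "jsmith", "IpAddress": "10.0.0.9"},
    {"ts": 200, "id": 4769, "TargetUserName": "jsmith", "ServiceName": "MSSQLSvc/db01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"ts": 210, "id": 4769, "TargetUserName": "jsmith", "ServiceName": "MSSQLSvc/db01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"ts": 220, "id": 4769, "TargetUserName": "akim", "ServiceName": "HTTP/legacy01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.7"},
]

# Assumption: an inventory of service accounts known to hold AES keys. A ticket for
# one of these issued with RC4 is unexpected; legacy RC4-only services are not listed
# so they do not generate noise.
AES_CAPABLE_SERVICES = {"MSSQLSvc/db01"}
RC4_HMAC = "0x17"


def detect_bruteforce(events, threshold=5, window=60):
    """Return {source_ip: max failures seen in any `window`-second span} for IPs that
    reach `threshold` pre-auth failures (event 4771), regardless of target account."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4771:
            by_ip[e["IpAddress"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_rc4_downgrade(events, aes_capable=AES_CAPABLE_SERVICES):
    """Return (user, service, ip) for service tickets (event 4769) issued with RC4
    to a service that is known to support AES."""
    return [
        (e["TargetUserName"], e["ServiceName"], e["IpAddress"])
        for e in events
        if e["id"] == 4769
        and e.get("TicketEncryptionType") == RC4_HMAC
        and e.get("ServiceName") in aes_capable
    ]


if __name__ == "__main__":
    print("password guessing sources:", detect_bruteforce(EVENTS))
    print("unexpected RC4 tickets:", detect_rc4_downgrade(EVENTS))
```

Counting failures per source address rather than per account is deliberate: a credential-stuffing run spreads a few guesses across many users, so a per-account lockout threshold is never reached while the per-source count climbs quickly. The downgrade check depends on the inventory being accurate; without it, every legacy service that only has RC4 keys would be flagged.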

Is Kerberos Obsolete?

Kerberos may have been around for decades, but that does not mean it is obsolete. In fact, it is still a proven and effective security access protocol even though cyberattackers have been able to crack it. One of the major advantages of Kerberos is that it uses strong encryption to protect authentication tickets and passwords. 

The bottom line is that Kerberos is here to stay, and there are no replacements in the immediate future. The majority of today's security advancements are meant to protect passwords or provide a different method for validating an identity. Kerberos remains the back-end technology in these solutions. It is still an effective and usable solution in the connected workplace because of SSO, which lets users prove their identity just once to access multiple applications. 

How Fortinet Can Help

Cyber crime is an unfortunate byproduct of interconnectivity in a digital-first world. No business is exempt from the risk of attacks, but deploying effective cybersecurity strategies will help mitigate the risk. Kerberos is one of the best security access protocols available for reducing cyberattack incidence rates and in helping an organization protect its assets.

The Fortinet FortiWeb solution can be configured to use the Kerberos protocol for authentication delegation. FortiWeb uses Kerberos to provide previously authenticated clients with access to web applications. The product supports two types of Kerberos authentication: 

Kerberos Constrained Delegation

FortiWeb verifies the user's secure sockets layer (SSL) certificate using the certificate authority (CA) specified in a server pool member configuration or server policy. FortiWeb will then obtain the Kerberos service ticket to allow the client access to the specified web application.

Regular Kerberos Delegation

Users enter a username and password in a Hypertext Markup Language (HTML) authentication form. FortiWeb then gets a Kerberos service ticket for the client to allow access to the specified web application.
