Part 1 - Basics, meaning and purpose
The Kerberos protocol is a network authentication protocol developed at MIT, the Massachusetts Institute of Technology, in the 1980s as a more secure alternative to sending user names and passwords to machines and services over insecure networks. Kerberos itself only authenticates, i.e. it establishes who a user is; whether that user may use a given service is still decided by the service.
Kerberos is now mainly associated with its Windows (Active Directory) implementation, but it is also supported by numerous Unix and Unix-like systems, including FreeBSD, macOS, Red Hat Enterprise Linux and HP's HP-UX. Kerberos is also increasingly used in embedded systems (e.g. Cisco IOS or IoT devices). There are five major implementations in total:
- MIT Kerberos
- Heimdal
- GNU Shishi
- Microsoft's Active Directory Kerberos
- Sun's Java implementation (now part of the JDK)
MIT Kerberos, Heimdal and GNU Shishi are released under free licenses.
Kerberos - meaning and purpose
Authentication by means of a password has two problems in particular. The first is that anyone who knows your password can effectively impersonate you, i.e. steal your identity, and thus cause damage to you and your organization, for example by:
- stealing information
- spreading malware (such as the Emotet loader, ransomware or keyloggers)
- infecting other devices in order to use them for phishing
- sending spam
- carrying out DDoS attacks
To protect against such attacks, it is recommended not only to use the Kerberos protocol but also to perform penetration tests to detect existing vulnerabilities in your systems. Note that Kerberos does not help once the password itself is known: whoever knows it can obtain tickets in your name.
The second problem is the human factor: as the number of password-protected logins grows, people tend to reuse the same password or slight variations of it (unless they use a password manager). If someone obtains one of these passwords, for example through a man-in-the-middle attack, they can potentially authenticate successfully at several other places with the same password or a variation of it (keyword: credential stuffing).
To make authentication on the network more secure, it must be ensured that the password (or passwords) is not transmitted over the network again and again, where it could simply be recorded. At the same time, a user must be able to authenticate to every service and every machine they are authorized to use.
Kerberos solves the problem of insecure password transmission by introducing a trusted third party in the network, the KDC, which issues encrypted tickets. KDC stands for Key Distribution Center and effectively consists of two services, which may run on one or more servers: the Authentication Server (AS) and the Ticket Granting Server (TGS), referred to below as the Service Server (SS). The Authentication Server checks whether the requester is a legitimate principal of the realm (a known user, machine or service account). The Service Server in turn issues the tickets that grant permission to use the requested service.
In simplified terms, the initial communication in a Kerberos environment runs as follows:
In a scenario with a user (A), a file server (B), and the KDC with its Authentication Server (KAS) and Service Server (KSS), (A) wants to access the files shared by (B).
To do this, (A) first contacts the (KAS) with its ID (principal name) and, as pre-authentication, a current timestamp encrypted with a key derived from its password. It is important to note that the password itself is never transmitted over the network, only data encrypted with the key derived from it. The (KAS) decrypts this data with its stored copy of the key; if the decryption succeeds and the timestamp is current, (A) has proven knowledge of the password.
After the (KAS) has successfully verified (A), it sends back a ticket, the so-called Ticket Granting Ticket (TGT), which is encrypted with the key of the (KSS) (in Active Directory, the key of the krbtgt account), so that (A) can neither read nor modify it, together with a session key encrypted with (A)'s own key.
(A) now sends this TGT, together with an authenticator encrypted with the session key and its request to use the file share of (B), to the (KSS), which decrypts the TGT with the key it shares with the (KAS).
After this, the (KSS) sends back a service ticket for (B) to (A), encrypted with the long-term key of (B). (A) presents this ticket to (B), which decrypts it with the key it shares with the (KSS) and thus lets (A) access the file share for the validity period stated in the ticket. The ticket only tells (B) who (A) is; whether (A) may read or write particular files is still decided by (B)'s own access control.
In this way Kerberos ensures, on the one hand, that the password is not transmitted and, on the other hand, that the user does not have to log in again on devices and services that support Kerberos as long as the TGT has not expired and they do not change workstations. In short: Kerberos enables Single Sign-On (SSO), because with a valid TGT no further communication with the Authentication Server is needed to obtain further service tickets from the Service Server (SS).
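The three exchanges described above (AS, TGS and AP), as an added example in Python that is not code from the original article. The realm, principal names and password are constructed, and the HMAC-SHA256 keystream-plus-MAC cipher is a stand-in for real Kerberos encryption types such as aes256-cts-hmac-sha1-96 (real messages are also ASN.1, not JSON). What the block makes visible is who can open what: the client never sees the inside of its TGT, the file server only opens tickets sealed with its own key, and a wrong password fails at pre-authentication without the password ever leaving the client.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (added example, not the
article's code). encrypt/decrypt are an HMAC-SHA256 keystream + MAC stand-in
for real Kerberos encryption types such as aes256-cts-hmac-sha1-96."""
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds; Kerberos rejects timestamps outside this window


def derive_key(password: str, realm: str, principal: str) -> bytes:
    # Kerberos derives the long-term key from the password with PBKDF2,
    # salted with realm + principal (iteration count here is illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, msg: dict) -> bytes:
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""

    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys  # principal -> long-term key, incl. "krbtgt"

    def as_exchange(self, client: str, preauth: bytes, lifetime: int = 36000):
        # AS-REQ: client name in clear plus a timestamp encrypted under the client's
        # key. Decrypting it with the stored key proves the client knows the password.
        ts = decrypt(self.keys[client], preauth)["timestamp"]
        if abs(time.time() - ts) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        session, expires = os.urandom(32).hex(), time.time() + lifetime
        # AS-REP: TGT sealed with the krbtgt key (opaque to the client) and the
        # session key sealed with the client's own key.
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "session": session, "expires": expires})
        return tgt, encrypt(self.keys[client], {"session": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS-REQ: open the TGT with the krbtgt key, then check the authenticator
        # under the TGT session key (proof that the sender holds that key).
        t = decrypt(self.keys["krbtgt"], tgt)
        if time.time() > t["expires"]:
            raise ValueError("TGT expired")
        auth = decrypt(bytes.fromhex(t["session"]), authenticator)
        if auth["client"] != t["client"] or abs(time.time() - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("bad authenticator")
        svc_session = os.urandom(32).hex()
        # TGS-REP: service ticket sealed with the service's long-term key, plus the
        # service session key sealed with the TGT session key for the client.
        ticket = encrypt(self.keys[service], {"client": t["client"], "session": svc_session, "expires": t["expires"]})
        return ticket, encrypt(bytes.fromhex(t["session"]), {"session": svc_session, "service": service})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP-REQ handling on the file server (B): returns the authenticated client name."""
    t = decrypt(service_key, ticket)  # only B (and the KDC) can open this ticket
    if time.time() > t["expires"]:
        raise ValueError("service ticket expired")
    auth = decrypt(bytes.fromhex(t["session"]), authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]


def client_login_and_access(kdc: KDC, client: str, password: str, service: str, service_key: bytes) -> str:
    """Client side of all three exchanges; only ciphertext leaves the client."""
    k_client = derive_key(password, kdc.realm, client)
    tgt, enc = kdc.as_exchange(client, encrypt(k_client, {"timestamp": time.time()}))
    tgt_session = bytes.fromhex(decrypt(k_client, enc)["session"])  # the TGT itself stays opaque
    ticket, enc2 = kdc.tgs_exchange(tgt, encrypt(tgt_session, {"client": client, "timestamp": time.time()}), service)
    svc_session = bytes.fromhex(decrypt(tgt_session, enc2)["session"])
    return service_accept(service_key, ticket, encrypt(svc_session, {"client": client, "timestamp": time.time()}))


def demo() -> str:
    realm = "EXAMPLE.LOCAL"  # constructed realm, principals and password
    keys = {"krbtgt": os.urandom(32), "cifs/fileserver": os.urandom(32),
            "alice": derive_key("correct horse battery", realm, "alice")}
    return client_login_and_access(KDC(realm, keys), "alice", "correct horse battery",
                                   "cifs/fileserver", keys["cifs/fileserver"])


if __name__ == "__main__":
    print(demo())
```

Running the file prints `alice`, the name the file server learned purely from the ticket. Passing a wrong password to `client_login_and_access` makes `as_exchange` fail on the integrity check of the pre-authentication data, which is exactly where a KDC rejects a bad password in practice; calling `decrypt` on the TGT with the client's own key fails the same way, which is why a client can only forward its TGT, not inspect it.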