If you have done any IT work in a Windows domain environment, you may know that it uses Kerberos authentication as its authentication system.
It does this for several reasons, among them faster authentication and better manageability.
But how does Kerberos authentication work?
Basically, Kerberos is a network authentication protocol built on secret key cryptography.
Clients authenticate to a Key Distribution Center (KDC) and receive temporary tickets that grant access to services on the network.
This allows strong authentication without ever transmitting passwords.
Let’s see how all of this works.
You’ve probably heard of the security principle of least privilege, right?
It’s a fundamental principle of security.
There are numerous ways of achieving it, such as mandatory access control and discretionary access control.
The methods aren’t what’s important here.
What’s important is the fact that in corporate networks, access needs to be restricted.
That’s one of the reasons that the Kerberos protocol has been so widely adopted in enterprise environments.
The Kerberos ticket exchange is built around two main principles:
First, strong mutual authentication and second, restricted access.
Let’s look at the authentication steps:
Kerberos Authentication Steps
A client needs to access a network file server to read a file.
Although this client on the network is a computer, don’t forget that there is a person sitting behind that computer.
That person may move between computers and they still need to be able to access the organization’s files.
So, we are authenticating a user, not necessarily a computer.
Back to our example.
Step 1: Client Authentication Request
The client sends a request to the Kerberos Key Distribution Center (KDC) that includes the current date and time.
Part of the message is plain text (which user is asking) and the other part is encrypted.
The encrypted part is the timestamp, encrypted with a key derived from the user’s password; in Active Directory this is called pre-authentication.
Note how the password itself is not transmitted.
This is because the developers of the protocol wanted it to be strong enough to operate in a hostile environment, one where attackers are present and sniffing communications.
One caveat: an attacker who captures that encrypted timestamp can still try candidate passwords against it offline, so the protection is only as good as the password’s resistance to guessing.
Step 2: KDC checks the client’s credentials
The Key Distribution Center (the Kerberos server, which in Active Directory is the domain controller) validates that the user is who they claim to be.
It does this by decrypting the message that the client sent.
The KDC does not store passwords as such; it stores each user’s long-term key, derived from the password, in its database, and it attempts to decrypt the timestamp with that user’s key.
If it can, and the timestamp is within a few minutes of the KDC’s own clock, it assumes that the user is who they claim to be, as only someone who knows the password could have produced that key.
The time check is what stops an attacker from simply replaying a captured message later.
Once the client is authenticated, the encrypted timestamp is discarded.
It’s no longer needed.
Step 3: The KDC creates a ticket
At this point in the process, the KDC creates a ticket that it can give to the client.
This Ticket Granting Ticket (TGT) is what the client uses henceforth to make access requests.
The KDC encrypts the TGT with a key that only the KDC knows (in Active Directory, the key of the krbtgt account).
No one else needs to be able to see the contents; the TGT is for the KDC to keep track of the client.
Along with the TGT, the KDC sends a session key, encrypted with the user’s key, which the client will use to prove that it is the rightful holder of that TGT.
So, the KDC sends the TGT to the client.
The TGT is stored in the client’s Kerberos ticket cache in RAM, so it is volatile: it is never written to disk, and if the system crashes or reboots it is simply gone.
TGTs expire after a set period; in Active Directory the default maximum lifetime is ten hours.
Step 4: Client uses TGT to request access
When the client needs to access the file server in our example, it checks its ticket cache, and since it doesn’t yet have a ticket for that server, it makes a request.
The client sends a copy of the TGT to the KDC, along with an authenticator (the user name and current time, encrypted with the session key from Step 3), and requests access to the file server.
When the KDC receives the new request, it knows the user is already authenticated, so it doesn’t need to check the password again.
It just checks whether it can decrypt the TGT using the krbtgt key it encrypted the TGT with.
If it can, it must be a TGT the KDC itself issued earlier.
It then decrypts the authenticator with the session key found inside the TGT, which proves the request comes from the client that received that TGT and not from someone who merely copied it off the wire.
Step 5: The KDC creates a ticket for the file server
Now, the KDC will create a ticket that the client can use to access the file server.
And since the KDC knows the file server’s long-term key (derived from the server’s account password), it encrypts the ticket with that key.
The user’s identity and group memberships are included in the ticket; in Active Directory this is the Privilege Attribute Certificate (PAC).
That way the file server knows who the client is and can apply its own access control lists.
Note that the client never sees the contents of these tickets.
It just stores and uses them as necessary.
That’s one of the reasons that Kerberos authentication works so well: the client cannot edit its own group list.
The flip side is that anyone who captures the ticket can try to guess the service account’s password offline, so service accounts need long, random passwords.
The new ticket for the file server is then given back to the client to store in its ticket cache.
For as long as the file server ticket is valid (ten hours by default in Active Directory), whenever the client needs to access a file, it sends the file server its ticket.
Step 6: The client uses the file ticket to authenticate
From this point forward, when the client needs to access a file on the file server, it sends a copy of the ticket together with a fresh authenticator encrypted with the ticket’s session key.
The file server decrypts the ticket with its own key, checks the authenticator and the ticket’s expiry, verifies the user, and grants them the appropriate access.
Remember, inside that ticket are the user’s identity and group memberships, which are all the server needs to apply its access control lists.
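The six steps above as one runnable exchange, added here as an illustration; this is not code from the original article and not the real Kerberos wire format. It is a toy model: the realm, principal names, passwords, file paths and ACLs are constructed for the demo, seal()/unseal() are a stand-in HMAC-based cipher rather than a Kerberos encryption type, and check_ticket() compresses the real checks into a few lines. What it does preserve is the shape of the protocol: keys are derived from passwords and the password never leaves the client; the KDC opens the encrypted timestamp with the user’s key and rejects a wrong password; the TGT is sealed under the krbtgt key and the service ticket under the file server’s key, so the client only ever caches opaque blobs; the file server applies its ACL to the group list carried inside the ticket; and the KDC keeps a log of who asked for which ticket.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"        # constructed realm name for the demo
TICKET_LIFETIME = 10 * 3600    # seconds; Active Directory's default ticket lifetime
MAX_SKEW = 300                 # seconds of clock skew tolerated on timestamps

def string_to_key(password, principal):
    """Long-term key from a password, salted with realm + principal (loosely mirrors Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + HMAC tag) standing in for a Kerberos enctype."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_ticket(ticket, authenticator):
    """Ticket not expired, and authenticator sealed under its session key by the same user, recently."""
    if time.time() > ticket["exp"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["skey"]), authenticator)
    if auth["user"] != ticket["user"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator does not match ticket")

class KDC:
    def __init__(self):   # long-term keys only (never passwords), group memberships, audit log
        self.keys, self.groups, self.log = {"krbtgt": os.urandom(32)}, {}, []

    def add_principal(self, name, password, groups=()):
        self.keys[name], self.groups[name] = string_to_key(password, name), list(groups)

    def as_exchange(self, user, pre_auth):
        """Steps 1-3: open the encrypted timestamp with the user's key, return a TGT plus session key."""
        if abs(time.time() - unseal(self.keys[user], pre_auth)["ts"]) > MAX_SKEW:  # ValueError if wrong password
            raise ValueError("timestamp outside skew window")
        skey, exp = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        tgt = seal(self.keys["krbtgt"], {"user": user, "skey": skey, "exp": exp})
        self.log.append((time.time(), user, "krbtgt"))
        return tgt, seal(self.keys[user], {"skey": skey, "exp": exp})

    def tgs_exchange(self, tgt, authenticator, service):
        """Steps 4-5: open the TGT with the krbtgt key; issue a ticket under the service's key with the user's groups."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_ticket(t, authenticator)
        skey, exp = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        ticket = seal(self.keys[service], {"user": t["user"], "skey": skey, "exp": exp,
                                           "groups": self.groups[t["user"]]})
        self.log.append((time.time(), t["user"], service))
        return ticket, seal(bytes.fromhex(t["skey"]), {"skey": skey, "service": service})

class Client:
    def __init__(self, user, password, kdc):   # key derived locally; cache holds opaque tickets + session keys
        self.user, self.kdc, self.key, self.cache = user, kdc, string_to_key(password, user), {}

    def login(self):
        tgt, reply = self.kdc.as_exchange(self.user, seal(self.key, {"ts": time.time()}))
        self.cache["krbtgt"] = (tgt, bytes.fromhex(unseal(self.key, reply)["skey"]))

    def read(self, server, path):
        if server.name not in self.cache:   # nothing cached for this service: ask the KDC (step 4)
            tgt, tgt_key = self.cache["krbtgt"]
            auth = seal(tgt_key, {"user": self.user, "ts": time.time()})
            ticket, reply = self.kdc.tgs_exchange(tgt, auth, server.name)
            self.cache[server.name] = (ticket, bytes.fromhex(unseal(tgt_key, reply)["skey"]))
        ticket, skey = self.cache[server.name]
        return server.open(ticket, seal(skey, {"user": self.user, "ts": time.time()}), path)

class FileServer:
    def __init__(self, name, password, acl):
        self.name, self.key, self.acl = name, string_to_key(password, name), acl

    def open(self, ticket, authenticator, path):
        """Step 6: only the service key opens the ticket; the groups inside it drive the ACL."""
        t = unseal(self.key, ticket)
        check_ticket(t, authenticator)
        return bool(set(t["groups"]) & self.acl.get(path, set()))

def demo():
    # Constructed scenario: alice (Finance) reads two files, then a wrong password is tried.
    kdc = KDC()
    kdc.add_principal("alice", "correct horse battery staple", groups=["Finance"])
    kdc.add_principal("fs01", "a-long-random-service-password")
    fs = FileServer("fs01", "a-long-random-service-password", {"/finance/q3.xlsx": {"Finance"}, "/hr/salaries.xlsx": {"HR"}})
    alice = Client("alice", "correct horse battery staple", kdc)
    alice.login()
    allowed = alice.read(fs, "/finance/q3.xlsx")
    denied = alice.read(fs, "/hr/salaries.xlsx")   # second read reuses the cached ticket
    try:
        Client("alice", "wrong password", kdc).login()
        rejected = False
    except ValueError:
        rejected = True                            # KDC could not open the timestamp
    return allowed, denied, rejected, len(kdc.log)
```

Running demo() returns (True, False, True, 2): the Finance file opens, the HR file is refused by the server’s ACL even though the ticket is valid, the wrong password is rejected at the KDC before any ticket is issued, and the KDC’s log shows exactly two requests (the TGT and the one ticket for fs01), which is the auditability point made later in the article. On a real Windows client the equivalent of the cache dictionary is what `klist` displays.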
Benefits of Kerberos Authentication
The Kerberos authentication system has been in use for over three decades now.
Consequently, it has gone through a lot of revisions and scrutiny.
There are several key benefits to using kerberos as the authentication solution.
Ease and Quality
Kerberos has been adopted by a lot of the technology giants, including Apple, Microsoft and Sun.
Each of them shipped its own implementation and extensions of the protocol, and each has tested the security of the result.
Therefore, Kerberos is widely available, mature and well scrutinized.
One thing that large enterprises can’t ignore with technology is scalability.
The solutions that work for a small organization may not necessarily work for a very large one.
Fortunately, Kerberos scales well: the KDC is only involved when a ticket is issued, not on every file access, and tickets are reused until they expire.
Policy Enforcement and Auditability
This is another of the real benefits of Kerberos.
Because every ticket is requested from the KDC, the KDC can record who requested access to which service and at what time.
These logs can be crucial for audits and investigations.
Although Kerberos has been around for over three decades, it is still a very strong network authentication system.
It is probably not going away in the near future.
Because the KDC issues tickets, passwords are never sent across the network, so attackers sniffing traffic don’t get the opportunity to capture them.
The essence of Kerberos’ system is mutual authentication: the client proves its identity to the KDC and to the server, and the server can prove to the client that it holds the right key, since only that key could have opened the ticket and recovered the session key.