Wednesday 21 December 2016

Kerberos Working


Kerberos Understanding


Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology

  1. Kerberos protocol has 3 key components -
    - Client  [ Users / Applications ]
    - Services
    - Key Distribution Centre (KDC)
  2. Key Distribution Centre (KDC) key components -
    - Ticket Granting Service (TGS)
    - KDC Database
    - Authentication Service

    Note :
     Users/Applications/Services also known as principle             Set of principle is called "realm"
  3. Keys Used in Kerberos Authentication :
    - Secret Keys     :  These keys are shared between KDC and Principle
    - Session Keys   :  These keys are shared between client and services i.e. principles
Overall Workflow - Client needs to access email service
  • Kerberos is single sign on technology
  • In Kerberos, client sends username to KDC
  • KDC in turn search for user in KDC database
  • If user found in KDC database, TGS creates a ticket with limited period of time and sent to client along with session key.
  • Now, if client wants to access email server, then it will create "Authenticator" message containing - Client name, IP Address, Time and encrypt it with session key (S1) provided by KDC
  • Client then sends this TGT + Authenticator encrypted with session key + Service that needs to be access (Mail service) and send it to KDC
  • KDC decrypts message, post confirmation KDC creates a "Service Ticket" and encrypts it with Service key.
  • Service ticket along with new session key (S2) is encrypted with (S1) and send it to client.
  • Client now has service ticket, however it cant be decrypted as it doesn't have service key.
  • Client encrypts authenticator with new session key (S2) and send it to Service (Email Service)
  • Once service receives message, it can decrypt the message with Service key and confirm the identity.
  • Client can have communication with service!


Kerberos Key Components



Kerberos Overall Flow - Client wants to access email service























Below are some of the best links I came across for understanding Kerberos :
Link 1
Link 2
Link 3 ( Blackhat )

Potential weaknesses in Kerberos :

  1. KDC can be single point of failure
  2. Secret keys are stored temporarily on users workstations 
  3. Session keys either reside in cache or in key table 
  4. Kerberos is vulnerable to password guessing - KDC doesn't have any mechanism to detect bruteforce attempts.
  5. Network traffic is not protected if encryption is not enabled
  6. Too short keys - vulnerable to bruteforce
  7. Kerberos needs all client and server clock to be synchronised



Hope this helps! Thanks for visiting!