Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology
- Kerberos protocol has 3 key components -
- Client [ Users / Applications ]
- Key Distribution Centre (KDC)
- Key Distribution Centre (KDC) key components -
- Ticket Granting Service (TGS)
- KDC Database
- Authentication Service
Note : Users/Applications/Services also known as principle Set of principle is called "realm"
- Keys Used in Kerberos Authentication :
- Secret Keys : These keys are shared between KDC and Principle
- Session Keys : These keys are shared between client and services i.e. principles
Overall Workflow - Client needs to access email service
- Kerberos is single sign on technology
- In Kerberos, client sends username to KDC
- KDC in turn search for user in KDC database
- If user found in KDC database, TGS creates a ticket with limited period of time and sent to client along with session key.
- Now, if client wants to access email server, then it will create "Authenticator" message containing - Client name, IP Address, Time and encrypt it with session key (S1) provided by KDC
- Client then sends this TGT + Authenticator encrypted with session key + Service that needs to be access (Mail service) and send it to KDC
- KDC decrypts message, post confirmation KDC creates a "Service Ticket" and encrypts it with Service key.
- Service ticket along with new session key (S2) is encrypted with (S1) and send it to client.
- Client now has service ticket, however it cant be decrypted as it doesn't have service key.
- Client encrypts authenticator with new session key (S2) and send it to Service (Email Service)
- Once service receives message, it can decrypt the message with Service key and confirm the identity.
- Client can have communication with service!
|Kerberos Key Components|
|Kerberos Overall Flow - Client wants to access email service|
Below are some of the best links I came across for understanding Kerberos :
Link 3 ( Blackhat )
Potential weaknesses in Kerberos :
- KDC can be single point of failure
- Secret keys are stored temporarily on users workstations
- Session keys either reside in cache or in key table
- Kerberos is vulnerable to password guessing - KDC doesn't have any mechanism to detect bruteforce attempts.
- Network traffic is not protected if encryption is not enabled
- Too short keys - vulnerable to bruteforce
- Kerberos needs all client and server clock to be synchronised
Hope this helps! Thanks for visiting!