Kerberos is a network authentication protocol which utilizes symmetric cryptography to provide authentication for client-server applications.
Kerberos Standard Definition
Kerberos is defined in RFC 1510 – The Kerberos Network Authentication Service (V5).
The core of Kerberos architecture is the KDC (Key Distribution Server). The KDC stores authentication information and uses it to securely authenticate users and services.
This authentication is called secure because it:
- Does not appear as plaintext
- Does not rely on authentication by the host operating system
- Does not base trust on IP addresses
- Does not require physical security of the network hosts
The KDC acts as a trusted third party in performing these authentication services.
Due to the critical function of the KDC, multiple KDCs are normally utilized. Each KDC stores a database of users, servers, and secret keys.
Kerberos client applications are normal network applications modified to use Kerberos for authentication. In Kerberos slang, they have been Kerberized.
How Kerberos Works
One of the problems that comes with using a network that requires authentication from the user–a username and password–is the fact that the password is sent over the network as plain text. So, the user types in the username and password, which might appear as asterisks, and then they hit enter to submit it. The password and username travel over the network as plain text.
For someone looking to gain access to this information, it would not be too difficult to catch the password and username while en route through the network and use it to access the system. Kerberos allows for the password and username to be used without having to send them over the network. In other words, the network can be accessed, but the password and username don’t have to travel through it.
In a kerberized network, the kerberos database contains principles and their keys. All of the services are also stored on the kerberos database with their keys.
When a user wants to log in to the network, the principle is sent to the key distribution center (KDC). This is sent as a request for the ticket granting ticket (TGT). The request can be sent by a login program or by a kinit program.
If the KDC finds the principle in the database, it creates a TGT, encrypts it using the TGT, encrypts it using the user’s individual key and then sends it back to the user.
Once it [TGT] is received by the user, the login program decrypts the encrypted key. This TGT is stored in the credentials cache and expires after a certain amount of time. The time varies, but is typically around eight hours. This brings more security because when the TGT expires, access to the network expires as well (because a new TGT is needed).
The Kerberos Protocol
Kerberos defines ten messages that make up the Kerberos protocol:
KRB_AS_REQ Kerberos Authentication Service Request KRBAS_REP Kerberos Authentication Service Reply KRB_AP_REQ Kerberos Application Request KRB_AP_REP Kerberos Application Reply KRB_TGS_REQ Kerberos Ticket Granting Service Request KRB_TGS_REP Kerberos Ticket Granting Service Reply KRB_SAFE Kerberos Safe (Checksummed) Application Message KRB_PRIV Kerberos Private (Encrypted) Application Message KRB_CRED Kerberos Credentiials KRB_ERROR Kerberos Erro
Several other commercial and non-commercial Kerberos implementations are also available.
Microsoft added a slight modified version of Kerberos v5 authentication in Windows 2000.
Since KDCs store secret keys for every user and server on the network, they must be kept completely secure. If an attacker got administrative access to the KDC, he would have access to the resources of the Kerberos realm.
Kerberos tickets are cached on the client systems. If an attacker gains administrative access to a Kerberos client system, he can impersonate the authenticated users of that system.
Additional Reading on Kerberos
RFC 1510 is an excellent source for understanding the Kerberos protocol.
The Kerberos FAQ provides more information.