Kerberos Authentication

Overview

Kerberos is a network authentication protocol that provides strong authentication within a client/server architecture. It uses tickets so that systems communicating over an unsecured network can prove their identity to one another securely, and it protects the logon credentials of the principals of a system. Entities authenticate to network systems using different credentials such as a username and password combination, a smartcard, a token or biometrics. Once entities have authenticated with Kerberos, they can access multiple applications, following the single sign-on (SSO) principle. SSO reduces identification and authentication overhead by letting users gain access to multiple systems with a single account. Kerberos uses symmetric encryption to prove a user's authenticity, and it protects data and messages against eavesdropping and replay attacks. Users must keep their secret keys secure, since those keys are what prove their identities to the authentication server.

Components of Kerberos

In a Kerberos environment, users gain access to applications and systems deployed anywhere in the network through an authentication server. As mentioned above, Kerberos uses a secure ticketing system to authenticate users and grant them access to these network resources.

Users / Principals

These are the entities that use the Kerberos protocol for identification and authentication. The user encrypts its username and corresponding credentials and sends them to the KDC, specifically to the authentication server (AS); the credentials are held in the form of a hashed secret key for secure storage and validation. Using this registered and stored identity, the user requests a Ticket Granting Ticket (TGT) from the authentication service (AS). More specifically, the user requests authentication by sending a message encrypted with the user's secret key, which is possible because Kerberos uses symmetric encryption. If authentication succeeds, the AS issues a TGT to the requesting user.

Authentication Server (AS)

The authentication service (AS) is responsible for authenticating users through an exchange of encrypted data. If the user can decrypt the data using the shared secret key, the server authenticates the user. The authentication server is the first line of defense and authorizes users to request tickets; users cannot request tickets directly from the Ticket Granting Service (TGS). When users request registration, the AS authenticates each user before their record is permanently stored in the KDC. Based on this information, the AS checks users requesting resources and issues them a TGT.

Ticket Granting Service (TGS)

The Ticket Granting Service (TGS) securely issues tickets to authenticated users. The tickets are time stamped and expire after a few hours (for example, eight hours). The TGS holds credentials for principals (users), applications and services, and it stores the secret and session keys used for secure transactions. The user sends the TGT to the TGS and requests a ticket for a service; the TGS verifies the TGT and sends a Ticket for Service back to the user.

Key Distribution Center (KDC)

The KDC is the heart of Kerberos and performs registration for new entities. It is the server that holds and maintains the credentials and keys of all users and services, and it provides secure authentication to the entities referred to as principals (users, applications or services). It also provides security services for the set of principals in its defined domain.

Application Server / Network Services

The application server performs certificate-based authentication but does not issue credential tickets. The server may hold user credentials itself or work with Active Directory (AD) and LDAP databases. A ticket is presented by a subject to an object in the defined realm to request access: the user sends the Ticket for Service and requests access to resources, and the server authenticates the user and grants access.

Kerberos Architecture

The Kerberos architecture has three major components: the Authentication Server (AS), the Ticket Granting Service (TGS) and the resource server where applications and systems reside. Hence the name, which refers to the three-headed dog of Greek mythology. Kerberos is a network authentication protocol that provides strong authentication services to client-server environments. In a Kerberized environment, users follow the steps depicted in the following diagram.

Steps in Kerberos Authentication

Users in a Kerberos environment go through three major steps to prove their identity, be authenticated and access resources. They also need the necessary privileges to create sessions and gain access to the centralized services. The three steps are as follows:
  • The principal sends the authentication server (AS) a message encrypted with its secret key. If authentication succeeds, the AS issues a Ticket Granting Ticket (TGT) to the principal. The TGT authorizes the user to request further tickets to access services.
  • Next, the principal requests a Service Ticket from the Ticket Granting Service (TGS) by presenting the TGT. If the user is privileged to access the service, the TGS issues a Service Ticket to the requesting entity.
  • Finally, the principal sends the Service Ticket to the server or network service that hosts the requested service. The server checks the validity of the Service Ticket and grants the user access to the service.
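To make the three steps concrete, here is a simulation of the exchanges, added as an example and not code from the original page or from any Kerberos implementation. It models the KDC (AS plus TGS), an application server and a client with only symmetric keys, exactly as the text describes: the client proves possession of its secret key by encrypting a timestamp, the AS returns a TGT sealed under a KDC-only key, the TGS turns the TGT into a service ticket sealed under the service's key, and the application server validates the ticket and the client's authenticator locally. The message layout, the JSON field names, the toy HMAC-based cipher (`seal`/`unseal`) and the PBKDF2 string-to-key function are assumptions chosen for a self-contained demonstration, not the real Kerberos wire format or encryption types; ticket lifetime and clock-skew limits are constructed values.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME = 8 * 3600  # ticket lifetime in seconds (the eight-hour example from the text)
CLOCK_SKEW = 300     # authenticator timestamps further from "now" than this are rejected


def string_to_key(password: str, principal: str) -> bytes:
    """Derive a principal's long-term key from its password (simplified string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream XOR plus HMAC tag) standing in for a Kerberos etype."""
    plaintext = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); a wrong key or a tampered message fails the tag check before decryption."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """Holds every principal's long-term key and runs the AS and TGS exchanges."""

    def __init__(self, principals: dict):
        self.keys = {name: string_to_key(pw, name) for name, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)  # protects TGTs; never leaves the KDC

    def as_exchange(self, client: str, pa_timestamp: bytes, now: float):
        # Step 1: the client proves knowledge of its secret key by encrypting a timestamp.
        client_key = self.keys[client]
        ts = unseal(client_key, pa_timestamp)["timestamp"]  # raises if the key is wrong
        if abs(now - ts) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        session_key, expires = os.urandom(32).hex(), now + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "session_key": session_key, "expires": expires})
        enc_part = seal(client_key, {"session_key": session_key, "expires": expires})
        return tgt, enc_part  # only the real client can read enc_part and learn the session key

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        # Step 2: validate the TGT and its authenticator, then issue a ticket for the service.
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT has expired")
        tgt_session = bytes.fromhex(t["session_key"])
        auth = unseal(tgt_session, authenticator)
        if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session_key": svc_session,
                                           "expires": min(now + LIFETIME, t["expires"])})
        return ticket, seal(tgt_session, {"session_key": svc_session})


class ApplicationServer:
    """A network service: verifies service tickets with its own key and never contacts the KDC."""

    def __init__(self, name: str, kdc: KDC):
        self.name, self.key = name, kdc.keys[name]
        self.seen = set()  # replay cache of (client, timestamp) authenticators already accepted

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        # Step 3: decrypt the ticket, check its lifetime, then bind the authenticator to it.
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("service ticket has expired")
        auth = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match ticket")
        marker = (auth["client"], auth["timestamp"])
        if marker in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(marker)
        return t["client"]


def obtain_service_ticket(kdc: KDC, user: str, password: str, service: str, now: float):
    """Client side of steps 1 and 2; returns the service ticket and the session key it shares with the service."""
    user_key = string_to_key(password, user)
    tgt, enc = kdc.as_exchange(user, seal(user_key, {"timestamp": now}), now)
    tgt_session = bytes.fromhex(unseal(user_key, enc)["session_key"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(tgt_session, {"client": user, "timestamp": now}), service, now)
    return ticket, bytes.fromhex(unseal(tgt_session, enc2)["session_key"])


def client_login(kdc: KDC, server: ApplicationServer, user: str, password: str, now: float) -> str:
    """Runs all three steps and returns the principal name the application server accepted."""
    ticket, svc_session = obtain_service_ticket(kdc, user, password, server.name, now)
    return server.ap_exchange(ticket, seal(svc_session, {"client": user, "timestamp": now}), now)


if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery", "http/web": "service-secret"})  # constructed principals
    print(client_login(kdc, ApplicationServer("http/web", kdc), "alice", "correct horse battery", time.time()))
```

Two properties worth noticing in the simulation: the application server never holds the user's key and never talks to the KDC, it only needs its own key to open the ticket; and a ticket alone is not enough, because the accompanying authenticator must be sealed under the session key that only the legitimate client could extract, and the server's replay cache rejects a captured authenticator that is presented a second time.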
You can find more information about Kerberos on MIT's Kerberos website.