What is Kerberos? A Closer Look and How Does It Work

What is Kerberos? Kerberos is the default authentication protocol in Microsoft Windows domains (Active Directory), and has been since Windows 2000. Independent implementations, chiefly MIT Kerberos and Heimdal, also ship with Linux, macOS, UNIX, and FreeBSD.

Kerberos combines symmetric-key cryptography with a trusted third party, the Key Distribution Center, so that a client and a service can authenticate each other without ever exchanging a password. This makes it much harder for an attacker who can read network traffic to steal credentials and use them to move through a network.

Kerberos was developed at the Massachusetts Institute of Technology (MIT). Its design, which protects authentication traffic against eavesdropping and replay, has made it the standard network authentication protocol across platforms, from Windows domains to UNIX services and intranet web applications.

Kerberos: A Closer Look

In Greek mythology, Kerberos (Cerberus in Latin) is the large, three-headed dog that guards the gateway to the underworld to keep souls from escaping.

Today, however, Kerberos is a computer network authentication protocol initially developed in the 1980s by computer scientists at the Massachusetts Institute of Technology (MIT).

The idea behind Kerberos is to authenticate users without ever sending their passwords over the network.

Kerberos grew out of Project Athena, which began at MIT in 1983, the same year the Domain Name System (DNS) was introduced. Versions 1 through 3 were internal to MIT; version 4 was the first public release, and version 5, the protocol in use today, was standardized in RFC 1510 (1993) and revised in RFC 4120 (2005). Initially designed for an educational project, it now underpins single sign-on (SSO) on corporate networks and, through the HTTP Negotiate (SPNEGO) mechanism, browser sign-on to intranet web applications.

Many popular operating systems, including Windows, have Kerberos built in. Like DNS, it is so pervasive that most users are not aware they are using it.

Kerberos is an authentication protocol that allows systems and users to prove their identity through a trusted third party. This protocol was initially developed at the Massachusetts Institute of Technology (MIT) as part of Project Athena.

Athena was a joint initiative of MIT, Digital Equipment Corporation, and IBM to build a distributed computing environment for educational use.

What Does Kerberos Do?

Kerberos’ main objective was to give users of the MIT network a way to authenticate securely to the systems they needed to use. Authorization, deciding what an authenticated user may do, is left to the services that consume Kerberos tickets, although a ticket can carry authorization data for them to use (in Active Directory, the Privilege Attribute Certificate, or PAC).

At that time, network systems typically authenticated users with a user ID and password, and routinely sent the password in the clear, that is, unencrypted.

An attacker with access to the network could simply capture the traffic, read the user IDs and passwords, and reuse them to log in to systems they were not authorized to use.

The protocol’s developers therefore set out to build a network authentication protocol that lets trusted hosts authenticate one another over an untrusted network.

Specifically, they wanted a mechanism for authenticating access to systems over an open network such as the internet, where every message must be assumed to be visible to an attacker.

Protocol “Kerberos Authentication and Authorization System”

The protocol was first described in a paper of the same name, “Kerberos Authentication and Authorization System,” written by S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer as part of the Project Athena technical plan.

The designers aimed to provide a foundation ensuring that only authorized users can access specific network resources, with authentication serving as the basis for authorization decisions.

An authenticated user has some rights on the network; authorization tools then grant finer-grained access to specific resources, such as storage and databases.

Kerberos is also designed to work alongside authorization and accounting systems. Of the authentication, authorization, and accounting (AAA) triad, Kerberos itself supplies the first “A,” authentication; the other two are layered on top by the services that consume its tickets.

How Does Kerberos Work?

The name is the Greek spelling of Cerberus, the three-headed gatekeeper of Hades in Greek mythology, and fittingly the protocol involves three parties:

1. The client is the entity that requests a service and must prove its identity,

2. The Application Server hosts the service that the client (or user) wants to access,

3. The Key Distribution Center (KDC) is the trusted third party that vouches for identities during authentication. In Active Directory, every domain controller acts as a KDC.

For authentication, Kerberos uses symmetric encryption and a trusted third party, the Key Distribution Center (KDC).

The Key Distribution Center issues tickets: encrypted tokens that let a client prove its identity to a server and that serve as a temporary credential until their expiration time.

KDC Components

There are three main components in the KDC:

1. The Authentication Server (AS) is the subprotocol that performs the initial authentication and issues Ticket-Granting Tickets (TGTs) to clients,

2. The Ticket-Granting Server (TGS) issues service tickets for other services on the strength of a previously obtained TGT,

3. The database holds the long-term secret keys of all users and services in the realm.

Authentication Stages

After a successful authentication, the client stores the resulting ticket in a credential cache on the user’s machine for the rest of the session. A Kerberos-aware service accepts that ticket instead of prompting the user for a password.

Kerberos relies on encrypted tickets rather than transmitted passwords. These are the steps of an authentication:

1. In the first stage, the client sends the KDC an AS-REQ containing its principal name and, with pre-authentication (the norm in Active Directory), a timestamp encrypted under the key derived from the user’s password. The Authentication Server (AS) looks up the client’s long-term key in its database (on a domain controller, the account’s key in Active Directory) and verifies the request with it,

2. In the second stage, once the client is verified, the AS replies (AS-REP) with a Ticket-Granting Ticket and a session key. The TGT holds the user identity, the session key, optionally the client’s network address, and an expiration time, and is encrypted under the krbtgt key so only the KDC can read it; the session key is sent encrypted under the client’s own key,

3. In the third stage, to reach a service, the client sends the Ticket-Granting Server a TGS-REQ consisting of the TGT plus an authenticator encrypted with the session key. The TGS returns (TGS-REP) a service ticket encrypted under that service’s long-term key, together with a new session key for the client and the service,

4. In the last stage, the client presents the service ticket and a fresh authenticator to the application server (AP-REQ). The server decrypts the ticket with its own key, checks the authenticator, and, if mutual authentication was requested, replies (AP-REP) with proof that it holds the session key. No password and no long-term key crosses the network at any step.
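The four stages above, worked through as an added example rather than code from the original page: a self-contained Python 3 (standard library only) model of the exchange with all three parties, the client, a KDC acting as AS and TGS over one key database, and the application server, and all six messages. The realm EXAMPLE.COM, the principals alice and HTTP/web.example.com, the password, and the ticket fields are constructed for this example, and seal()/unseal() is an HMAC-SHA256 stand-in for the real Kerberos encryption types (such as aes256-cts-hmac-sha1-96 from RFC 3962), so the code shows the protocol logic, not wire-compatible Kerberos.

```python
"""Toy end-to-end Kerberos exchange: AS-REQ/AS-REP, TGS-REQ/TGS-REP, AP-REQ/AP-REP.
Constructed for illustration: realm, principals and passwords are made up, and
seal()/unseal() is an HMAC-SHA256 stand-in for real Kerberos enctypes (RFC 3962)."""
import hashlib, hmac, json, secrets, time

REALM = "EXAMPLE.COM"
MAX_SKEW = 300            # seconds; Kerberos' default clock-skew tolerance
TGT_LIFETIME = 10 * 3600  # Active Directory's default ticket lifetime

def string_to_key(password, principal):
    """Derive the long-term key from a password (stand-in for RFC 3962 string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096, 32)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    """Toy authenticated encryption (keystream XOR, then HMAC) of a dict of fields."""
    pt = json.dumps(fields).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_skew(now, ts):
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("KRB_AP_ERR_SKEW: clock skew too great")

class KDC:
    def __init__(self, db):
        self.db = db                          # principal -> long-term key (the KDC database)
        self.krbtgt = db["krbtgt/" + REALM]   # the key that protects every TGT

    def as_exchange(self, cname, pa_enc_timestamp, now):
        # AS-REQ: pre-authentication proves the client knows its password-derived key
        check_skew(now, unseal(self.db[cname], pa_enc_timestamp)["timestamp"])
        sk = secrets.token_bytes(32)
        tgt = seal(self.krbtgt, {"cname": cname, "key": sk.hex(), "endtime": now + TGT_LIFETIME})
        # AS-REP: TGT (opaque to the client) plus the session key, readable only with the user's key
        return tgt, seal(self.db[cname], {"key": sk.hex(), "sname": "krbtgt/" + REALM})

    def tgs_exchange(self, tgt, authenticator, sname, now):
        t = unseal(self.krbtgt, tgt)          # TGS-REQ: only the KDC can open a TGT
        if now > t["endtime"]:
            raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
        sk = bytes.fromhex(t["key"])
        auth = unseal(sk, authenticator)      # proves the requester holds the TGT session key
        check_skew(now, auth["timestamp"])
        if auth["cname"] != t["cname"]:
            raise ValueError("KRB_AP_ERR_BADMATCH")
        svc_key = secrets.token_bytes(32)
        ticket = seal(self.db[sname], {"cname": t["cname"], "key": svc_key.hex(), "endtime": t["endtime"]})
        # TGS-REP: service ticket (opaque to the client) plus a new session key under the TGT session key
        return ticket, seal(sk, {"key": svc_key.hex(), "sname": sname})

class AppServer:
    def __init__(self, sname, key):
        self.sname, self.key, self.replay_cache = sname, key, set()

    def ap_exchange(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)          # AP-REQ: the service never contacts the KDC
        if now > t["endtime"]:
            raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
        sk = bytes.fromhex(t["key"])
        auth = unseal(sk, authenticator)
        check_skew(now, auth["timestamp"])
        if auth["cname"] != t["cname"]:
            raise ValueError("KRB_AP_ERR_BADMATCH")
        if (auth["cname"], auth["timestamp"]) in self.replay_cache:
            raise ValueError("KRB_AP_ERR_REPEAT: authenticator replayed")
        self.replay_cache.add((auth["cname"], auth["timestamp"]))
        # AP-REP: echoing the client's timestamp under the session key is the mutual-auth proof
        return t["cname"], seal(sk, {"timestamp": auth["timestamp"]})

def client_login(kdc, server, user, password, now=None):
    """Client side of all three exchanges: returns (name the server accepted, mutual auth OK?)."""
    now = time.time() if now is None else now
    user_key = string_to_key(password, user)  # the password itself never leaves this function
    tgt, enc = kdc.as_exchange(user, seal(user_key, {"timestamp": now}), now)
    tgt_sk = bytes.fromhex(unseal(user_key, enc)["key"])
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_sk, {"cname": user, "timestamp": now}), server.sname, now)
    svc_sk = bytes.fromhex(unseal(tgt_sk, enc)["key"])
    accepted_as, ap_rep = server.ap_exchange(ticket, seal(svc_sk, {"cname": user, "timestamp": now}), now)
    return accepted_as, unseal(svc_sk, ap_rep)["timestamp"] == now

def build_realm():
    """Constructed key database: one user, one HTTP service, and the krbtgt key."""
    db = {"alice": string_to_key("correct horse battery", "alice"),
          "HTTP/web.example.com": secrets.token_bytes(32),
          "krbtgt/" + REALM: secrets.token_bytes(32)}
    return KDC(db), AppServer("HTTP/web.example.com", db["HTTP/web.example.com"])

if __name__ == "__main__":
    kdc, web = build_realm()
    print(client_login(kdc, web, "alice", "correct horse battery"))  # ('alice', True)
```

Three properties of the real protocol are visible in the model: the password is only ever used locally, inside client_login, to derive a key; the client cannot read its own TGT or service ticket, because each is encrypted under a key it does not hold; and the application server verifies the ticket with nothing but its own key, never contacting the KDC. A wrong password fails at the KDC’s pre-authentication check, and presenting the same authenticator twice trips the server’s replay cache.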

Kerberos integration is also supported by Remedy Single Sign On, the primary authentication module for many BMC products.

In Remedy Single Sign On, Kerberos can be configured as an authentication service. Remedy Single Sign On then validates the Kerberos token sent by the client (for example, a browser requesting access to BMC Digital Workplace) against the KDC and signs the user in to the application with their Windows credentials.

Advantages of Kerberos

1. Passwords never cross the network: the password is used only locally to derive a key, and the only keys transmitted are session keys, in encrypted form;

2. Authentication can be mutual: when the client requests it, the server proves possession of the session key in its AP-REP, so both sides know they are talking to the right partner;

3. Authentication is reusable for the lifetime of a ticket: the cached ticket is presented to each service without re-entering the password until it expires (in Active Directory, 10 hours by default, renewable for up to 7 days);

4. Kerberos is based on open Internet standards (RFC 4120); and

5. Kerberos is deployed across many industries, so flaws in the protocol or in its common implementations attract scrutiny and are fixed quickly.

Kerberos Disadvantages

If an attacker gains control of the Key Distribution Center, the entire realm is compromised: with the krbtgt key they can forge tickets for any user (in Active Directory, the “golden ticket” attack), and recovery requires resetting the krbtgt key twice so that every outstanding ticket is invalidated.

Only Kerberos-aware applications can use it, and retrofitting existing code to be Kerberos-aware can be difficult. Kerberos also depends on synchronized clocks: requests whose timestamps fall outside the permitted skew (five minutes by default) are rejected.

How To Enable Kerberos in the Browser?

When using Kerberos authentication with Remedy Single Sign On, remember to enable Kerberos (Integrated Windows Authentication, also called Negotiate) in your browser; it is not always enabled by default. Here is how to do it for two commonly used web browsers.

How to Enable Kerberos in Internet Explorer:

1. On the Internet Options dialog box, select the Advanced tab.

2. Then scroll down to the Security section and select the Enable Integrated Windows Authentication checkbox.

3. Click on the OK button and restart the browser for the settings to take effect.

How to Enable Kerberos in Firefox:

1. Open Firefox and enter about:config in the address bar. Accept the warning that appears.

2. In the search field, enter negotiate.

3. Double-click the network.negotiate-auth.trusted-uris preference. This preference lists the trusted sites for Kerberos authentication.

4. In the dialog box, enter the Remedy Single Sign On domain, such as rsso.bmc.com.

5. Click the OK button.
