Recent incidents and cyber threats show that the Internet is not a safe place, as many of the protocols on which it runs were not designed with security in mind. Attackers can exploit weakly protected networks and forge passwords to gain access to systems. For example, unencrypted passwords sent by applications over a network can easily be intercepted. In addition, many identity verification techniques are outdated in the sense that you cannot be certain of the identity of the person who is accessing the system.
Many sites use "firewalls" as a shield against unwanted intrusions. This rests on the assumption that the 'bad guys' are on the outside. In fact, 'insiders' are responsible for most of the severe data intrusions. Firewalls also restrict how the Internet can be used, which can be a major hindrance to the smooth functioning of a company.
To counter these visible and significant security threats, Kerberos was conceived and created by a team at MIT. Originally introduced in the 1980s, the authentication protocol has undergone several enhancements and is available on all major operating systems, including Windows, macOS and Linux.
What is Kerberos?
To understand Kerberos, let us first look at the name. In Greek mythology, Kerberos was the three-headed dog who guarded the gates of Hades (the underworld). Kerberos, the network authentication protocol, provides strong authentication between server and client, along with the tools for verification and cryptography over the network. This way, you can better protect what is shared within your enterprise.
Many applications are "Kerberos aware", i.e. they are programmed to use Kerberos authentication. Kerberos is in fact built into every Windows and Mac system; however, it is only activated when Kerberos is part of the network's user authentication system. This is why the technology is mainly used by enterprises.
How does Kerberos work?
Enterprise security is based on the fundamental principle of least privilege, i.e. network access must be restricted. During the authentication process, Kerberos relies on a trusted third party called the Key Distribution Center (KDC). When the client authenticates, Kerberos stores a ticket for that session on the user's machine. A Kerberos-aware service then looks for this ticket, so the client is not prompted to authenticate again with a password.
The main entities of a Kerberos flow include:
Client: Acts on behalf of the user and initiates the communication for a service request.
Server: The server that the user wishes to access.
Authentication Server (AS): Authenticates the client. On successful authentication, the AS issues a ticket known as a Ticket Granting Ticket (TGT), which can be presented to other servers as proof that the client has been authenticated.
Key Distribution Center (KDC): In a Kerberos environment, the authentication service is divided into three parts:
a. Database (db)
b. Authentication Server (AS) and
c. Ticket Granting Server (TGS).
These three parts run on a single server, which is known as the Key Distribution Center.
Ticket Granting Server (TGS): The KDC component that issues service tickets, which the client presents to the application server.
The steps involved in Kerberos authentication are summarized below:
1. When the client logs into the domain, a Ticket-Granting Ticket (TGT) request is sent to the Key Distribution Center (KDC).
2. The Kerberos KDC responds by returning a TGT and a session key to the client.
3. The Kerberos KDC then receives a request from the PC client for a ticket to the application server. This request comprises the TGT and an authenticator.
4. The PC client then receives a service ticket and a session key from the KDC.
5. The client presents the ticket to the application server, which authenticates the PC client.
6. The server sends the PC client another authenticator. Upon receiving it, the client authenticates the server.
Kerberos is also supported by Remedy Single Sign-On (SSO); a Kerberos authentication process can be configured within the Remedy SSO system.
A detailed explanation of each step follows:
Step 1 -
The first step is the initial authentication request: the client asks the Authentication Server for a Ticket Granting Ticket (TGT). The request carries only the client ID; the client's password/secret key is never sent.
Step 2 -
The Authentication Server checks the database for the client and the TGS. If either is not found, an error message is returned to the client. If both are present, the client secret key is derived from the hash of the user's password held in the database, and the TGS secret key is likewise computed.
The Authentication Server generates a session key (SK1) to be shared between the client and the TGS. SK1 is encrypted with the client secret key.
The Authentication Server also generates a TGT containing the client ID, client network address, lifetime, timestamp and session key (SK1). The ticket is encrypted with the TGS secret key, so that only the TGS is able to decipher its contents.
The response sent to the client comprises the generated TGT and SK1. The body of the message is encrypted with the client secret key, which ensures that only the client can decode it.
Step 3 -
The client uses its secret key to decrypt the message and extract SK1 and the TGT. It then generates an authenticator, used to validate the client to the TGS, comprising the client ID, client network address and client machine timestamp; this is encrypted with the extracted SK1.
The client sends the authenticator and the extracted TGT to the TGS, requesting a ticket for the target server.
Step 4 -
Using the TGS secret key, the TGS decrypts the TGT and extracts SK1. This key allows the TGS to decrypt the authenticator and verify that the client ID and client network address match those in the TGT. The TGS also checks, using the extracted timestamp, whether the TGT has expired.
Once all checks pass, another session key (SK2) is generated. This service session key is shared between the client and the target server.
A service ticket comprising the client ID, client network address, timestamp and SK2 is then created. This ticket is encrypted with the target server's secret key, obtained from the database.
The message body returned to the client consists of SK2 and the service ticket, encrypted with SK1 (known to the client).
Step 5 -
The client decrypts the message using SK1 and extracts SK2. A new authenticator is then created, comprising the client ID, timestamp and client network address, and encrypted with SK2.
The target server then receives the authenticator and the service ticket from the client.
Step 6 -
The target server uses its own secret key to decrypt the service ticket and extract SK2. SK2 is then used to decrypt the authenticator and extract the client ID, client network address and timestamp.
The server then checks that the client ID and client network address in the service ticket match those in the authenticator.
When all checks pass, the target server sends the client a message containing the timestamp plus 1, encrypted with SK2.
This validates the authentication between the client and server, and a trusted service session can now begin.
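The six steps above (and the summary list earlier) can be traced end to end in code. The following simulation is an added example, not part of the original post or any Kerberos implementation: the KDC database, the principal names (alice, krbtgt, fileserver), the passwords and the 600-second lifetime are constructed, and the symmetric "cipher" is a toy encrypt-then-MAC construction used only so that decryption with the wrong key fails loudly. It shows why the password never crosses the wire, why a stolen ticket is useless without the matching session key, and how the timestamp + 1 reply gives the client mutual authentication.

```python
import hashlib, hmac, json, os, time
LIFETIME = 600  # ticket lifetime in seconds (constructed value)

def kdf(password):  # client secret key = hash of the password (Step 2)
    return hashlib.sha256(password.encode()).digest()
def _xor(key, nonce, data):  # toy keystream for illustration only, NOT a real cipher
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))
def enc(key, obj):  # encrypt-then-MAC: a wrong key is detected instead of yielding garbage
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = _xor(key, nonce, pt)
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))
# KDC database: principal -> secret key (constructed sample principals)
DB = {"alice": kdf("alice-pw"), "krbtgt": kdf("tgs-secret"), "fileserver": kdf("srv-secret")}
def ticket(key, cid, addr, sk):  # TGT (Step 2) and service ticket (Step 4) share one layout
    return enc(key, {"cid": cid, "addr": addr, "ts": time.time(), "life": LIFETIME, "sk": sk})
def as_exchange(client, addr):  # Steps 1-2: only the client ID arrives, never the password
    if client not in DB:
        raise KeyError("unknown principal")
    sk1 = os.urandom(32).hex()
    return enc(DB[client], {"tgt": ticket(DB["krbtgt"], client, addr, sk1).hex(), "sk": sk1})
def check(key, tkt, authenticator):  # Step 4 (TGS) and Step 6 (server) run the same checks
    t = dec(key, tkt)
    if time.time() > t["ts"] + t["life"]:
        raise ValueError("ticket expired")
    a = dec(bytes.fromhex(t["sk"]), authenticator)  # only the ticket holder has this session key
    if (a["cid"], a["addr"]) != (t["cid"], t["addr"]):
        raise ValueError("authenticator does not match ticket")
    return t, a
def tgs_exchange(tgt, authenticator, service):  # Steps 3-4
    t, _ = check(DB["krbtgt"], tgt, authenticator)
    sk2 = os.urandom(32).hex()
    svc = ticket(DB[service], t["cid"], t["addr"], sk2).hex()
    return enc(bytes.fromhex(t["sk"]), {"ticket": svc, "sk": sk2})
def ap_exchange(service, tkt, authenticator):  # Step 6: server replies with timestamp + 1 under SK2
    t, a = check(DB[service], tkt, authenticator)
    return enc(bytes.fromhex(t["sk"]), {"ts": a["ts"] + 1})
def login(client, password, addr, service):  # client side of all six steps; True on mutual auth
    r1 = dec(kdf(password), as_exchange(client, addr))  # only the right password yields SK1 and the TGT
    sk1 = bytes.fromhex(r1["sk"])
    auth1 = enc(sk1, {"cid": client, "addr": addr, "ts": time.time()})
    r2 = dec(sk1, tgs_exchange(bytes.fromhex(r1["tgt"]), auth1, service))
    sk2, ts = bytes.fromhex(r2["sk"]), time.time()
    auth2 = enc(sk2, {"cid": client, "addr": addr, "ts": ts})
    return dec(sk2, ap_exchange(service, bytes.fromhex(r2["ticket"]), auth2))["ts"] == ts + 1
```

Calling login("alice", "alice-pw", "10.0.0.5", "fileserver") returns True; a wrong password fails at Step 3 when the client cannot decrypt the AS reply, and an authenticator whose address does not match the ticket is rejected by the TGS.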
Advantages of Kerberos
• The authentication protocol allows clients and services to authenticate each other (mutual authentication).
• It is available on all major operating systems.
• Kerberos tickets are valid only for a limited time period. If a ticket is stolen, it is very difficult to reuse, as there are strong authentication requirements.
• Unencrypted passwords never travel over the network.
• Secret-key sharing in Kerberos is much more efficient.
Disadvantages of using Kerberos
The weaknesses of Kerberos are:
• The authentication system can be compromised if an unauthorized person gains access to the KDC.
• Kerberos is only supported by Kerberos-aware applications; it might be complicated to add Kerberos support to other applications.
ISSQUARED’s IAM services
ISSQUARED's IAM solutions integrate the Kerberos authentication system to enforce appropriate security controls. These controls meet compliance requirements and create secure access between client and server.
ISSQUARED's ORSUS IAM suite facilitates Kerberos account management. It provides a simplified and secure process for managing Kerberos accounts, including provisioning them into target systems, adding them to access groups, allowing end users to request them through self-service, and validating them through review campaigns:
a. Provision Kerberos accounts to target systems
b. Group management for Kerberos accounts
c. Self-service requests for new Kerberos accounts
d. Customizable workflows for onboarding new Kerberos accounts
e. Recertifications and campaigns for Kerberos accounts
f. Auditing/compliance and reporting for Kerberos accounts
In this blog, we discussed the origins of the Kerberos protocol and how it became an integral part of ensuring safe access and exchange of information between client and server. We also walked through the step-by-step process of how Kerberos works, and then looked at ISSQUARED's IAM services, which integrate Kerberos into the IAM portfolio, offering maximum security. To get more information about our IAM services, get in touch with one of our experts here.