What is Kerberos authentication?Link to this section
Kerberos is an authentication protocol used to verify user identities and boost security levels.
Taking its name from Greek mythology, Cerberus (Kerberos) was Hades’ three-headed hound that guarded the Gates to the Underworld. It’s a fitting name for an approach that uses symmetric key cryptography and trusted third-party authorization to grant access.
While Kerberos authentication does offer benefits, it comes with a range of limitations that can compromise its ability to keep computers safe, secure, and free of intrusion.
Kerberos authentication definedLink to this section
Developed in the 1980s by a team of computer scientists from the Massachusetts Institute of Technology (MIT), Kerberos authentication is a computer network authentication protocol for client/server applications.
Its goal is to verify users and prevent passwords from getting into the wrong hands. It helps prevent cyber attackers from intercepting passwords and other sensitive information over insecure networks.
How? Kerberos uses a gateway or server (known as an intermediary) that creates a safe, private network between users and the internet.
Every Kerberos verification involves a Key Distribution Centre (KDC). The KDC acts as a trusted third-party authentication server that operates from the Kerberos server and consists of three main components.
- An authentication server (AS): This performs the initial authentication when a user wants to access a service.
- A ticket-granting service (TGS): This server connects the user with the service server.
- A Kerberos database: This database stores the IDs and passwords of the verified users.
This protocol has been leveraged by Microsoft Windows, first used in their Windows 2000 product. Now, you’ll find this open-source protocol used across a range of operating systems including Apple OS, FreeBSD, UNIX, and Linux.
How the Kerberos authentication process worksLink to this section
Symmetric key cryptography and a key distribution center (KDC) underpin the Kererbos authentication process. These two elements work together to confirm user identities, store user information securely and perform authentication.
When a user requests access to something, it is done through the authentication service. The user will enter their username and password locally, which will send the following information:
- Security identifier.
- Name of the requested service.
- User’s IP address.
- The desired lifetime of the Ticket Granting Ticket (TGT).
The Kerberos authentication process (a.k.a the protocol flow) uses three secret keys:
- The client/user hash
- TGS (ticket-granting server) secret key
- SS (service server) secret key
Typically, Kerberos authentication follows these key steps:
- Initial client authentication request: the client logs in to the domain, and the user requests the TGT or authentication token from the authentication server. The TGT request is then shared with the KDC.
- Verification of client credentials: from here the KDC verifies the user’s details before sending an encrypted session key and TGT. The AS then cross-checks these details in the database and generates a secret key (if everything matches up).
- Plus, a session key (SK1) is created and encrypted with the user’s secret key along with a TGT containing the client network address, ID, timestamp, and other details.
- Message decryption: the client/user hash or secret key is used to unlock and decrypt the message. This is what creates the authenticator to validate the TGC.
- Access request using the TGT: plus, the client requests a ticket from the service server. This is done by sending the authenticator and the TGT to the TGS.
- Ticket creation for the file server: the TGS secret key is what allows the TGT to be unlocked. All the details inside (including the SK1, client ID, and timestamp) are checked for validity. With the checks complete, the KDC will create a shared service session key (SKR) and a service ticket that is encrypted.
- Authentication with the file ticket: from here, the file ticket is used by the client to decrypt the message and process authentication. The client will then share a service ticket and new authenticator with the target server.
- Decryption and authentication by the target server: lastly, the target server will receive and decrypt the service ticket and extract the SK2 (using the SS key). Cross-checks are made before the client receives a message saying authentication has successfully happened.
The benefits and vulnerabilities of Kerberos authenticationLink to this section
While it does aim to boost security, the Kerberos protocol isn’t immune from security threats and vulnerabilities.
Using Kerberos offers a number of benefits, including:
- High level of security: Kerberos uses strong encryption, cryptography, and trusted third-party authorization. Plus secret keys are encrypted which can make it tough for intruders to gain access.
- Manual authentication: The Kerberos protocol allows both the user and server to communicate with each other ensuring the other party is genuine.
- Access control: Kerberos facilitates access control by performing authentication to help ensure security policies are met before granting access permission.
- Clear ticket lifetimes: using timestamps and lifetime data means that each ticket comes with an expiration date that is controlled by admins.
But of course with benefits comes vulnerabilities. As a mature, commonly used authentication protocol, it is possible to experience attacks with Kerberos authentication. These can include:
- Golden ticket attack: a golden ticket is a forged Kerberos key distribution center, which means that the cyber attacker will be able to create Kerberos tickets for accounts that don’t exist in the active directory.
- Silver ticket attack: similar to the golden ticket, only without the privileges of the golden ticket. This would allow the hacker to gain access to a single service on an application.
- Pass-the-ticket hacks: this involves an intruder forging a session key and using this to gain access to the resource.
- Credentials stuffing or brute force attacks: intruders will use a series of automated attempts to guess a password as a way to gain access.
- Skeleton Key Malware: it is possible for certain malware to bypass the Kerberos protocol, pending the attacker having Admin access.
- DCShadow attacks: this is a relatively new approach where attackers gain a certain level of access to a network, using this to create their own DC to further infiltrate the network.
How to keep Kerberos authentication secureLink to this section
Eliminating the threat of cyber attacks altogether is nearly impossible. But, there are processes and strategies you can put in place to level up the security of your Kerberos infrastructure.
- Log and monitor any signs of an attack, such as reviewing your DC logs for an event ID 4769 (a service ticket request for users or domains that don’t exist in your system).
- Keep your systems up to date and patch CVE-2014-6324 which prevents Silver tickets from becoming Domain admins.
- Turn your admins and service accounts to “sensitive and cannot be delegated” to prevent hackers from further infiltrating your network.
- Follow the principle of least privilege, meaning users are only granted access to the exact resources needed (lowering the chance of attackers gaining access to large areas of your network).
- Boost password security by ensuring these credentials are 14 characters long (or more) and ensure these details are refreshed and updated at least every 30 days.
Kerberos authentication comes with a number of drawbacks and security vulnerabilities that need to be understood and guarded against. But it is a strong authentication protocol (backed by encryption) that can help to keep passwords, networks, and authentication tickets protected from unauthorized users.