Kerberos protocol

The Kerberos protocol is a network authentication and authorization protocol. It was developed by the Massachusetts Institute of Technology (MIT) in the 1980s as a more secure alternative to traditional authentication through user/password entry to machines and services on insecure networks.

Where is the Kerberos protocol used?

Today, Kerberos is primarily associated with its derived Windows implementation. But numerous Unix and Unix-like systems also support the protocol, including, for example, FreeBSD, macOS, Red Hat Enterprise Linux or HP's HP-UX. Kerberos is also becoming increasingly widespread in embedded systems (e.g. Cisco IOS or IoT devices). There are 5 major implementations in total, the first three of which are under free licenses:

  • MIT Kerberos
  • Heimdal
  • GNU Shishi
  • Microsoft's AD Kerberos
  • Sun's Java
 
 

How does the Kerberos protocol increase security?

Password authentication suffers from two problems in particular. The first is that simply by knowing the correct password, attackers can impersonate legitimate users. So if someone knows the password to your user account, that person can steal your identity, causing harm to you and your business. Specifically, attackers do this in the following ways: 

  • Stealing information
  • Proliferation of malware (such as Emotet ransomware and keyloggers)
  • Infecting additional devices for phishing purposes
  • Sending spam
  • Carrying out DDoS attacks
 
In order to protect yourself against such attacks, it is recommended not only to use the Kerberos protocol, but also to carry out pen tests to uncover existing vulnerabilities in your system.

The second problem is related to the human factor: as the number of password authentications increases, we tend to reuse the same or similar passwords (unless a password manager helps). So if someone else obtains one of these passwords, for example through a man-in-the-middle attack, that person may be able to authenticate successfully at several points with this password or a variation of it (keyword: password spraying).

In order to make the authentication in the network more secure, it must be ensured that the password or passwords are not constantly transmitted in the network and could therefore simply be recorded. At the same time, it must be ensured that a user can authenticate himself at every service and every machine to which he is authorized.

The Kerberos protocol solves both of these problems and thus helps to make authentication processes more secure. In the following section, we'll go into more detail about how the protocol does this.

How does the Kerberos protocol work?

The third instance: Key Distribution Center (KDC)

Kerberos solves the problem of insecure password transmission by introducing a third authoritative entity within the network that issues encrypted tickets. This third entity is called the Key Distribution Center (KDC).

The KDC effectively consists of two services running on one or more servers: the Authentication Server (AS) and the Service Server (SS), also known as the Ticket Granting Server. The Authentication Server (AS) checks whether the requester is a legitimate user of the network. The Service Server (SS) issues the tickets that grant permission to use the requested service.

The (initial) communication in an environment with the Kerberos protocol

At the end of this basic article on the Kerberos protocol, we consider a concrete scenario in which a user wants to access a file server. In this scenario, the following instances interact:

  • User (A)
  • File server (B)
  • KDC with Authentication Server (KAS) and Service Server (KSS)
 
 Scenario: (A) wants to access (B)'s file share.
 

The following steps are carried out using the Kerberos protocol:

  1. (A) first reports to (KAS) with his ID, encrypted by his password. It is important to note that the password is not transmitted over the network, only the encrypted secret.
  2. The (KAS) in turn decrypts the secret with the stored password.
  3. After successful verification of (A) by (KAS), (KAS) sends back a ticket, the so-called Ticket Granting Ticket (TGT), which is itself encrypted with another secret.
  4. (A) now sends this TGT together with its request for using the file share from (B) to (KSS).
  5. The (KSS) now decrypts the TGT with the shared secret with (KAS).
  6. After this (KSS) sends an encrypted token back to (A).
  7. (A) now sends this token to (B).
  8. (B) decrypts the token with the secret it shares with the (KSS) and thus allows (A) access to the file share for the time specified in the token.

[Figure: Communication between the Key Distribution Center (KDC), client and service using the Kerberos protocol]

With this process, Kerberos ensures that the password is not transmitted. In addition, users of devices and services that support Kerberos do not have to log in again until the TGT expires. In short: Kerberos allows the use of single sign-on (SSO), because a valid TGT is enough to obtain further tokens from the Service Server (SS) without communicating with the Authentication Server again.
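
The eight steps above as a runnable simulation (an added example, not code from the original article). It follows the article's simplified flow and leaves out the session keys and authenticators of real Kerberos; `seal`/`unseal` are a toy cipher, and all function names, keys, the user "alice" and the password are constructed for illustration.

```python
import hashlib, hmac, json, os

def derive_key(password, salt="alice@EXAMPLE.TEST"):
    # Long-term key from the password; the password itself never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key, obj):
    # Toy authenticated encryption (SHAKE-256 keystream + HMAC), a labelled
    # stand-in for real Kerberos encryption types. Not for production use.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))
    return json.loads(pt)

# Constructed sample secrets (assumptions for this example).
KAS_DB = {"alice": derive_key("correct horse battery")}  # A's key as stored by KAS
K_KDC = os.urandom(32)  # secret shared by KAS and KSS
K_B = os.urandom(32)    # secret shared by KSS and file server B

def kas_issue_tgt(user, request, now):
    # Steps 1-3: decrypt A's request with the stored key, then issue the TGT.
    req = unseal(KAS_DB[user], request)
    if req["user"] != user or abs(now - req["ts"]) > 300:
        raise ValueError("stale or mismatched request")
    return seal(K_KDC, {"user": user, "exp": now + 36000})

def kss_issue_token(tgt, service, now):
    # Steps 4-6: decrypt the TGT with the KAS/KSS secret, issue a token for B.
    ticket = unseal(K_KDC, tgt)
    if ticket["exp"] < now:
        raise ValueError("TGT expired")
    return seal(K_B, {"user": ticket["user"], "service": service, "exp": now + 600})

def b_accept(token, service, now):
    # Steps 7-8: B decrypts with its own key and enforces service name and lifetime.
    t = unseal(K_B, token)
    return t["user"] if t["service"] == service and t["exp"] >= now else None

def login_and_access(password, now):
    request = seal(derive_key(password), {"user": "alice", "ts": now})  # step 1
    tgt = kas_issue_tgt("alice", request, now)
    token = kss_issue_token(tgt, "fileshare", now)
    return request, tgt, b_accept(token, "fileshare", now)
```

Calling `kss_issue_token` again with the same TGT yields a token for another service without a new password exchange, which is the single sign-on effect described above.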
