Kerberos Protocol is a network authentication protocol designed to provide secure user authentication over insecure networks.
- It relies on a system of cryptographic tickets rather than passwords, ensuring that credentials are never transmitted in plain text.
- Kerberos was developed by MIT and is widely used in enterprise and academic environments to verify identities and manage access securely.
How Kerberos Works (Step-by-Step Process):
1.) Authentication Server (AS):
- When a user attempts to log in, the client first sends an AS-REQ to the Authentication Server (AS) naming the user's principal. With pre-authentication (the norm in Kerberos 5), the request also carries the current time encrypted under a key derived from the user's password; this proves possession of the key without ever sending the password itself.
- The AS decrypts the pre-authentication data with the key it holds for that principal and, on success, returns an AS-REP containing a Ticket Granting Ticket (TGT) and a session key. The TGT is encrypted under the KDC's own key (the krbtgt principal's key), so the client cannot read or alter it, and the session key is encrypted under the user's key. Both carry issue and expiry times.
2.) Ticket Granting Server (TGS):
- The user then presents the TGT to the Ticket Granting Server (TGS) in a TGS-REQ, together with an authenticator (the user's name and a fresh timestamp encrypted with the session key), to request access to a specific service (e.g., email server, file server).
- The TGS decrypts the TGT with the krbtgt key, checks that the authenticator was produced with the session key inside it and is recent, and if everything is valid issues a Service Ticket for the requested application. The Service Ticket is encrypted under the service's long-term key and contains a new session key for the client and service to share.
3.) Accessing the Service:
- Finally, the user presents the Service Ticket to the target application server in an AP-REQ, again with a fresh authenticator. The server decrypts the ticket with its own key (normally stored in a keytab), checks the expiry and the authenticator, and if all is correct grants access without requiring the user to re-enter credentials. Optionally the server returns an AP-REP so the client can confirm it is talking to the genuine service (mutual authentication).
This ticket-based mechanism means the password itself is never sent across the network at all; only tickets, encrypted session keys and short-lived authenticators are, which removes the risk of a password being intercepted in transit.
Kerberos 5 – Latest Version Features:
1.) Strong Encryption:
- Kerberos Version 5 supports modern cryptographic algorithms such as AES (Advanced Encryption Standard), with keys derived from the password through a salted, iterated string-to-key function. One caveat a practitioner should keep in mind: because a principal's long-term key is still derived from its password, material encrypted under that key (an AS-REP, or a Service Ticket for a service account) can be captured and cracked offline if the password is weak, and legacy encryption types such as RC4 and DES should be disabled wherever possible.
2.) Replay Attack Prevention:
- Each ticket is time-stamped and has a limited lifetime, so it is useless after expiration. Within its lifetime, replay is prevented by the authenticator that accompanies every use of a ticket: it carries a fresh timestamp, the recipient rejects timestamps outside the permitted clock skew, and a replay cache rejects an authenticator that has already been seen. Expiry therefore bounds how long a stolen ticket is worth, while the authenticator check stops the same request being resubmitted.
Security Issues with Kerberos:
1.) Single Point of Failure:
- The Key Distribution Center (KDC), which houses both the AS and TGS, is a critical component. If the KDC is unavailable, nobody can obtain new tickets; if it is compromised, attackers holding the krbtgt key can forge TGTs for any principal (a "golden ticket") that the KDC will accept as genuine until that key is changed, and attackers holding a service's key can forge tickets for that service.
2.) Time Synchronization Requirement:
- Kerberos requires that all systems participating in authentication have synchronized clocks, by default within five minutes of each other. If the time mismatch is larger, the KDC or service rejects the request with a clock-skew error (KRB_AP_ERR_SKEW) and authentication fails, so clients, services and KDCs should all sync to a trusted time source such as NTP.
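The following Python script is an added example, not MIT Kerberos or Active Directory code. It models the three exchanges described in the step-by-step section above (AS, TGS and application server) and the replay and clock-skew checks from the two sections that follow, so the reader can see which key protects which message and what a service does with an authenticator. The realm EXAMPLE.COM, the principals alice and host/fileserver, and the seal/unseal routines are assumptions; seal/unseal is a toy construction (SHA-256 keystream plus HMAC tag) standing in for a real Kerberos encryption type and must never be used for anything real.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"      # hypothetical realm
SKEW = 300                 # clock skew tolerance; Kerberos default is 5 minutes
TICKET_LIFE = 10 * 3600    # assumed ticket lifetime in seconds

def string_to_key(password, salt):
    # Salted, iterated string-to-key (roughly RFC 3962); the KDC stores this key, not the password.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Toy authenticated encryption: stands in for aes256-cts-hmac-sha1-96, NOT safe for real use.
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_authenticator(auth, expected_client, now, replay_cache):
    # An authenticator is accepted only for the ticket's client, only within SKEW, and only once.
    if auth["client"] != expected_client:
        raise ValueError("authenticator does not match ticket client")
    if abs(auth["timestamp"] - now) > SKEW:
        raise ValueError("clock skew too great (KRB_AP_ERR_SKEW)")
    if (auth["client"], auth["timestamp"]) in replay_cache:
        raise ValueError("replayed authenticator (KRB_AP_ERR_REPEAT)")
    replay_cache.add((auth["client"], auth["timestamp"]))

class KDC:
    """Authentication Server and Ticket Granting Server sharing one principal database."""
    def __init__(self):
        self.keys = {"krbtgt/" + REALM: os.urandom(32)}   # the key that protects every TGT
        self.replay_cache = set()
    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, REALM + name)
    def as_exchange(self, client, pa_enc_timestamp, now):
        ckey = self.keys[client]
        ts = unseal(ckey, pa_enc_timestamp)["timestamp"]   # pre-auth: proves key, password never sent
        if abs(ts - now) > SKEW:
            raise ValueError("pre-authentication failed: clock skew")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt/" + REALM],
                   {"client": client, "key": session, "expires": now + TICKET_LIFE})
        return seal(ckey, {"key": session}), tgt          # AS-REP: enc-part for client + opaque TGT
    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.keys["krbtgt/" + REALM], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t["client"], now, self.replay_cache)
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "expires": now + TICKET_LIFE})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key}), ticket   # TGS-REP

class Service:
    def __init__(self, name, kdc):
        self.key, self.replay_cache = kdc.keys[name], set()   # long-term key, as from a keytab
    def ap_request(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)                  # only this service (and the KDC) can open it
        if now > t["expires"]:
            raise ValueError("service ticket expired")
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t["client"], now, self.replay_cache)
        return t["client"]                            # the authenticated principal

class Client:
    def __init__(self, name, password):
        self.name, self.key = name, string_to_key(password, REALM + name)
    def login(self, kdc, now):                        # step 1: AS exchange
        rep, self.tgt = kdc.as_exchange(self.name, seal(self.key, {"timestamp": now}), now)
        self.tgt_key = bytes.fromhex(unseal(self.key, rep)["key"])
    def get_service_ticket(self, kdc, service, now):  # step 2: TGS exchange
        auth = seal(self.tgt_key, {"client": self.name, "timestamp": now})
        rep, ticket = kdc.tgs_exchange(self.tgt, auth, service, now)
        return ticket, bytes.fromhex(unseal(self.tgt_key, rep)["key"])
    def ap_req(self, ticket, svc_key, now):           # step 3: AP-REQ to the service
        return ticket, seal(svc_key, {"client": self.name, "timestamp": now})

def demo():
    """Run a normal login, then the failure cases the text describes. Returns a dict of outcomes."""
    kdc = KDC()
    kdc.add_principal("alice", "correct horse battery staple")   # constructed test principal
    kdc.add_principal("host/fileserver", os.urandom(16).hex())  # service account with a random key
    fs, now = Service("host/fileserver", kdc), int(time.time())
    alice = Client("alice", "correct horse battery staple")
    alice.login(kdc, now)
    ticket, key = alice.get_service_ticket(kdc, "host/fileserver", now)
    req = alice.ap_req(ticket, key, now)
    results = {"login": fs.ap_request(*req, now)}
    attempts = {
        "replay": lambda: fs.ap_request(*req, now),                           # same AP-REQ resent
        "skew": lambda: fs.ap_request(*alice.ap_req(ticket, key, now + 600), now),
        "expired": lambda: fs.ap_request(*alice.ap_req(ticket, key, now + TICKET_LIFE + 1), now + TICKET_LIFE + 1),
        "wrong_password": lambda: Client("alice", "wrong").login(kdc, now),   # pre-auth fails
    }
    for name, attempt in attempts.items():
        try:
            attempt(); results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note where each check lives: the password is only ever used locally to derive a key; the TGT is opaque to the client because it is sealed under the krbtgt key; the service decrypts its ticket with its own key and never talks to the KDC; and a stolen AP-REQ resent verbatim is caught by the replay cache even though the ticket is still within its lifetime.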