
Kerberos


Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. In Kerberos, an Authentication Server and a database are used for client authentication. Kerberos runs as a trusted third-party server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.

The main components of Kerberos are:

  • Authentication Server (AS):
    The Authentication Server performs the initial authentication and issues the ticket for the Ticket Granting Service.

  • Database:
    The Authentication Server verifies the access rights of users against the database.

  • Ticket Granting Server (TGS):
    The Ticket Granting Server issues the ticket for the Server.
     

Kerberos Overview:

  • Step-1:
    The user logs in and requests services on the host. Thus the user requests a ticket-granting ticket from the Authentication Server.

  • Step-2:
    The Authentication Server verifies the user's access rights using the database and then issues a ticket-granting ticket and a session key. The result is encrypted using the user's password.

  • Step-3:
    The user decrypts the message using the password and then sends the ticket to the Ticket Granting Server. The ticket is accompanied by an authenticator containing the user name and network address.

  • Step-4:
    The Ticket Granting Server decrypts the ticket sent by the user, verifies the request using the authenticator, and then creates the ticket for requesting services from the Server.

  • Step-5:
    The user sends the ticket and an authenticator to the Server.

  • Step-6:
    The Server verifies the ticket and the authenticator and then grants access to the service. After this, the user can access the service.
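The following is an added example, not code from the original article or from any Kerberos implementation. It models Steps 4 to 6 above: a TGS issues a ticket sealed under the service's key, the client builds an authenticator under the session key, and the service performs the checks behind "verifies the Ticket and authenticators" (MAC, expiry, network address, client-name match, clock skew, replay). The `seal`/`unseal` helpers are a constructed HMAC-based toy cipher standing in for a Kerberos encryption type, and all key values, names and addresses are made up.

```python
import hashlib, hmac, json, os

SKEW = 300          # Kerberos default maximum clock skew: 5 minutes
SEEN = set()        # replay cache of (client, authenticator timestamp) pairs

def _ks(key, nonce, n):  # toy HMAC-SHA256 counter keystream (constructed)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    # Encrypt-then-MAC; stands in for a Kerberos encryption type, it is not one
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket/authenticator MAC check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def issue_ticket(service_key, client, addr, session_key, now, lifetime=36000):
    # Step 4: the TGS builds a ticket readable only by the target service
    return seal(service_key, {"client": client, "addr": addr,
                              "skey": session_key.hex(), "exp": now + lifetime})

def make_authenticator(session_key, client, now):
    # Step 5: the client proves it holds the session key and binds the time
    return seal(session_key, {"client": client, "ts": now})

def verify_request(service_key, ticket, authenticator, peer_addr, now):
    # Step 6: the checks a service performs before granting access
    t = unseal(service_key, ticket)                       # only the service can open it
    if now > t["exp"]:
        raise ValueError("ticket expired")
    if peer_addr != t["addr"]:
        raise ValueError("address in ticket does not match sender")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)  # proves session key possession
    if a["client"] != t["client"]:
        raise ValueError("authenticator client does not match ticket")
    if abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator outside clock skew")
    if (a["client"], a["ts"]) in SEEN:
        raise ValueError("replayed authenticator")
    SEEN.add((a["client"], a["ts"]))
    return t["client"]
```

A real KDC additionally encrypts the TGT and session key to the user's long-term key (Steps 2 and 3); the same `seal`/`unseal` pattern applies there with the user's key in place of the service key.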

Kerberos Limitations

  • Each network service must be modified individually for use with Kerberos
  • It doesn't work well in a timeshare environment
  • The Kerberos server itself must be secured
  • Requires an always-on Kerberos server
  • All passwords are stored encrypted with a single key
  • Assumes workstations are secure
  • May result in cascading loss of trust
  • Scalability

Is Kerberos Infallible?

No security measure is 100% impregnable, and Kerberos is no exception. Because it has been around for so long, attackers have had years to find ways around it, typically through forging tickets, repeated password guessing (brute force/credential stuffing), and the use of malware to downgrade the encryption.

Despite this, Kerberos remains the best access security protocol available today. The protocol is flexible enough to employ stronger encryption algorithms to combat new threats, and if users follow good password-choice guidelines, you shouldn't have a problem.

What is Kerberos Used For?

Although Kerberos can be found everywhere in the digital world, it is commonly used in secure systems that rely on robust authentication and auditing capabilities. Kerberos is used for Posix, Active Directory, NFS, and Samba authentication. It is also an alternative authentication system to SSH, POP, and SMTP. 

Applications

  • User Authentication: User Authentication is one of the main applications of Kerberos. Users only have to input their username and password once with Kerberos to gain access to the network. The Kerberos server subsequently receives the encrypted authentication data and issues a ticket granting ticket (TGT).
  • Single Sign-On (SSO): Kerberos offers a Single Sign-On (SSO) solution that enables users to log in once to access a variety of network resources. A user can access any network resource they have been authorized to use after being authenticated by the Kerberos server without having to provide their credentials again. 
  • Mutual Authentication: Before any data is transferred, Kerberos uses a mutual authentication technique to make sure that both the client and server are authenticated. This is accomplished using a shared secret key that is securely kept on both the client and the server. A client asks the Kerberos server for a service ticket whenever it tries to access a network resource. The client must use its shared secret key to decrypt the encrypted challenge that the Kerberos server sends. If the decryption is successful, the client responds to the server with evidence of its identity.
  • Authorization: Kerberos also offers a system for authorization in addition to authentication. After being authenticated, a user can submit service tickets for certain network resources. Users can access just the resources they have been given permission to use thanks to information about their privileges and permissions contained in the service tickets. 
  • Network Security: Kerberos offers a central authentication server that can regulate user credentials and access restrictions, which helps to ensure network security. In order to prevent unwanted access to sensitive data and resources, this server may authenticate users before granting them access to network resources.

Last Updated : 13 Apr, 2023