Kerberos is a ticket-based network authentication protocol utilizing symmetric crytography, software that will add to the ability of operating systems (Windows, Mac, etc.) to authenticate users and servers, and manage session-level security and encryption. It is a single sign-on technology. Kerberos was created in the 1980's as part of MIT's "Project Athena". It is IP-based service. It uses secret-key crytography to provide strong authentication for client/server applications. Kerberos is available in several commercial products and is also available as free implementation from MIT.
 
[The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.]
 
Most users access many systems and networks during the day. A single sign-on technology allows a user to sign on once at the beginning of the day and remain authorized throughout the day on the entire network.

Authentication Service (AS) - Performs authentication and is a part of the Key Distribution Center (KDS).
 
Key Distribution Center (KDS) - Holds secret keys (the crytographic keys) for "principals"; provides authentication; creates and distributes session keys (crytographic keys). Session keys and secret keys are crytographic keys. The KDS utilizes symmetric cryptography. A KDC has a Ticket Granting Service (see TGS) and the Authentication Service.
 
Principal - Any object such as user, application, service, or resource which utilizes Kerberos authentication is referred to as principal. Collectively, the objects using Kerberos are principals. A Key Distribution Center (KDC) is responsible for one or more "realms" of principals. Any principal must "trust" the KDC. Principals do not directly trust each other. Only the KDC is supposed to have a copy of each principals "secret key".
 
Realm - The group or set of principals which are grouped together logically by a network administrator is called a realm. Again, a Key Distribution Center (KDC) is responsible for one or more realms.
 
TGS (Ticket Granting Service) - That part of the Key Distribution Center (KDS) which creates and distributes tickets to the objects (principals) containing session keys.
 
Ticket - Simply a digital authentication token sent from the Authentication Service (AS). The first ticket sent from the AS to a principal (user, application, service or resource) is called the Ticket Granting Ticket (TGT).
 
Secret keys and Session keys - Symmetric cryptography keys used for both authentication and/or data encryption.

With Kerberos, users have to "prove" their identity to every application, resource and service before they can be used. On a user-level, this is not a problem as the user will log-on once in the morning and have network access all day, as well as access to resources.. Kerberos software is set up, configured and maintained by the network administrators.
(1) A user logs in: Authentication information is sent to the AS (Authentication Service) of the KDC (Key Distribution Center)
(2) The AS sends back a ticket (encrypted) to the user's computer.
(3) Ticket gets decrypted with the secret key (user's password). User is authenticated to the network if the right password is used.

(1) User's computer sends initial ticket to the Ticket Granting Service (TGS) of the Key Distributrion Center (KDC).
(2) Tricky step:¹ TGS makes another ticket: User authentication information, plus TWO instances of the SAME session key. This ticket goes to user computer. One instance of the Session key gets encrypted with the user's secret key. The other instance of the Session key is encrypted with the secret key of the desired resource.
(3) User computer software (Kerberos) decrypts and extracts one instance of the session key, then inserts authentication information of the user into the ticket and sends ticket to the desired resource. The resource must decrypt the second instance of the session key with its own secret key and revfiews authentication information of the user. The resource was convinced that the ticket came from the KDC because the ticket it received had a copy of the resource's own secret key. Logically, only the KDC should have a copy of the resource's secret key. The resource now "trusts" the incoming ticket because of the encrypted secret key of the resource being on the ticket. The resource also compare's user information in the ticket with user information inserted by the user to ensure the identity of the user.

• Does not provide for availability of principals (resources)
• KDC can be a single-point of failure
• Secret keys stored on workstations
• Vulnerable to dictionary attacks
• If encryption is not enabled, the network is not protected
• The KDC should not allow any non-Kerberos network activitiy to take place.
• All prinicipals must have Kerberos software installed
• The KDC must be readily available at all times and must be able to support the number of requests that it receives from all of the principals in the realm.
• It is easier to control and maintain one system responsible for all access requests, so administration can be easier, but at the cost of possible security breeches.

¹ Mike Meyer's Certification Passport CISSP by Shon Harris;
   Osbourne, 2002. Pages 42-44.

Kerberos: Network Authentication Protocol (mit.edu)
Kerberos Security Advisories
Integer Overflow bug, krb5
Cisco Security Advisory: Vulnerabilities in Kerberos 5 Implementation
Kerberos FAQ
Kerberos Primer (ibm.com)
Windows 2000 Kerberos Article at mcmcse.com
Kerberos Authentication Service for Computer Networks
How To Kerberize Your Site
How to get Kerberos Help
Red Hat Support: Updated Kerberos Packages (fix vulnerabilities)
=================

 

Mail List and Newsgroup

Kerberos Authentication system Mailing List
comp.protocols.kerberos newgroup FAQs
Usenet - comp.protocols.kerberos - The Kerberos authentication server.
================

 

Kerberos and Mac Computers

Apple Developer Connection Kerberos Page
Mac OS X Kerberos Extras
Kerberos for Macintosh and Windows (downloads)
State of Macintosh Kerberos Authentication
==================

 

Additional Kerberos Related Links

Kerberos Module for Apache
Users Guide to Kerberos for UNIX at Stanford
Kerberos Reference Page and Kerberos Distributions
Replacing NIS With Kerberos and LDAP
An Enterprise Security Primer
Book: Kerberos: A Network Authentication System
Univ. Calif. at Berkeley Kerberos Page
NASA.gov Kerberos Tutorial for Users

What are some problems with firewalls?

A firewall protecting a network can give a false sense of security, a feeling like everything is really protected when in fact, each individual network user can weaken the security by creating "back doors" such as by using software like PCAnywhere. Network administrators need to block users from being able to install software on the network.

Return to Computer Security Tutorials Page