Kerberos is a trusted third-party authentication service that operates at Layer 7 (the Application Layer) of the OSI model.
If you want to learn more about network security, please review our CompTIA Security+ certification course.
Kerberos is a secret-key (symmetric-key) network authentication protocol developed at the Massachusetts Institute of Technology (MIT). Early versions used the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication services; DES has since been deprecated for Kerberos because its 56-bit key is too weak, and current implementations use AES. DES is described in detail later in this guide. In the Kerberos protocol, the trusted third party is the Key Distribution Center (KDC). The following diagram illustrates the basic operation of Kerberos:
In the diagram illustrated above, the Kerberos authentication process begins when the remote user initiates a connection to the Network Access Server (NAS), as illustrated in step 1. When the NAS receives this connection, it builds a service credential request and sends it to the Key Distribution Center (KDC), as illustrated in step 2.
In step 3, the KDC validates the request from the NAS and builds a service credential, which is returned to the NAS and forwarded to the remote user. The credential has two encrypted portions: the ticket itself, which only the NAS can decrypt with the key it shares with the KDC, and the session key, which only the remote user can decrypt. Once each side has decrypted its portion, the two share a session key and the remote user is able to exchange data with the NAS, as illustrated in step 4.
Unlike RADIUS and TACACS+, Kerberos authenticates users by issuing tickets rather than by forwarding a username and password to a server for every session. These tickets have a limited lifespan and are stored in the user’s credential cache, from which they can be presented in place of the standard username/password authentication scheme.
The Kerberos credential scheme provides what is known as single logon (single sign-on). A user authenticates once, to the KDC, and is then granted access to network resources for as long as the user’s tickets remain valid, without re-entering a password. To enhance security, Kerberos also uses timestamps, which are simply numbers that represent the date and time, to detect replay attacks: every request carries a timestamp, a receiver rejects any request whose timestamp differs from its own clock by more than a permitted skew (5 minutes by default), and it remembers the timestamps it has recently accepted so that an intercepted request cannot simply be sent again. This is also why Kerberos requires client and server clocks to be synchronized, typically with NTP.
Unlike RADIUS, which uses UDP only, and TACACS+, which uses TCP only, Kerberos uses both TCP and UDP ports. TCP/UDP ports 88, 543, and 749 and TCP ports 754, 2105, and 444 are all used for packet delivery in Kerberos; port 88 carries the ticket exchanges with the KDC, and the remainder serve administration, KDC database propagation, and Kerberized login services. In addition to this, the user’s password is never transmitted across the network: it is used locally to derive the key that decrypts the KDC’s reply, so there is no password for an eavesdropper to capture. Kerberos also allows Telnet sessions to be encrypted. While we will not be going into any further technical details on Kerberos, the following table provides a brief description of common Kerberos terminology:
|Term|Description|
|---|---|
|Credential|A general term for the authentication tickets that Kerberos issues, such as ticket granting tickets (TGTs) and service credentials. Credentials are used to verify the identity of a user or service. If a network service trusts the KDC that issued a ticket, the ticket can be presented in place of retyping a username and password. Credentials have a default lifespan of 8 hours on Cisco devices; other implementations differ (Active Directory, for example, defaults to 10 hours).|
|Instance|An optional second component of a Kerberos principal that acts as an authorization-level label. Most Kerberos principals are of the form user@REALM, for example, paul@HOWTONETWORK.COM; a principal with an instance has the form user/instance@REALM, for example, paul/admin@HOWTONETWORK.COM. For service principals the instance is normally the host name. Realm names are case-sensitive and by convention are written in uppercase letters.|
|Kerberized|Applications and services that have been modified to support the Kerberos credential infrastructure are said to be Kerberized.|
|Kerberos realm|A domain consisting of users, hosts, and network services that are registered to a Kerberos server. Kerberos realm names are by convention written in uppercase letters and usually match the DNS domain name; hosts are configured (or use DNS records) to map a DNS domain to its Kerberos realm.|
|Kerberos server|A daemon running on a network host. Users and network services register their identities with the Kerberos server, and clients obtain tickets from it in order to authenticate to network services. It is sometimes referred to as the master Kerberos server.|
|Key Distribution Center (KDC)|The Kerberos server and database program that runs on a network host. It issues TGTs (through its Authentication Service) and service credentials (through its Ticket Granting Service).|
|Principal|Also known as a Kerberos identity, this is the name by which the Kerberos server knows a user or a service.|
|Service credential|A credential for a network service. When issued by the KDC, the ticket portion of a service credential is encrypted with the long-term key that the network service shares with the KDC, so only that service can read it; the session key that accompanies it is returned to the user encrypted under the session key carried in the user’s TGT, so only that user can read it.|
|SRVTAB|A file holding the secret key (or keys) that a network service shares with the KDC; it is the service’s equivalent of a password. The network service uses the key in the SRVTAB to decrypt the service credentials it receives. The SRVTAB is also referred to as the KEYTAB.|
|Ticket Granting Ticket (TGT)|A credential issued by the KDC to a user who has authenticated successfully. With a TGT, the user can request service credentials for network services within the Kerberos realm represented by the KDC without re-entering a password.|
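The exchange that the diagram description and the table above lay out, as an added worked example in Python that is not part of the original guide: the AS exchange that yields a TGT, the TGS exchange that yields a service credential sealed under the service's keytab key, the authenticator the client presents to the NAS, and the timestamp, replay-cache and lifetime checks the verifier performs. Everything cryptographic here is a stand-in: a toy encrypt-then-MAC built from HMAC-SHA256 replaces a real Kerberos encryption type, and the realm HOWTONETWORK.COM from the table is combined with assumed principals (paul@HOWTONETWORK.COM, host/nas1.howtonetwork.com@HOWTONETWORK.COM), passwords and clock values chosen for the demonstration.

```python
# Toy Kerberos-style AS/TGS/AP exchange. Constructed example; the cipher is a stand-in, not a real enctype.
import hashlib, hmac, json, os
REALM = "HOWTONETWORK.COM"               # realm name from the page; every principal and password below is assumed
KRBTGT = f"krbtgt/{REALM}@{REALM}"        # the KDC's own ticket-granting service principal
TICKET_LIFE, MAX_SKEW = 8 * 3600, 300     # default credential lifespan; max authenticator clock skew (seconds)

def derive_key(password: str, principal: str) -> bytes:
    """Client and KDC each derive the long-term key from the password; the password never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(key: bytes, obj: dict) -> bytes:            # encrypt-then-MAC: nonce || ciphertext || HMAC tag
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check_authenticator(ticket: dict, auth: dict, now: float) -> None:
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:                    # the timestamp check the page describes
        raise ValueError("clock skew too great")

class KDC:
    def __init__(self, passwords: dict):                    # KDC database: principal -> long-term key
        self.keys = {KRBTGT: os.urandom(32), **{p: derive_key(pw, p) for p, pw in passwords.items()}}
    def as_exchange(self, cname: str, now: float):
        """AS-REP: a TGT sealed under the krbtgt key, plus the session key sealed under the user's key."""
        sk = os.urandom(32)
        tgt = encrypt(self.keys[KRBTGT], {"cname": cname, "key": sk.hex(), "exp": now + TICKET_LIFE})
        return tgt, encrypt(self.keys[cname], {"key": sk.hex(), "sname": KRBTGT})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: float):
        """TGS-REP: a service credential sealed under the service's key; its session key under the TGT's."""
        t = decrypt(self.keys[KRBTGT], tgt)
        tgt_sk = bytes.fromhex(t["key"])
        _check_authenticator(t, decrypt(tgt_sk, authenticator), now)
        svc_sk = os.urandom(32)
        ticket = encrypt(self.keys[sname], {"cname": t["cname"], "key": svc_sk.hex(), "exp": t["exp"]})
        return ticket, encrypt(tgt_sk, {"key": svc_sk.hex(), "sname": sname})

class Service:
    def __init__(self, keytab_key: bytes):
        self.key, self.replay_cache = keytab_key, set()     # SRVTAB/KEYTAB key; authenticators already seen
    def ap_req(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = decrypt(self.key, ticket)                         # only the keytab holder can open the ticket
        a = decrypt(bytes.fromhex(t["key"]), authenticator)   # proves the client holds the session key
        _check_authenticator(t, a, now)
        if (a["cname"], a["ts"], a["nonce"]) in self.replay_cache:
            raise ValueError("replay detected")
        self.replay_cache.add((a["cname"], a["ts"], a["nonce"]))
        return t["cname"]

class Client:
    def __init__(self, cname: str, password: str):
        self.cname, self.key, self.cache = cname, derive_key(password, cname), {}   # credential cache
    def login(self, kdc: KDC, now: float) -> None:          # the only step that needs the password
        tgt, enc_part = kdc.as_exchange(self.cname, now)
        self.cache[KRBTGT] = (tgt, bytes.fromhex(decrypt(self.key, enc_part)["key"]))
    def authenticator(self, session_key: bytes, now: float) -> bytes:
        return encrypt(session_key, {"cname": self.cname, "ts": now, "nonce": os.urandom(8).hex()})
    def get_service_ticket(self, kdc: KDC, sname: str, now: float) -> None:   # TGT stands in for the password
        tgt, tgt_sk = self.cache[KRBTGT]
        ticket, enc_part = kdc.tgs_exchange(tgt, self.authenticator(tgt_sk, now), sname, now)
        self.cache[sname] = (ticket, bytes.fromhex(decrypt(tgt_sk, enc_part)["key"]))

def _attempt(fn, *args):
    try:
        return fn(*args)
    except ValueError as exc:
        return str(exc)

def demo() -> dict:
    """The page's remote user reaching the NAS, then the failure cases a verifier must catch."""
    now, sname = 1_700_000_000.0, f"host/nas1.howtonetwork.com@{REALM}"   # assumed NAS service principal
    kdc = KDC({f"paul@{REALM}": "correct horse", sname: "nas-service-secret"})
    nas = Service(kdc.keys[sname])                            # the service's key, as exported to its keytab
    paul = Client(f"paul@{REALM}", "correct horse")
    paul.login(kdc, now)
    paul.get_service_ticket(kdc, sname, now + 60)
    ticket, sk = paul.cache[sname]
    auth = paul.authenticator(sk, now + 120)
    return {
        "login": _attempt(nas.ap_req, ticket, auth, now + 121),
        "replay": _attempt(nas.ap_req, ticket, auth, now + 122),                               # same authenticator twice
        "skew": _attempt(nas.ap_req, ticket, paul.authenticator(sk, now + 3600), now + 130),   # client clock an hour fast
        "expired": _attempt(nas.ap_req, ticket, paul.authenticator(sk, now + TICKET_LIFE + 1), now + TICKET_LIFE + 1),
        "bad_password": _attempt(Client(f"paul@{REALM}", "wrong").login, kdc, now),
    }
```

Calling `demo()` returns the accepted principal name for the first login and a rejection reason for each of the other four cases. Notice which key opens which part of the credential: the NAS opens the ticket with its keytab key, the client proves it holds the session key by encrypting the authenticator with it, and the user's password is used only once, locally, so a wrong password fails at the client without anything being sent that an attacker could capture or replay.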