Contact Us Today 01642 716680

Kerberos

Definition: Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. It primarily works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Developed at MIT in the 1980s, Kerberos is employed in various network environments, including Microsoft Active Directory, where it plays a critical role in authenticating users and services within a domain. The protocol operates on the principle of a trusted third party — the Key Distribution Center (KDC), which consists of two parts: the Authentication Service (AS) and the Ticket Granting Service (TGS). Users authenticate once to the AS, receive a Ticket Granting Ticket (TGT), and then present this ticket to the TGS to receive service tickets for accessing various network resources.

Kerberos is designed to protect against eavesdropping and replay attacks, and it relies on the relative security of the KDC. The strength of Kerberos lies in its use of timestamped tickets and symmetric key encryption, making it resilient against various types of attacks. However, it is not foolproof and is susceptible to certain attacks if improper security practices are followed.

Key Characteristics:

  • Mutual Authentication: Both the user and the service verify each other’s identities.
  • Time-Sensitive Tickets: Expiration of tickets prevents long-term reuse by an attacker.
  • Dependence on Secure KDC: The entire system relies on the security of the Key Distribution Center.
  • Scalable Trust Model: Designed for large-scale distributed environments.

Examples:

  • Real-World Example: When a user logs into their computer within a corporate domain that utilizes Active Directory, they are granted a Kerberos ticket that they can use to access various services without re-entering credentials.
  • Hypothetical Scenario: An employee in an enterprise needs to access a file server and an email server. Once logged in, Kerberos allows them to access both without authenticating again due to the initial ticket they received.

Related Terms:

  • Ticket Granting Ticket (TGT): A special ticket that allows the user to obtain additional tickets for specific services within the network.
  • Key Distribution Center (KDC): The trusted third-party server that provides the authentication service and ticket granting service in Kerberos protocol.
  • Authentication Service (AS): Part of the KDC that authenticates the user and issues the TGT.

What is the OWASP Top 10: Download our flash cards to find out.

Inside you will find a description of the most common web vulnerabilities.

Contact us

Get a free, no obligation quote from one of our expert staff.

      Looking for reliable Penetration Testing? Use the contact form below and request a quote today.