Kerberos Protocol
What is Kerberos?
Kerberos is a network authentication protocol, which is primarily used to enable users and services on a network to verify their identity.
When a user logs into their PC, Kerberos is used to authenticate them via mutual authentication. Both the user and the server verify their identity. Kerberos is a stateless authentication protocol it is based on tickets instead of transmitting user passwords over the network.
What is Kerberos authentication?
Kerberos authentication is a protocol that allows computers and services to verify each other's identity over networks that aren't secure (like the internet). The key feature is that it does this without ever sending passwords across the network, which makes it much safer.
It's considered a fundamental protocol in modern network security. Kerberos works using symmetric key cryptography, which means the same secret key is used to both encrypt and decrypt information. This requires a trusted third party (the KDC) to act as a mediator between the client and the services they want to access.
In simple terms: Kerberos lets you prove who you are to access different services on a network without exposing your password, and it relies on a central trusted authority to make this happen securely.
Networks that aren't secure
Networks that aren't secure (also called "untrusted networks") are networks where data can potentially be intercepted, read, or modified by attackers. Examples include:
The Internet - The most common untrusted network. Data traveling across the internet passes through many routers and servers you don't control, so attackers could potentially intercept it.
Public Wi-Fi - Coffee shops, airports, hotels, etc. Anyone else on that network could try to spy on your traffic.
Shared networks - Any network where multiple users or organizations share the same infrastructure, and you can't guarantee everyone is trustworthy.
Why this matters for Kerberos:
On these untrusted networks, if you sent your password in plain text (or even poorly encrypted), someone could capture it and use it to impersonate you. That's why Kerberos was designed to never send passwords over the network - instead, it uses encrypted tickets that prove you've already been authenticated, so even if someone intercepts the ticket, they can't use it to steal your actual password.
The Kerberos protocol flow
The main components used for the Kerberos protocol flow are symmetric key cryptography and a key distribution center (KDC). The KDC has three primary elements:
Authentication server (AS) :- handles the initial authentication when a user requests access to a service and issues them tickets
Ticket-granting server (TGS):-accepts authenticated clients and connects a user with the requested service server (SS)
Kerberos database:-stores the identifiers for all verified users
Note that all the tickets issued by the KDC are time limited.
The Kerberos protocol flow functions through a series of interactions between the client, the server, and the KDC. For each session, an encrypted ticket ( session key) is generated and stored on the requesting user’s device. The requested service uses this to authenticate the requestor rather than using passwords.
There are roughly four steps in the Kerberos protocol flow. This flow ensures that the user’s password is never transmitted over the network, protecting it from potential interception.
1. Kerberos initial authentication service request A user initiates a login attempt, requesting authentication from the KDC’s authentication server (AS) with a Kerberos authentication service request message. This request includes the User Principal Name or UPN (user’s identifier), but not their password, and the ticket validity period with its expiration details. This is encrypted using the user’s password hash, and the AS generates a ticket-granting ticket (TGT).
2. Kerberos ticket-granting ticket (TGT) issuance When the services request is received from the AS, the KDC attempts to decrypt the message using the user’s password hash. If the message is successfully decrypted and the timestamp has not expired, the AS generates a session key and TGT, which are sent to the client to be used for encrypting subsequent requests. The TGT includes the client’s ID, network address, and validity period. The user’s system uses the password to decrypt the session key, but the TGT is encrypted with the TGS’s secret key.
3. Kerberos service ticket request The client then sends a request to the TGS. This request includes the encrypted TGT received previously, and a service request encrypted with the session key. The service decrypts the ticket with its secret key and attempts to verify its validity. If the server can successfully decrypt the service ticket and authenticate the request, it confirms the client’s identity and grants access.
4. Kerberos service access Once authenticated, the client presents the service ticket to the server. If the server can successfully decrypt the service ticket, it grants access to the client.
How does Kerberos authentication work :- Overview
Kerberos uses symmetric encryption (where the same secret key encrypts and decrypts data) combined with a trusted third party called the Key Distribution Center (KDC). The KDC acts as the central authority that verifies who you are and gives you permission to access services.
The KDC has two main components:
Authentication Server - Issues the initial ticket proving you're authenticated
Ticket-Granting Server - Issues tickets for specific services you want to access
These tickets are encrypted with session keys and serve as your proof of identity, so you don't have to keep sending your password.
The authentication process works like this:
When you want to access a service, you first contact the KDC's authentication server and get an initial ticket. Then, using that initial ticket, you request another ticket from the ticket-granting server specifically for the service you want to use. This service ticket, along with a session key, allows you and the service to communicate securely.
Kerberos TGT Authentication Process
Overview
The Ticket Granting Ticket (TGT) is the first step in Kerberos authentication, allowing users to prove their identity to the Key Distribution Center (KDC).
Authentication Steps
Step 1: TGT Request Initiation - The user sends a request to the KDC asking for a Ticket Granting Ticket - This is the initial contact in the Kerberos authentication process
Step 2: Identity Verification Request - The KDC receives the request and responds by requesting identity verification - The KDC does not immediately issue a TGT without proper authentication
Step 3: Timestamp Encryption - The user encrypts the current timestamp using their NTLM hash - The NTLM hash acts as the user's secret key - This encrypted timestamp serves as proof of identity
Step 4: Encrypted Timestamp Submission - The user sends the encrypted timestamp back to the KDC - This encrypted data can only be decrypted by someone with access to the correct NTLM hash
Step 5: Decryption and Verification - The KDC attempts to decrypt the timestamp using the stored NTLM hash associated with the user's account - The KDC has access to all users' NTLM hashes in its database
Step 6: TGT Issuance - If decryption is successful: The user's identity is verified and the KDC issues the TGT - If decryption fails: Authentication fails and no TGT is issued
Can Kerberos Be Hacked?
Yes. Because it is one of the most widely used authentication protocols, hackers have developed several ways to crack into Kerberos. Most of these hacks take advantage of a vulnerability, weak passwords, or malware – sometimes a combination of all three. Some of the more successful methods of hacking Kerberos include:
Pass-the-ticket: the process of forging a session key and presenting that forgery to the resource as credentials
Golden Ticket: A ticket that grants a user domain admin access
Silver Ticket: A forged ticket that grants access to a service
Credential stuffing/ Brute force: automated continued attempts to guess a password
Encryption downgrade with Skeleton Key Malware: A malware that can bypass Kerberos, but the attack must have Admin access
DCShadow attack: a new attack where attackers gain enough access inside a network to set up their own DC to use in further infiltration
Last updated