Kerberos is an authentication protocol used by client-server applications on insecure networks. It was developed at MIT as part of Project Athena. Version 5 is the latest version of the protocol, and RFC 1510 is the IETF standard for Kerberos V5. Kerberos is also the name of the three-headed dog of Greek mythology.
Kerberos allows a user to connect to a remote service without transmitting the username and password over the network. It is used in environments where users are not restricted by firewalls.
Kerberos is now implemented in almost all operating systems. On Windows it is used together with Active Directory, which maintains the user accounts.
When a user has to use a service from another domain, the user's authentication is verified by the Key Distribution Center (KDC). The KDC is a service on the client's local domain that provides the Authentication Service (AS) and the Ticket Granting Service (TGS). The user provides a username and password to the AS at login, and the AS refers to Active Directory to authenticate the user.
After the user is verified, the AS returns a Ticket Granting Ticket (TGT) and a session key. DES is used in Kerberos to encrypt the TGT and the session key. The TGT is encrypted with a secret key known only to the TGS; the session key is encrypted with a key derived from the user's password. The TGT remains valid for 8 to 10 hours and is cached in the client's volatile memory. It also contains data such as the client's name and authorization data.
The TGT, together with the session key, is passed to the TGS, which decrypts and validates it. The TGS uses the session key to check that the ticket is not being replayed. After validating the TGT, the TGS returns a service ticket and a session key to the client. This service ticket is encrypted with the session key sent by the AS. It is used by the client to access the service in the other domain, and it is also cached in the client's volatile memory.
The service ticket is used by the remote server to authenticate the user on the client. It is valid up to a certain time limit. It is attached to the user's logon session and is passed, together with the session key sent by the TGS, to the remote service on each request.
The remote server may return a timestamp to the client, encrypted with the session key sent by the TGS. In this way mutual authentication is established between client and server.
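The three exchanges just described (AS, TGS, and the service request with the echoed timestamp), as an added example in Python that is not part of the original article. It is a single-process simulation: the KDC, client and service are plain objects, `seal`/`unseal` is a toy encrypt-then-MAC construction standing in for the DES encryption mentioned above, PBKDF2 stands in for the Kerberos string-to-key function, the TGT lifetime is fixed at 8 hours, and every name (`EXAMPLE.COM`, `alice`, `http/web01`, the passwords) is constructed for the example.

```python
import hashlib, hmac, json, os, time

def derive_key(password, salt):  # stand-in for Kerberos' string-to-key (assumption: PBKDF2)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key, nonce, n):  # SHA-256 counter keystream of at least n bytes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for the DES/AES encryption Kerberos uses."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")  # a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) of one realm."""
    def __init__(self, realm, users, services):
        self.realm = realm
        self.user_keys = {u: derive_key(p, realm + u) for u, p in users.items()}
        self.service_keys = {s: os.urandom(32) for s in services}
        self.tgs_key, self.replay_cache = os.urandom(32), set()  # TGS-only key; seen authenticators

    def authentication_service(self, user):
        sk = os.urandom(32)  # session key for client <-> TGS
        tgt = seal(self.tgs_key, {"client": user, "key": sk.hex(),
                                  "expires": time.time() + 8 * 3600})  # 8-hour TGT
        return tgt, seal(self.user_keys[user], {"key": sk.hex()})

    def ticket_granting_service(self, tgt, authenticator, service):
        t = unseal(self.tgs_key, tgt)
        if time.time() > t["expires"]:
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)  # proves the caller holds the TGT session key
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise PermissionError("authenticator mismatch or clock skew")
        if (a["client"], a["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((a["client"], a["ts"]))
        svc_sk = os.urandom(32)  # session key for client <-> service
        ticket = seal(self.service_keys[service], {"client": t["client"], "key": svc_sk.hex()})
        return ticket, seal(sk, {"key": svc_sk.hex(), "service": service})

def ap_request(service_key, ticket, authenticator):
    """Server side: validate the service ticket, then echo the timestamp (mutual auth)."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})

class Client:
    def __init__(self, kdc, user, password):
        self.kdc, self.user, self.cache = kdc, user, {}  # cache = volatile ticket store
        self.key = derive_key(password, kdc.realm + user)

    def logon(self):  # AS exchange
        tgt, enc = self.kdc.authentication_service(self.user)
        self.cache["tgt"] = (tgt, bytes.fromhex(unseal(self.key, enc)["key"]))

    def get_service_ticket(self, service):  # TGS exchange
        tgt, sk = self.cache["tgt"]
        ticket, enc = self.kdc.ticket_granting_service(
            tgt, seal(sk, {"client": self.user, "ts": time.time()}), service)
        self.cache[service] = (ticket, bytes.fromhex(unseal(sk, enc)["key"]))

    def access(self, service, service_key):  # AP exchange
        ticket, key = self.cache[service]
        ts = time.time()
        reply = ap_request(service_key, ticket, seal(key, {"client": self.user, "ts": ts}))
        return unseal(key, reply)["ts"] == ts  # True only if the server knew the session key

def demo(password="correct horse battery"):
    """Logon, obtain a service ticket, access the service; True on mutual authentication."""
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse battery"}, ["http/web01"])
    c = Client(kdc, "alice", password)
    c.logon()
    c.get_service_ticket("http/web01")
    return c.access("http/web01", kdc.service_keys["http/web01"])

def replay_is_rejected():
    """The same authenticator presented to the TGS twice is refused the second time."""
    kdc = KDC("EXAMPLE.COM", {"alice": "pw"}, ["http/web01"])
    c = Client(kdc, "alice", "pw"); c.logon()
    tgt, sk = c.cache["tgt"]
    auth = seal(sk, {"client": "alice", "ts": time.time()})
    kdc.ticket_granting_service(tgt, auth, "http/web01")  # first use: accepted
    try:
        kdc.ticket_granting_service(tgt, auth, "http/web01")
    except PermissionError:
        return True
    return False
```

`demo()` returns True; `demo("wrong password")` raises ValueError inside `logon`, because the only thing the password-derived key is ever used for is decrypting the AS reply, so nothing derived from the password crosses the wire. `replay_is_rejected()` shows the TGS replay cache refusing a re-used authenticator, and the `expires` field on the TGT is where the 8 to 10 hour lifetime from the text is enforced.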
These authentication steps may be more complex or may vary between operating systems; however, they are performed transparently as part of the user's login.
While authenticating users across different domains, a referral ticket is used. For example, if a user of domain1.com has to access a service in domain3.com and there is no trust relationship between these two domains, they can use a mutually trusted domain. Say domain1.com has a trust relationship with domain2.com and domain2.com has a trust relationship with domain3.com. The user of domain1.com then connects to the KDC of domain2.com using a referral ticket obtained from the TGS of domain1.com. The TGS of domain2.com in turn provides a referral ticket for domain3.com, which the client passes to the KDC of domain3.com. Referral tickets are shared hierarchically across domains: a domain can share a referral ticket with its parent as well as with its child domains.
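The referral walk described above, as an added example in Python that is not part of the original article. Trust relationships are modelled as a small graph (parent/child links from the domain hierarchy plus explicit pairwise trusts), a client-side breadth-first search finds the chain of KDCs to visit, and `referral_chain` lists the ticket each TGS on the path issues. The domain names and the `http/app` service are constructed; that a real client discovers the path this way is an assumption of the model, not a claim about any particular implementation.

```python
from collections import deque

class Realm:
    """One Kerberos realm (AD domain) with the trusts its KDC knows about."""
    def __init__(self, name, trusts=()):
        self.name, self.trusts = name, set(trusts)

def build_forest(parent_child, external=()):
    """Parent/child pairs give the hierarchical two-way trusts; `external` lists extra
    pairwise trusts (constructed model of trust relationships, an assumption)."""
    realms = {}
    def get(n):
        return realms.setdefault(n, Realm(n))
    for parent, child in parent_child:
        get(parent).trusts.add(child); get(child).trusts.add(parent)
    for a, b in external:
        get(a).trusts.add(b); get(b).trusts.add(a)
    return realms

def trust_path(realms, src, dst):
    """Breadth-first search over trust links; returns the realms a client will visit,
    or None when no chain of trusts connects the two realms."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur); cur = prev[cur]
            return path[::-1]
        for nxt in sorted(realms[cur].trusts):  # sorted only to keep the walk deterministic
            if nxt not in prev:
                prev[nxt] = cur; queue.append(nxt)
    return None

def referral_chain(realms, user_realm, service, service_realm):
    """Tickets issued along the way: every intermediate TGS hands out a referral ticket
    for the next realm, and the service realm's TGS finally issues the service ticket."""
    path = trust_path(realms, user_realm, service_realm)
    if path is None:
        raise LookupError(f"no trust path from {user_realm} to {service_realm}")
    chain = [{"issued_by": here, "ticket": "referral", "for": nxt}
             for here, nxt in zip(path, path[1:])]
    chain.append({"issued_by": service_realm, "ticket": "service", "for": service})
    return chain

def demo():
    # Constructed topology: sub.domain1.com is a child of domain1.com;
    # domain1.com <-> domain2.com <-> domain3.com are pairwise trusts as in the text.
    realms = build_forest(
        parent_child=[("domain1.com", "sub.domain1.com")],
        external=[("domain1.com", "domain2.com"), ("domain2.com", "domain3.com")])
    return referral_chain(realms, "sub.domain1.com", "http/app", "domain3.com")
```

`demo()` produces three referral tickets (issued by sub.domain1.com, domain1.com and domain2.com, each for the next hop) followed by the service ticket from domain3.com; a realm with no trust path at all makes `trust_path` return None and `referral_chain` raise, which is the failure a user sees when two domains share no trusted intermediary.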
In this way, Kerberos provides authentication without transmitting the password across domains. Password strength plays an important role, and strong passwords need to be used: an attacker can impersonate the user if weak passwords are used.