What is Kerberos?

Started by VelMurugan, Oct 11, 2008, 08:11 PM


VelMurugan

What is Kerberos?

Kerberos is a network authentication protocol which utilizes symmetric cryptography to provide authentication for client-server applications.

The Kerberos Standard Definition

Kerberos is defined in RFC 1510 - The Kerberos Network Authentication Service (V5).

The Kerberos Architecture

The core of a Kerberos architecture is the KDC (Key Distribution Server). The KDC stores authentication information and uses it to securely authenticate users and services.

This authentication is called secure because it:

    * Does not occur in plaintext
    * Does not rely on authentication by the host operating system
    * Does not base trust on IP addresses
    * Does not require physical security of the network hosts

The KDC acts as a trusted third party in performing these authentication services.

Due to the critical function of the KDC, multiple KDCs are normally utilized. Each KDC stores a database of users, servers, and secret keys.

Kerberos clients are normal network applications which have been modified to use Kerberos for authentication. In Kerberos slang, they have been Kerberized.

The Kerberos Protocol

Kerberos defines ten messages that make up the Kerberos protocol:

    KRB_AS_REQ   Kerberos Authentication Service Request
    KRB_AS_REP   Kerberos Authentication Service Reply
    KRB_AP_REQ   Kerberos Application Request
    KRB_AP_REP   Kerberos Application Reply
    KRB_TGS_REQ   Kerberos Ticket Granting Service Request
    KRB_TGS_REP   Kerberos Ticket Granting Service Reply
    KRB_SAFE   Kerberos Safe (Checksummed) Application Message
    KRB_PRIV   Kerberos Private (Encrypted) Application Message
    KRB_CRED   Kerberos Credentials
    KRB_ERROR   Kerberos Error

Kerberos Implementations

MIT Kerberos is the reference implementation. MIT Kerberos supports DEC Unix, Linux, Irix, Solaris, Windows and MacOS.

Several other commercial and non-commercial Kerberos implementations are also available.

Microsoft added a slightly modified version of Kerberos v5 authentication in Windows 2000.

Kerberos Weaknesses

Because the KDCs store secret keys for every user and server on the network, they must be kept completely secure. If an attacker were to obtain administrative access to the KDC, he would have access to the complete resources of the Kerberos realm.

Kerberos tickets are cached on the client systems. If an attacker gains administrative access to a Kerberos client system, he can impersonate the authenticated users of that system.

Kerberos Encryption Protocols

Kerberos uses the DES algorithm for encryption. Kerberos also supports the CRC-32, MD4, MD5, and DES algorithms for checksums. Kerberos implementations are free to add additional algorithms for encryption and checksumming.
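The AS, TGS and AP exchanges from the message list above, as an added Python walk-through that is not part of the original post: the client never sends its password, the KDC holds every principal's key (the first weakness above), and the service checks a ticket with only its own key. The cipher is a constructed SHA-256 keystream plus HMAC tag standing in for DES, and KDC_DB, the principal names and the message field names are assumptions, not the real wire format.

```python
import hashlib, hmac, json, os, time

def _xor(key, nonce, data):  # SHA-256 keystream XOR: a toy stand-in for DES, not real Kerberos crypto
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, obj):  # toy authenticated encryption of a dict: nonce || ciphertext || HMAC tag
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):  # raises ValueError on a wrong key or a tampered message
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

# KDC database (constructed sample). Every principal's key is here: lose the KDC, lose the realm.
KDC_DB = {"alice": hashlib.sha256(b"alice-password").digest(), "krbtgt": os.urandom(32), "http/web": os.urandom(32)}

def kdc_as_exchange(as_req):
    """KRB_AS_REQ -> KRB_AS_REP: no password crosses the wire; only alice's key opens enc_part."""
    sk = os.urandom(32)
    tgt = encrypt(KDC_DB["krbtgt"], {"client": as_req["client"], "key": sk.hex(), "exp": time.time() + 600})
    return {"tgt": tgt, "enc_part": encrypt(KDC_DB[as_req["client"]], {"key": sk.hex()})}

def kdc_tgs_exchange(tgs_req):
    """KRB_TGS_REQ -> KRB_TGS_REP: open the TGT, check the authenticator, issue a service ticket."""
    tgt = decrypt(KDC_DB["krbtgt"], tgs_req["tgt"])
    if tgt["exp"] < time.time(): raise ValueError("TGT expired")
    sk = bytes.fromhex(tgt["key"])  # knowing the session key proves the requester owns the TGT
    if decrypt(sk, tgs_req["authenticator"])["client"] != tgt["client"]: raise ValueError("bad authenticator")
    svc_key = os.urandom(32)
    ticket = encrypt(KDC_DB[tgs_req["service"]], {"client": tgt["client"], "key": svc_key.hex()})
    return {"ticket": ticket, "enc_part": encrypt(sk, {"key": svc_key.hex()})}

def client_login(user, password, service):
    """Client side of the AS then TGS exchange; returns the KRB_AP_REQ it would send to the service."""
    as_rep = kdc_as_exchange({"client": user})
    sk = bytes.fromhex(decrypt(hashlib.sha256(password.encode()).digest(), as_rep["enc_part"])["key"])
    tgs_rep = kdc_tgs_exchange({"tgt": as_rep["tgt"], "service": service,
                                "authenticator": encrypt(sk, {"client": user, "t": time.time()})})
    svc_key = bytes.fromhex(decrypt(sk, tgs_rep["enc_part"])["key"])
    return {"ticket": tgs_rep["ticket"], "authenticator": encrypt(svc_key, {"client": user})}

def service_accept(service, ap_req):
    """KRB_AP_REQ check using only the service's own key; returns the authenticated client name."""
    ticket = decrypt(KDC_DB[service], ap_req["ticket"])  # KDC_DB[service] stands in for the service keytab
    if decrypt(bytes.fromhex(ticket["key"]), ap_req["authenticator"])["client"] != ticket["client"]: raise ValueError("bad authenticator")
    return ticket["client"]
```

A wrong password surfaces as a ValueError from the client's own decryption of the AS reply, not as an error message from the KDC.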
