What is kerberos and how does kerberos work

In this post we will try to understand some basic concepts of Kerberos. Before biginning with this post it will be an added advantage, to go through needham-schroeder-protocol.

Kerberos is an authentication system developed as part of athena project in MIT. Kerberos uses a trusted third party or call a middle man server, for authentication. And kerberos is based upon needham-schroeder-protocol.

From the different versions available in kerberos, version 1 to 3 were never released for public use as they were mainly internal releases. Version 4 and 5 were released, and due to some security flaw in version 4 its seldom used these days. So we will be discussing kerberos version 5 throughout our tutorial/documentation section. As of now the latest version of kerberos is version 5 Release 1.10.3.

Kerberos was designed to mitigate the following problems in network security:

• Password Sniffing
• Password database stealing.

Password and login credential is centralized in kerberos infrastructure, which prevents clients from storing passwords on their machines.

Protocol weaknesses due to unencrypted data transfer on some network services can be reduced with the help of kerberos.

Disadvantages of Kerberos:

• In kerberos infrastructure user login credentials are stored in the central server as mentioned before. So its a tedious job to migrate all login credentials from local machines /etc/passwd and /etc/shadow files to the central server.
• If some attacker gets access to the central server, the entire infrastructure will be under threat.
• the applications that can be protected using kerberos must have kerberos functionality inbuilt into them. There are many application programs currently without the support for kerberos.

Lets Learn some of the common terms used in Kerberos infrastructure.

1. GSS-API : this is the API that must be present in application programs, to be compatible with Kerberos.
2. KDC: Key distribution Centre, this will be the server which we call the middle man server or the central server arbitrator, which issues the keys for the communication.
3. REALM: a kerberos network identified by a name, mostly this is the domain name in all caps.
4. Principal: this is the name used by the kerberos central server to call users, service name etc.
5. TGS: Ticket Granting Server: this is mostly the same central server (KDC server), it grants the tickets for a service.
6. TGT: A special ticket which contains the session key for communication between the client machine and the central KDC server.

How it Works?

Step1: When the user logins to his or her machine. The principal, is sent to KDC server for login, and the KDC server will provide TGT in return(this request to the KDC server can be sent by the login program or we can also use kinit program) .

Step2: Kdc server searches the principal name in the database, on finding the principal, a TGT is generated by the KDC, which will be encrypted by the users key, and send back to the user.

Step3: When the user gets the TGT, the user decrypts the TGT with the help of KINIT(with help of the users key).

An important fact to note here is that, the client machine stores its key on its own machine only and this is never transmitted over wire.

Step4: The TGT recieved by the client from the KDC server will be stored in the cache for use for the session duration. There will always be an expiration time set on the TGT offered by the KDC server, so that an expired TGT can never be used by an attacker.

Step5: Now the client has got TGT in hand. If suppose the client needs to communicate with some service on that network, the client will ask the KDC server, for a ticket for that specific service with the help of TGT.

The above mentioned things will become much more clear after we start working with kerberos.In the Next post we will be installing and working with kerberos!!