Kerberos is a network authentication protocol developed by Massachusetts Institute of Technology that provides strong authentication between client and server using cryptography in an open unprotected network.
Key Aspects of Kerberos
- Provides network authentication between the principals client and server.
- 3rd party based authentication framework.
- Cryptography based authentication using symmetric keys.
- Provides Single Sign On seamless authentication.
- Uses cryptography-based tickets for authentication and authorization for granting access.
Architecture
Key Distribution Center (KDC) is the core component of Kerberos which acts as the 3rd Party Authentication providing Central Authentication to the domain (realm) for which it is providing the network authentication service. KDC has the two sub-components – Authentication Server (AS) and Ticket Granting Server (TGS).
Authentication Server (AS) verifies the user and provides Ticket Granting Ticket (TGT) upon successful authentication.
Ticket Granting Server (TGS) provides the Service Ticket for accessing the Application Server.
Application Server (AP) is the server that provides the service to the clients.
Ticket Granting Ticket (TGT) is the credential obtained from the Authentication Server (AS) that the client uses to authenticate to the Ticket Granting Server (TGS).
Service Ticket (ST) is credential obtained from the Ticket Granting Server (TGS) that the client uses to authenticate to the Application Server (AP).
Client Principal is the endpoint that would need access a service in the domain.
Server Principal is the system that is providing the service in the domain.
Kerberos Exchange
Authentication Service Exchange
AS-REQ (Authentication Service Request)
- The client logs into domain and starts the authentication process by sending Authentication Service Request (AS-REQ) to the Authentication Server (AS) requesting for authentication and credential Ticket Granting Ticket (TGT).
- The client sends the identity (username) and a timestamp encrypted with it’s NTLM password hash.
- The AS verifies the identity of the client against the Database and extracts the client’s NTLM password hash.
- The AS decrypts the encrypted timestamp with the client’s NTLM password hash. The timestamp is used to check for replay attacks.
AS-REP (Authentication Service Reply)
- The AS sends the Client/TGS Session Key encrypted with the client’s NTLM password hash.
- The AS also sends the credentials which consist of the Ticket Granting Ticket (TGT) and client ID encrypted with the TGS’s secret Key. Only the TGS can decrypt this ticket.
- The client extracts Client/TGS Session key with it’s client NTLM password hash. Only, if the client has the actual password hash, it can decrypt and hence this authenticates the client.
- This concludes the mutual authentication between Client and AS.
- The client is now authenticated into the domain.
Ticket-Granting Service (TGS) Exchange
TGS-REQ (Ticket Granting Service Request)
- The client sends the encrypted TGT and the Service ID for which it needs access to the TGS.
- The client also sends the authenticator (client ID and timestamp) encrypted with the Client/TGS session key.
- The TGS decrypts the encrypted TGT with it’s secret key and gets the Client/TGS Session Key and Client ID.
- Using the Client/TGS Session key, the TGS decrypts the Authenticator which has the client ID and timestamp.
- The TGS compares the client ID from the TGT and Authenticator. Both are compared and validated.
- The timestamp is validated to make sure, the message is not replayed.
TGS-REP (Ticket Granting Service Response)
- The TGS sends the Service Ticket encrypted with the Application Server Secret key.
- The TGS also sends the Client/Server Session key encrypted with the Client/TGS Session key.
- The client decrypts this message using the Client/TGS Session key and gets the Client/Server Session key.
- This concludes the mutual authentication between Client and TGS.
Client/Server Authentication Exchange
AP-REQ (Application Service Request)
- The client sends the encrypted Service Ticket to the Application Server (AP) with the client ID.
- The client also sends the Authenticator which has timestamp, client ID encrypted using the Client/Server session key.
- The AS decrypts the Service Ticket with it’s secret key and gets the Client/Server Session Key.
- The AS decrypts the Authenticator using the Client/Server Session Key, gets the Client ID and compares with the client ID, it got with the Service ticket. The timestamp is validated to make sure, the message is not replayed.
AP-REP (Application Service Response)
- Upon successful authentication, the AP sends the obtained timestamp encrypted to the client.
- The client gets the encrypted message, decrypts with the Client/Server session key and compares the timestamp. If it matches, then it trusts that the message was sent by the destined Application Server.
- The client starts accessing the service from the AS.
Reference