Meeting the 3 Headed Dog: Kerberos Authentication Basics

If you've been in the information security or network administration community for some period of time, chances are you've heard of Kerberos. Kerberos is the authentication protocol leveraged by most organizational networks today. Read on to find out more about the history behind Kerberos and how it works.


The Beast Awakens

Kerberos was developed at the Massachusetts Institute of Technology (MIT) in the 1980s. Its objective was to enable secure authentication across an insecure network connection by leveraging cryptography. This gives the client and the server a secure way to identify themselves to each other without passing passwords across the network in cleartext.


Go Fetch...and Again...and Again...

So how does the protocol work? Let's say you have a client computer that's trying to access a resource on an Active Directory network. Three parties are involved: the client computer, the authentication server (also known as the Key Distribution Center, or KDC), and the server on which the requested resource resides. There is a six-step interaction that the client is privy to:



  1. The client computer reaches out to the KDC and provides information regarding the user that is trying to authenticate.

  2. The user is verified by the KDC, and the authentication server responds by providing a ticket granting ticket (TGT), which is encrypted using the client's password as the key.

  3. The client computer decrypts and uses the TGT to request a ticket granting service (TGS) ticket for a specific service or resource that it's attempting to access from the KDC.

  4. The KDC responds to the client computer by providing a TGS ticket.

  5. The client computer uses the TGS to show the resource server that it's been authenticated and has privileges to access the requested resource.

  6. The resource server verifies this information and grants access to the requested resource.
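
The six steps above as a runnable model with both sides' messages (an added example, not code from the original post or from any Kerberos implementation). The principal names, password, salt and the toy `seal`/`unseal` cipher are constructed stand-ins for real Kerberos encryption types. In this model the part of the KDC's reply that the client opens with its password-derived key carries the session key, while the ticket itself is sealed under a key the client never holds.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):
    # Toy authenticated encryption (SHAKE-256 keystream + HMAC); illustration only.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def password_key(user, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.TEST" + user.encode(), 10_000)

# Constructed principals, password and salt; only the KDC holds all three keys.
KEYS = {"alice": password_key("alice", "correct horse"),
        "krbtgt": os.urandom(32), "cifs/files01": os.urandom(32)}

def issue(ticket_key, reply_key, user):
    # KDC side: new session key, sealed once inside the ticket and once for the client.
    sk = os.urandom(32).hex()
    ticket = seal(ticket_key, {"user": user, "sk": sk, "exp": time.time() + 36000})
    return seal(reply_key, {"sk": sk}), ticket

def check(ticket_key, ticket, authenticator):
    # The presenter must prove it knows the session key sealed inside the ticket.
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if a["user"] != t["user"] or t["exp"] < time.time() or abs(time.time() - a["ts"]) > 300:
        raise ValueError("expired ticket or stale authenticator")
    return t

def kdc_as(user):                                  # steps 1-2
    return issue(KEYS["krbtgt"], KEYS[user], user)

def kdc_tgs(tgt, authenticator, service):          # steps 3-4
    t = check(KEYS["krbtgt"], tgt, authenticator)
    return issue(KEYS[service], bytes.fromhex(t["sk"]), t["user"])

def client_access(user, password, service):
    proof = lambda k: seal(k, {"user": user, "ts": time.time()})
    reply, tgt = kdc_as(user)
    sk = bytes.fromhex(unseal(password_key(user, password), reply)["sk"])
    reply, ticket = kdc_tgs(tgt, proof(sk), service)
    ssk = bytes.fromhex(unseal(sk, reply)["sk"])
    # Steps 5-6: the resource server checks the ticket with its own key only.
    return check(KEYS[service], ticket, proof(ssk))["user"]
```

Note that the password never crosses the "network" between functions: a wrong password simply fails to open the KDC's reply on the client side.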

Anatomy of a TGT



Anatomy of a TGS




Taming the Dog: Ticket Attacks

Kerberos isn't impervious to attacks and circumvention. If you'd like to read more about tickets and how they can be abused, check out my other blog post: Precious Metals: Golden and Silver Ticket Attacks.


