Kerberos protocol

What is Kerberos protocol?

Kerberos is a network authentication protocol for client-server applications. It authenticates users and services to each other with symmetric cryptography and a trusted third party, so that no password is ever sent across the network. The standard definition is RFC 1510, The Kerberos Network Authentication Service (V5), which has since been superseded by RFC 4120.

Architecture of Kerberos

The Key Distribution Center, commonly known as the KDC, is at the core of Kerberos. It stores the authentication information of the realm (the long-term secret key of every user and server) and uses it to issue the tickets with which users and servers authenticate to each other.

The authentication process is considered secure because it

  • never sends a password over the network in plain text
  • does not rely on the host operating system's own authentication
  • does not base trust on IP addresses
  • does not require physical security of every host on the network

Because the KDC performs this critical function, it holds a great deal: the secret keys of all principals, the user database and the information about each server. Kerberos clients are the network applications that use Kerberos to authenticate.

The Messages of Kerberos Protocol

Kerberos v5 defines the following messages; the first three pairs are the request and reply of one exchange each:

  • KRB_AS_REQ / KRB_AS_REP: Authentication Service request and reply (the client obtains a ticket-granting ticket)
  • KRB_TGS_REQ / KRB_TGS_REP: Ticket Granting Service request and reply (the client obtains a ticket for a service)
  • KRB_AP_REQ / KRB_AP_REP: Application request and reply (the client authenticates to the server, and the server optionally to the client)
  • KRB_SAFE: checksummed (integrity-protected) application message
  • KRB_PRIV: encrypted (confidentiality-protected) application message
  • KRB_CRED: credentials forwarded from one principal to another
  • KRB_ERROR: error message

Implementation of Kerberos

MIT Kerberos, the reference implementation, supports Linux, DEC Unix, Solaris, Irix, Mac OS and Windows.

Other commercial and non-commercial implementations are also available. Microsoft's Windows 2000 ships a modified version of Kerberos v5.

Weakness of Kerberos

Every user and server on the network has a secret key in the KDC's store, so that store must be kept completely secure: an attacker who gains administrative access to the KDC holds every key in the realm and can issue or forge tickets for any principal. Kerberos tickets are also cached on client systems. An attacker who gains administrative access to a client can read its credential cache and impersonate any user who has authenticated there, for as long as the cached tickets remain valid.
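The three exchanges listed in the message section (AS, TGS and AP) and both weaknesses just described, modelled in Python as an added example that is not code from this page or from any Kerberos implementation. It assumes a realm EXAMPLE.COM with constructed principals alice, krbtgt/EXAMPLE.COM and host/fs.example.com, replaces the Kerberos encryption types with a toy HMAC-SHA256 stream cipher plus tag, uses dicts in place of ASN.1 messages and PBKDF2 in place of string2key, and follows the RFC 1510 flow without pre-authentication:

```python
"""Toy model of the Kerberos v5 AS, TGS and AP exchanges: an added example, not code from the page
or any Kerberos implementation. Stand-ins: HMAC-SHA256 stream + tag for a Kerberos encryption type,
dicts for ASN.1 messages, PBKDF2 for string2key. Realm and principal names are constructed."""
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"                          # assumed realm name
TGS = "krbtgt/" + REALM                        # principal of the ticket-granting service
NONCE_LEN, TAG_LEN, LIFETIME = 16, 32, 8 * 3600

def string_to_key(password, principal):        # long-term key, salted with realm + principal
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):                 # HMAC in counter mode: toy stand-in for a cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, msg):
    """Encrypt-then-MAC a dict; hex output so it can sit inside another message."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, blob_hex):                    # ValueError on wrong key (a bad password) or tampering
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key: the store the weakness section warns about."""
    def __init__(self, passwords):
        self.keys = {name: string_to_key(pw, name) for name, pw in passwords.items()}

    def ticket(self, sname, cname, session):
        # Sealed with the service's key: the client carries the ticket but cannot read it.
        return encrypt(self.keys[sname], {"cname": cname, "sname": sname, "key": session.hex(),
                                          "expires": time.time() + LIFETIME})

    def as_exchange(self, req):
        # KRB_AS_REQ -> KRB_AS_REP. Without pre-authentication the KDC answers anyone; the
        # password is proven only by the client's ability to open enc_part.
        session = os.urandom(32)
        return {"cname": req["cname"], "ticket": self.ticket(TGS, req["cname"], session),
                "enc_part": encrypt(self.keys[req["cname"]], {"key": session.hex(), "sname": TGS})}

    def tgs_exchange(self, req):
        # KRB_TGS_REQ -> KRB_TGS_REP: TGT plus authenticator in, service ticket out.
        tgt = decrypt(self.keys[TGS], req["ticket"])
        tgt_key = bytes.fromhex(tgt["key"])
        if decrypt(tgt_key, req["authenticator"])["cname"] != tgt["cname"] or time.time() > tgt["expires"]:
            raise PermissionError("authenticator does not match TGT, or TGT expired")
        session = os.urandom(32)
        return {"ticket": self.ticket(req["sname"], tgt["cname"], session),
                "enc_part": encrypt(tgt_key, {"key": session.hex(), "sname": req["sname"]})}

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.password, self.kdc = name, password, kdc
        self.ccache = {}                       # credential cache: sname -> (ticket, session key hex)

    def login(self):
        rep = self.kdc.as_exchange({"cname": self.name})            # the password never goes on the wire
        enc = decrypt(string_to_key(self.password, self.name), rep["enc_part"])
        self.ccache[enc["sname"]] = (rep["ticket"], enc["key"])

    def ap_req(self, sname):
        # Build KRB_AP_REQ for sname, running the TGS exchange first if no ticket is cached.
        authenticator = lambda key_hex: encrypt(bytes.fromhex(key_hex), {"cname": self.name, "ts": time.time()})
        if sname not in self.ccache:
            tgt, key = self.ccache[TGS]
            rep = self.kdc.tgs_exchange({"ticket": tgt, "authenticator": authenticator(key), "sname": sname})
            self.ccache[sname] = (rep["ticket"], decrypt(bytes.fromhex(key), rep["enc_part"])["key"])
        ticket, key = self.ccache[sname]
        return {"ticket": ticket, "authenticator": authenticator(key)}

def ap_verify(service_key, ap_req, skew=300):
    """Service side of KRB_AP_REQ: returns the authenticated principal or raises PermissionError."""
    ticket = decrypt(service_key, ap_req["ticket"])
    auth, now = decrypt(bytes.fromhex(ticket["key"]), ap_req["authenticator"]), time.time()
    if auth["cname"] != ticket["cname"] or now > ticket["expires"] or abs(now - auth["ts"]) > skew:
        raise PermissionError("name mismatch, expired ticket, or clock skew")
    return ticket["cname"]

def demo():                                    # the three exchanges, then the two weaknesses
    svc, result = "host/fs.example.com", {}
    kdc = KDC({TGS: os.urandom(16).hex(), svc: os.urandom(16).hex(), "alice": "correct horse"})
    alice = Client("alice", "correct horse", kdc)
    alice.login()
    result["authenticated"] = ap_verify(kdc.keys[svc], alice.ap_req(svc))
    try:
        Client("alice", "wrong password", kdc).login()
        result["wrong_password"] = "accepted"
    except ValueError:
        result["wrong_password"] = "rejected"
    thief = Client("alice", "", kdc)           # admin on alice's host copies her credential cache
    thief.ccache = dict(alice.ccache)
    result["stolen_ccache"] = ap_verify(kdc.keys[svc], thief.ap_req(svc))
    forger, fkey = Client("root", "", kdc), os.urandom(32)   # admin on the KDC holds every key
    forger.ccache[svc] = (encrypt(kdc.keys[svc], {"cname": "root", "sname": svc, "key": fkey.hex(),
                                                 "expires": time.time() + LIFETIME}), fkey.hex())
    result["forged_ticket"] = ap_verify(kdc.keys[svc], forger.ap_req(svc))
    return result
```

Running demo() shows alice authenticating to host/fs.example.com without her password ever leaving the client, a wrong password failing only because the client cannot open enc_part, a copied credential cache letting a second process act as alice, and a ticket minted with a key lifted from the KDC's store passing verification for a principal who never logged in. Real deployments add pre-authentication, a replay cache on the service side and address and flag checks that are left out here.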

Encryption algorithms of Kerberos

Kerberos as defined in RFC 1510 uses the DES algorithm for encryption and supports CRC-32, MD4, MD5 and DES-MAC for checksums. The protocol is extensible: encryption and checksum types are negotiated between client and KDC, and newer ones have since been added, notably AES (RFC 3962). DES has been deprecated for Kerberos (RFC 6649) and should be disabled in any current deployment.