The Kerberos protocol enables different machines and devices to exchange information continuously and securely. Without a robust authentication protocol such as Kerberos, this information is vulnerable to unauthorized access and even manipulation—for example, through a man-in-the-middle attack.
Various organizations have developed their own authentication protocols. An authentication protocol allows one user, device, or system to verify the identity of another user, device, or system that wants to communicate with it. After the two entities authenticate each other’s identity, they can rest assured that their communications will not be intercepted or tampered with by malicious attackers.
One such authentication protocol is Kerberos. So, what is Kerberos authentication, exactly, and how does the Kerberos protocol differ from other alternatives? We’ll go over everything you need to know in this guide to Kerberos security.
What is Kerberos?
Kerberos is an authentication protocol that facilitates secure communication between two machines or devices on a network (MIT, 2023). Initially developed at the Massachusetts Institute of Technology (MIT) in the late 1980s, Kerberos has since become one of the most popular authentication protocols. The current version of Kerberos, version 5, was first released in 1993.
What is Kerberos Used For?
All the major modern operating systems—Windows, macOS, and Linux—include support for the Kerberos protocol. In particular, Kerberos is the default authentication protocol used by Windows Active Directory, a directory service and database that helps users locate resources on a computer network (Microsoft, 2021). Kerberos can be used for a wide range of applications, including:
- User authentication: Kerberos can verify users’ identities on a computer network before they are granted access to privileged resources and systems.
- Single Sign-On (SSO): Kerberos can be used to implement SSO functionality, allowing users to authenticate their identities only once instead of each time they access a new resource.
- Resource access control: System administrators can strategically deploy Kerberos to enforce IT access control policies, limiting users’ access to certain resources based on their identities.
What is the Kerberos Protocol?
The main concept used in the Kerberos protocol is that of a “ticket”: a data structure that holds information used to authenticate users and devices (IBM, 2021). A ticket serves as proof that the Kerberos server has authenticated a user and contains data such as the user ID, the IP address, and the length of time the ticket is valid.
Fans of Greek mythology might realize that the Kerberos protocol shares its name with Kerberos (or Cerberus), the three-headed dog that guards the entrance to the underworld. In fact, the Kerberos protocol got its name from the three-pronged security model it uses. The three main components of Kerberos are:
- The client, i.e., the user or device that seeks authentication to access restricted network resources or systems.
- The Kerberos authentication server, which initially authenticates users’ identities and issues ticket-granting tickets (TGTs). A TGT is a small, encrypted data structure that the client uses to request access to other network resources.
- The ticket-granting server (TGS), which accepts TGTs from users and issues service tickets that grant access to a specific resource or service.
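To make the three-pronged model concrete, here is an added toy walk-through of the AS, TGS and service exchanges in Python (example code written for this article, not MIT's or Microsoft's implementation). It assumes a constructed realm with the principals alice, krbtgt and cifs/fs01, and uses an HMAC seal in place of real Kerberos encryption; pre-authentication, session keys and the client authenticator are left out.

```python
import hashlib, hmac, json

# Constructed toy realm (not real Kerberos crypto): each principal shares a long-term
# key with the KDC. "krbtgt" is the KDC's own key; "cifs/fs01" is a file-server service.
LONG_TERM_KEYS = {
    "alice": b"alice-long-term-key",
    "krbtgt": b"kdc-krbtgt-key",
    "cifs/fs01": b"fileserver-long-term-key",
}
TICKET_LIFETIME = 600  # seconds an issued ticket stays valid

def seal(key, fields):
    """Seal ticket fields under a key (HMAC stands in for Kerberos encryption)."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key, ticket):
    """Check the seal with the expected key and return the ticket fields."""
    tag = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise ValueError("ticket was not sealed under this key")
    return json.loads(ticket["body"])

def authentication_server(user, client_ip, now):
    """AS exchange: issue a TGT sealed under the krbtgt key, so only the KDC can read it
    (encryption of the reply under the user's own key is omitted in this toy)."""
    if user not in LONG_TERM_KEYS:
        raise ValueError("unknown principal")
    tgt = {"user": user, "ip": client_ip, "service": "krbtgt", "expires": now + TICKET_LIFETIME}
    return seal(LONG_TERM_KEYS["krbtgt"], tgt)

def ticket_granting_server(tgt, service, now):
    """TGS exchange: validate the TGT, then issue a ticket sealed under the target service's key."""
    fields = unseal(LONG_TERM_KEYS["krbtgt"], tgt)
    if fields["service"] != "krbtgt" or fields["expires"] <= now:
        raise ValueError("TGT invalid or expired")
    if service not in LONG_TERM_KEYS:
        raise ValueError("unknown service")
    ticket = {"user": fields["user"], "ip": fields["ip"], "service": service,
              "expires": now + TICKET_LIFETIME}
    return seal(LONG_TERM_KEYS[service], ticket)

def service_accepts(service, ticket, client_ip, now):
    """AP exchange: the service verifies with its own key alone and never contacts the KDC."""
    try:
        fields = unseal(LONG_TERM_KEYS[service], ticket)
    except ValueError:
        return False  # sealed under some other key, or tampered with
    return fields["service"] == service and fields["ip"] == client_ip and fields["expires"] > now
```

Note that the service ticket is unreadable and unforgeable to anyone without the service's key, which is exactly why the long-term keys of krbtgt and of service accounts are the high-value secrets in a Kerberos realm.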
How is Kerberos Different from Other Protocols?
Of course, Kerberos is just one of many possible authentication protocols that devices can use for secure communication. Alternatives to Kerberos include NTLM, LDAP, and RADIUS. So how is Kerberos different from these other protocols?
- NTLM is a suite of security protocols from Microsoft to help authenticate users’ identities on a network, mainly in Windows environments. While Microsoft still supports NTLM, it has largely been replaced by Kerberos for use cases such as Active Directory due to certain security vulnerabilities.
- LDAP is a protocol mainly used for accessing and managing directory services. Unlike Kerberos, LDAP uses centralized authentication: credentials such as username and password are stored in a single location, which means that users have to reenter these credentials every time they access a new service.
- RADIUS is a security protocol that provides centralized authentication, authorization, and accounting (AAA) for users’ access to a computer network. RADIUS offers authentication at a specific point in the network but cannot grant further authentication to specific resources and services, as Kerberos does.
Is Kerberos Secure?
Before you start using the Kerberos authentication protocol, you should be familiar with the topic of Kerberos security. Kerberos is generally considered a secure protocol and has largely replaced more insecure alternatives such as NTLM.
Unfortunately, no authentication protocol can be entirely foolproof, and the same is true of Kerberos. The Kerberos protocol is vulnerable to attacks such as:
- Kerberoasting: In a “Kerberoasting” attack, malicious actors attempt to crack the passwords of service accounts, which are special accounts used to authenticate and authorize specific network services or applications. The attacker requests a Kerberos service ticket and then tries to break into this account by using offline password-cracking techniques, helping avoid detection.
- Golden ticket attacks: In a “golden ticket” attack, malicious actors attempt to forge a special TGT (called a “golden ticket”). This golden ticket is obtained by stealing the password to the KRBTGT account, a special account that controls the Key Distribution Center (KDC) database. The attacker can then generate valid TGTs using this “golden ticket,” gaining unlimited access to any resources or services on the network.
- Silver ticket attacks: In a “silver ticket” attack, malicious actors attempt to forge a service ticket of the kind the TGS issues (called a “silver ticket”). This type of attack requires the attacker to already have seized control of a target system (for example, through a malware infection). Once the attacker has administrative access to the system, a forged “silver ticket” can be created, letting the attacker impersonate that system. As the name suggests, silver ticket attacks are more limited in scope than golden ticket attacks—they are restricted to only a single application or service.
How Can Kerberos Vulnerabilities Be Mitigated?
Despite its widespread usage, Kerberos has its share of vulnerabilities. The good news is that various ways exist to address these weaknesses and improve Kerberos security. To help mitigate Kerberos vulnerabilities, follow tips and best practices such as:
- Implement strong password policies: Kerberos vulnerabilities, such as “golden ticket” attacks, rely on the attacker’s ability to crack the password. The more challenging this password is to crack, the harder a successful attack will become. Organizations should encourage users to use long and complex passwords that cannot be easily guessed through brute force.
- Apply security updates regularly: All Kerberos systems, especially the Key Distribution Center (KDC), should be regularly updated with the latest security upgrades. This helps fix known security flaws, strengthening the network infrastructure and limiting the number of potential entry points for attackers.
- Deploy monitoring and intrusion detection tools: Many Kerberos vulnerabilities rely on the ability of attackers to move undetected throughout the network. When a cyberattack begins, organizations should be alerted as soon as possible to take preventive measures. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help identify and block suspicious activity, putting an end to cyberattacks before they get off the ground.
- Use the principle of least privilege: In cybersecurity, the “principle of least privilege” is the concept that users should be granted access only to the specific resources and services they require—and no more. This helps restrict the movement of attackers if they manage to seize control of a user account. Organizations should implement the principle of least privilege when assigning permissions within the Kerberos realm.
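As an added example (not from the article or EC-Council), here is detection logic for the Kerberoasting pattern described earlier, run over a constructed sample of Windows Security Event ID 4769 records. The account names, SPNs and timestamps are made up; the event ID and the 0x17 (RC4-HMAC) encryption-type value are real Windows values.

```python
from collections import defaultdict

# Constructed sample of Windows Security log events (Event ID 4769, "A Kerberos service
# ticket was requested") with abbreviated fields; not captured from a real host.
SAMPLE_EVENTS = [
    {"time": 0,   "id": 4769, "account": "jsmith", "service": "cifs/fs01",     "enc": "0x12"},
    {"time": 5,   "id": 4769, "account": "jsmith", "service": "http/intranet", "enc": "0x12"},
    {"time": 60,  "id": 4769, "account": "ops01",  "service": "MSSQLSvc/db01", "enc": "0x17"},
    {"time": 61,  "id": 4769, "account": "ops01",  "service": "http/reports",  "enc": "0x17"},
    {"time": 62,  "id": 4769, "account": "ops01",  "service": "cifs/backup01", "enc": "0x17"},
    {"time": 63,  "id": 4769, "account": "ops01",  "service": "ldap/dc01",     "enc": "0x17"},
    {"time": 64,  "id": 4769, "account": "ops01",  "service": "krbtgt",        "enc": "0x17"},
    {"time": 900, "id": 4769, "account": "ops01",  "service": "MSSQLSvc/db02", "enc": "0x17"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES-issued tickets log 0x11 or 0x12
WINDOW, THRESHOLD = 300, 3  # flag >= THRESHOLD distinct RC4 SPNs from one account within WINDOW seconds

def kerberoasting_candidates(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: sorted SPNs} for accounts whose RC4 service-ticket requests for
    distinct SPNs cluster in time. A user normally touches a handful of services over a
    day; a burst of requests for many SPNs within seconds is the pattern worth triage."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["id"] != 4769 or ev["enc"] != RC4_HMAC:
            continue
        if ev["service"].lower().startswith("krbtgt"):
            continue  # 4769 events naming krbtgt are not requests for crackable service tickets
        per_account[ev["account"]].append((ev["time"], ev["service"]))
    hits = {}
    for account, requests in per_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            spns = {spn for t, spn in requests[i:] if t - start <= window}
            if len(spns) >= threshold:
                hits[account] = sorted(spns)
                break
    return hits
```

In an estate that still runs RC4-only services, raise the threshold or exclude those SPNs, since the encryption-type filter on its own produces false positives.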
How C|PENT Can Help with Kerberos
Despite certain limitations and vulnerabilities, the Kerberos authentication protocol remains widely used today. This means that cybersecurity professionals should familiarize themselves with Kerberos and other authentication protocols as part of their work to protect digital assets.
EC-Council’s Certified Penetration Testing Professional (C|PENT) program teaches students about authentication protocols such as Kerberos—as well as how to attack them with techniques such as Kerberoasting. The C|PENT course includes 40 hours of instruction across 14 in-depth modules about the essential penetration testing concepts.
References
IBM. (2021). The Kerberos ticket. https://www.ibm.com/docs/en/sc-and-ds/8.1.0?topic=concepts-kerberos-ticket
Microsoft. (2021). Kerberos Authentication Overview. https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
MIT. (2023). Kerberos: The Network Authentication Protocol. https://web.mit.edu/kerberos/
About the Author
David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.