Kerberos Part 1 - What is it and how does it work?

In the cybersecurity world, Kerberos is used for identity verification. It is also the name of the three-headed dog guarding the gates of Hades (Hell) in Greek mythology. In the case of the technology, the three heads are represented by the client, the server, and the Key Distribution Center (KDC). Understanding and protecting Kerberos is critical for cybersecurity.

What is Kerberos?

Kerberos is a network authentication protocol designed to verify the identity of users, services, and machines before granting access to resources. It was developed by the Massachusetts Institute of Technology (MIT) in the late 1980s. Although it has been around for a long time, it is found in almost every operating system, of which Active Directory (AD) is the most common implementation.

The Kerberos Consortium maintains Kerberos as an open-source project. Microsoft has implemented it based on Kerberos Network Authentication Service (V5) standard while adding extensions and continues to update it frequently given its importance in security.

How does Kerberos Work?

All steps of the Kerberos authentication process use secret-key cryptography to help prevent playback, eavesdropping or tampering.

Authentication Process: When a user logs into AD, they provide their credentials, such as their username and password. The client machine contacts the Key Distribution Center (KDC) to request a “ticket-granting ticket” (TGT). In AD, every Domain Controller (DC) performs the KDC role by providing both the authentication service and the “ticket granting service” (TGS).

Ticket-Granting Ticket (TGT): The TGT serves as a token that allows the user to request access to various services without repeatedly having to enter their password. The TGT is encrypted using the user’s password to ensure its security during transmission.

Service Tickets: When the user needs access to a specific resource, the client machine uses the TGT to request a “service ticket” from the KDC TGS. This service ticket is then presented to the relevant service and, if valid, grants access without the need for password re-entry.

Kerberos is designed to provide enhanced security by:

• Strong authentication – encrypted communications, no clear text passwords.

• Ticket expiration – Issued tickets have a limited valid lifetime.

• Mutual authentication – Both the client and the service verify each other’s identities, to help prevent the impersonation of legitimate users or services.

Kerberos is generally considered to be secure though like any security measure there are some methods that can be used to defeat it. In part 2 of the blog post we will examine some of those methods and steps you can take to minimize your risk.