What is the Kerberos protocol?
Kerberos is a network authentication protocol for client-server applications. It authenticates users and services to each other using symmetric cryptography and a trusted third party, so that no party ever sends its long-term secret key (or password) across the network. Kerberos V5 was originally specified in RFC 1510 (The Kerberos Network Authentication Service (V5)); that document has since been obsoleted by RFC 4120, which is the current standard definition.
Architecture of Kerberos
The Key Distribution Center, better known as the KDC, is at the core of Kerberos. It holds the long-term secret key of every user and service (every "principal") in the realm and uses those keys to issue tickets with which users and servers authenticate to each other. A KDC has two logical parts: the Authentication Service (AS), which authenticates the user and issues a ticket-granting ticket (TGT), and the Ticket-Granting Service (TGS), which exchanges a TGT for tickets to individual services.
The authentication process is considered secure because it
- does not send passwords or keys in plain text (only tickets and encrypted authenticators cross the network)
- does not rely on the host operating system's own authentication
- does not trust IP addresses
- does not require the physical security of every host on the network
Because the KDC holds every principal's secret key together with the user and server database, it is the single most sensitive component in the realm and must be protected accordingly. Kerberos clients are the network applications (login, file, mail and web services, and so on) that use Kerberos to authenticate.
The Messages of Kerberos Protocol
The ten message types of the protocol, grouped by the exchange they belong to:

| Message | Meaning | Exchange |
| --- | --- | --- |
| KRB_AS_REQ | Kerberos Authentication Service Request | Client asks the AS for a ticket-granting ticket |
| KRB_AS_REP | Kerberos Authentication Service Reply | AS returns the TGT and a session key encrypted under the user's key |
| KRB_TGS_REQ | Kerberos Ticket Granting Service Request | Client presents the TGT to the TGS and names a service |
| KRB_TGS_REP | Kerberos Ticket Granting Service Reply | TGS returns a ticket for that service |
| KRB_AP_REQ | Kerberos Application Request | Client presents the service ticket plus an authenticator to the server |
| KRB_AP_REP | Kerberos Application Reply | Server proves it decrypted the ticket (mutual authentication) |
| KRB_SAFE | Kerberos Safe (Checksummed) Application Message | Integrity-protected application data |
| KRB_PRIV | Kerberos Private (Encrypted) Application Message | Encrypted application data |
| KRB_CRED | Kerberos Credentials | Forwarding tickets and session keys to another host |
| KRB_ERROR | Kerberos Error | Error from the KDC or an application server |
Implementations of Kerberos
MIT Kerberos is the reference implementation and runs on Linux, DEC Unix, Solaris, Irix, Mac OS and Windows.
Other commercial and non-commercial implementations exist; Heimdal is a widely used open-source one. Microsoft's Active Directory, introduced with Windows 2000, ships its own Kerberos v5 implementation with vendor extensions such as the PAC authorization data carried inside tickets.
Weaknesses of Kerberos
Every user and server on the network has a secret key in the KDC's database, which must be kept completely secure. An attacker who gains administrative access to the KDC obtains all of those keys, including the key of the ticket-granting service (the krbtgt principal), and can therefore decrypt or forge tickets for any principal: that is complete control of the realm. Kerberos tickets and their session keys are also cached on client systems (a credential cache file on Unix-like systems, LSASS memory on Windows). An attacker with administrative access to a client can copy that cache and replay the tickets to impersonate the user who obtained them, without knowing the user's password, for as long as the tickets remain valid (pass-the-ticket).
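The three exchanges behind the message types listed above (AS, TGS, AP), followed by the two weaknesses just described, as an added Python example that is not code from this page or from any Kerberos implementation. The realm EXAMPLE.COM, the principals alice and host/fs.example.com, their passwords and the KDC/Client classes are all constructed for illustration, and the cipher (an HMAC-SHA256 keystream with an HMAC tag) is a stand-in for a real Kerberos encryption type, not Kerberos cryptography.

```python
"""Toy Kerberos V5 walk-through (constructed example): AS, TGS and AP exchanges,
then a stolen client cache and a stolen KDC key. Cipher is a stand-in, not an enctype."""
import hashlib, hmac, json, os, time

def string_to_key(password, salt):
    """Long-term key from a password; the salt is realm + principal name, as in Kerberos."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
    return ks[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag (illustrative cipher)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Rejects anything not sealed under `key`: wrong password, tampering, forgery."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify_ap_req(service_key, ap_req):
    """KRB_AP_REQ check, shared by the TGS (service = krbtgt) and application servers."""
    ticket = decrypt(service_key, ap_req["ticket"])        # only the service's key opens it
    auth = decrypt(bytes.fromhex(ticket["key"]), ap_req["authenticator"])
    now = time.time()
    if now > ticket["endtime"] or abs(now - auth["ctime"]) > 300 or auth["cname"] != ticket["cname"]:
        raise ValueError("expired ticket, clock skew over 300 s, or authenticator/ticket mismatch")
    return ticket, auth

class KDC:
    """Key Distribution Center: AS + TGS over one principal database (constructed)."""
    def __init__(self, realm, passwords):
        self.realm, self.tgs = realm, "krbtgt/" + realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in passwords.items()}
        self.keys[self.tgs] = os.urandom(32)    # the key every TGT is sealed with

    def _issue(self, cname, sname, enc_key):
        session = os.urandom(32)
        ticket = encrypt(self.keys[sname], {"cname": cname, "key": session.hex(), "endtime": time.time() + 36000})
        return {"ticket": ticket, "enc_part": encrypt(enc_key, {"sname": sname, "key": session.hex()})}

    def as_exchange(self, req):        # KRB_AS_REQ -> KRB_AS_REP: TGT + enc part under the user's key
        return self._issue(req["cname"], self.tgs, self.keys[req["cname"]])

    def tgs_exchange(self, req):       # KRB_TGS_REQ -> KRB_TGS_REP: service ticket under the TGT session key
        tgt, _ = verify_ap_req(self.keys[self.tgs], req)
        return self._issue(tgt["cname"], req["sname"], bytes.fromhex(tgt["key"]))

class Client:
    def __init__(self, cname, password, kdc):
        self.cname, self.kdc = cname, kdc
        self.key = string_to_key(password, kdc.realm + cname)
        self.cache = {}   # credential cache: sname -> (ticket, session key)

    def _store(self, rep, dec_key):
        part = decrypt(dec_key, rep["enc_part"])     # a wrong password fails here
        self.cache[part["sname"]] = (rep["ticket"], bytes.fromhex(part["key"]))

    def ap_req(self, sname):
        ticket, session = self.cache[sname]
        return {"ticket": ticket, "authenticator": encrypt(session, {"cname": self.cname, "ctime": time.time()})}

    def login(self):
        self._store(self.kdc.as_exchange({"cname": self.cname}), self.key)

    def get_service_ticket(self, sname):
        req = dict(self.ap_req(self.kdc.tgs), sname=sname)
        self._store(self.kdc.tgs_exchange(req), self.cache[self.kdc.tgs][1])

def forge_tgt(stolen_tgs_key, cname):
    """What a KDC compromise buys: a TGT for any name, with no password involved."""
    session = os.urandom(32)
    ticket = encrypt(stolen_tgs_key, {"cname": cname, "key": session.hex(), "endtime": time.time() + 36000})
    return {"ticket": ticket, "authenticator": encrypt(session, {"cname": cname, "ctime": time.time()})}

def demo():
    svc = "host/fs.example.com"                    # constructed realm, principals and passwords
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse", svc: "svc-secret"})
    fs_key = kdc.keys[svc]                         # the service's keytab copy of its key
    alice = Client("alice", "correct horse", kdc)
    alice.login()                                  # AS exchange
    alice.get_service_ticket(svc)                  # TGS exchange
    out = {"ap": verify_ap_req(fs_key, alice.ap_req(svc))[0]["cname"]}   # AP exchange
    thief = Client("alice", "unknown", kdc)        # local admin on alice's host copies her cache
    thief.cache = dict(alice.cache)                # pass-the-ticket: no password needed
    out["stolen_cache"] = verify_ap_req(fs_key, thief.ap_req(svc))[0]["cname"]
    forged = forge_tgt(kdc.keys[kdc.tgs], "alice")        # admin on the KDC has the krbtgt key
    rep = kdc.tgs_exchange(dict(forged, sname=svc))      # the TGS cannot tell it was forged
    out["forged_tgt"] = decrypt(fs_key, rep["ticket"])["cname"]
    return out
```

Running `demo()` shows all three paths authenticating as alice: the legitimate one, the replayed cache, and the ticket minted from the stolen krbtgt key. The last two succeed because nothing in the protocol ties a ticket to the password that originally produced it; only the secrecy of the cache and of the KDC's keys does.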
Encryption in Kerberos
Kerberos V5 as defined in RFC 1510 uses DES for encryption, and CRC-32, MD4, MD5 and DES-based MACs as checksum types (MDS in some reproductions of the list is a typo for MD5). Encryption and checksum types are negotiated fields of the protocol, so new algorithms can be added when the need arises: RFC 3962 added AES-based encryption types, which are the defaults in current implementations, and RFC 6649 deprecates DES while RFC 8429 deprecates 3DES and RC4. On an MIT client, `klist -e` lists the encryption types of the cached tickets, which is the quickest way to check that a realm is not still issuing DES or RC4 tickets.
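A krb5.conf fragment showing the weak and the hardened client-side setting side by side, as an added example that is not from this page or from any distribution's default configuration. The option names and encryption-type names are those of MIT Kerberos; the realm EXAMPLE.COM is a placeholder.

```ini
; Added example (MIT krb5 libdefaults); EXAMPLE.COM is a placeholder realm
[libdefaults]
    default_realm = EXAMPLE.COM

    ; Weak, legacy setting: DES and RC4 still permitted, so a downgraded KDC
    ; or an attacker who can influence negotiation gets DES/RC4 tickets
    ; permitted_enctypes = des-cbc-crc des-cbc-md5 rc4-hmac aes256-cts-hmac-sha1-96
    ; allow_weak_crypto = true

    ; Hardened setting: AES only; DES and RC4 are refused even if the KDC offers them
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    allow_weak_crypto = false
```

After changing the setting, obtain a fresh ticket and confirm with `klist -e` that the TGT and service tickets report only AES encryption types; a service principal that still has only DES or RC4 keys in the KDC database will fail to get a ticket until its keys are rotated.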