Explain the roles of different servers in the Kerberos protocol. How does the user get authenticated to different servers?
1 Answer
  • Kerberos is a centralized authentication service whose function is to authenticate users to servers and vice versa.
  • Kerberos is an authentication service developed at the Massachusetts Institute of Technology, USA, for open network computing environments.
  • Kerberos is based on the following idea: when you log in through Kerberos, a central server uses your user ID and password to create a token, which is matched against a private token on the server to which you are authenticating.
  • These tokens are called tickets.
  • Kerberos tickets: a ticket is an unforgeable, non-replayable, authenticated message sent to the requesting application.
  • Once Kerberos grants you the tickets, you do not need to log in again every time you communicate with the server.

  • Kerberos uses two types of tickets in authentication process:

    i. Ticket Granting Ticket(TGT)

    ii. Service Tickets.

  • Authentication Process:

    i. At the initial stage, a session is established with the Kerberos server.

    ii. The client authenticates itself to the Kerberos server, which forwards the user's identity to a Key Distribution Center (KDC).

    iii. If the user is authorized, the Kerberos server issues two messages:

    a. A session key (Sg), which is used in communication with the ticket granting server (G), and a ticket granting ticket (TGT) for the ticket granting server, which is time stamped. This is encrypted under the user's password, i.e. E(Sg + TGT, Pwd), and sent to the user's workstation.

    b. A copy of the session key (Sg) and the user's identity is sent to the ticket granting server. This is encrypted using a key shared between the Kerberos server and the ticket granting server.

    iv. Now, the user is authenticated if and only if the user can decrypt E(Sg + TGT, Pwd) with Pwd, the password of the user.

    v. The user ID and password remain secure, since they are never sent over the network.

    vi. This authentication process is shown as follows:

    [Figure: Kerberos authentication process]

    vii. Now, whenever the user wants some service from the distributed system, the session key Sg can be used.

    viii. For example, using this Sg, the user requests a ticket from the ticket granting server to access a file.

    ix. The ticket granting server then verifies whether the user is authorized and returns a ticket along with a session key (SF) for the file server, as shown in the figure below:

    [Figure: ticket granting server issuing a service ticket and session key SF]

    x. The ticket contains authentication information about the user and information about the file which is to be accessed. It also contains an expiration date to prevent replay attacks.

  • Advantages of Kerberos:

    i. Faster authentication - The Kerberos protocol uses a unique ticketing system that provides faster authentication.

    ii. Mutual authentication - Kerberos supports mutual authentication. This means that the client authenticates to the service that is responsible for the resource and that the service also authenticates to the client. This is a big difference from NTLM.

    iii. Kerberos is an open standard - Microsoft based its Kerberos implementation on the standard defined in RFC 1510 (this is Kerberos Version 5). This is why Kerberos can provide single sign-on (SSO) between Windows Server 2003 and other OSs supporting an RFC 1510-based Kerberos implementation.

    iv. Support for authentication delegation - Authentication delegation can be looked at as the next step after impersonation: Thanks to impersonation, a service can access local resources on behalf of a user; thanks to delegation, a service can access remote resources on behalf of a user.

  • Drawbacks and Limitations:

    i. Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, new users cannot log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms.

    ii. Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail.

    iii. The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244.

    iv. In case of symmetric cryptography adoption (Kerberos can work using symmetric or asymmetric (public-key) cryptography), since all authentications are controlled by a centralized key distribution center (KDC), compromise of this authentication infrastructure will allow an attacker to impersonate any user.

    v. Each network service which requires a different host name will need its own set of Kerberos keys. This complicates virtual hosting and clusters.

    vi. Kerberos requires user accounts, user clients and the services on the server to all have a trusted relationship to the Kerberos token server (All must be in the same Kerberos domain or in domains that have a trust relationship between each other).

    vii. The required client trust makes creating staged environments (e.g., separate domains for test environment, pre-production environment and production environment) difficult: Either domain trust relationships need to be created that prevent a strict separation of environment domains or additional user clients need to be provided for each environment.
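The three exchanges described in the answer above (AS reply E(Sg + TGT, Pwd), TGS reply with SF and a service ticket, and the service's check of the ticket's expiry plus a fresh authenticator) can be walked through end to end in code. The following is an added example written for this page; it is not code from the answer, from MIT Kerberos or from any other implementation. The realm `EXAMPLE.ORG`, the user `alice`, the `fileserver` service, the ticket lifetimes and the `encrypt`/`decrypt` helpers are all constructed for the demonstration: the helpers are a toy authenticated-encryption scheme (SHA-256 keystream plus HMAC tag) and `user_key` uses PBKDF2 as a stand-in for the real Kerberos string-to-key function, so none of this is wire-compatible with RFC 1510/4120 Kerberos.

```python
import hashlib
import hmac
import json
import os

def _stream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt(key, obj):
    """Toy E(obj, key): nonce || ciphertext || HMAC tag. Only a holder of key can read or forge it."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def user_key(password, realm, user):
    """Long-term key derived from the password (PBKDF2 stands in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 20_000)

def authenticator(key, user, now):
    """Timestamped message under a session key: proves the sender holds Sg or SF right now."""
    return encrypt(key, {"user": user, "ts": now})

def check_auth(key, blob, user, now, window=300):
    auth = decrypt(key, blob)
    if auth["user"] != user or abs(now - auth["ts"]) > window:
        raise ValueError("authenticator does not match ticket or is stale")

class KDC:
    """Kerberos server: Authentication Server (AS) plus Ticket Granting Server (TGS, 'G')."""
    def __init__(self, realm):
        self.realm, self.users, self.services = realm, {}, {}
        self.tgs_key = os.urandom(32)          # key shared between AS and TGS (step iii.b)
    def register_user(self, user, password):
        self.users[user] = user_key(password, self.realm, user)
    def register_service(self, name):
        self.services[name] = os.urandom(32)   # handed to the service when it is deployed
        return self.services[name]
    def as_exchange(self, user, now):
        """Step iii: E(Sg + TGT, Pwd). The TGT itself is sealed under the TGS key."""
        sg = os.urandom(32)
        tgt = encrypt(self.tgs_key, {"user": user, "Sg": sg.hex(), "expires": now + 600})
        return encrypt(self.users[user], {"Sg": sg.hex(), "TGT": tgt.hex()})
    def tgs_exchange(self, tgt, auth, service, now):
        """Steps vii-ix: check the TGT and authenticator, return SF plus a ticket for the service."""
        body = decrypt(self.tgs_key, tgt)
        if now > body["expires"]:
            raise ValueError("TGT expired")
        sg = bytes.fromhex(body["Sg"])
        check_auth(sg, auth, body["user"], now)
        sf = os.urandom(32)
        ticket = encrypt(self.services[service], {"user": body["user"], "SF": sf.hex(), "expires": now + 300})
        return encrypt(sg, {"SF": sf.hex(), "ticket": ticket.hex()})

class Client:
    def __init__(self, user, password, realm):
        self.user, self.key = user, user_key(password, realm, user)
    def login(self, kdc, now):
        """Step iv: authenticated iff the password-derived key decrypts the AS reply."""
        reply = decrypt(self.key, kdc.as_exchange(self.user, now))
        self.sg, self.tgt = bytes.fromhex(reply["Sg"]), bytes.fromhex(reply["TGT"])
    def service_ticket(self, kdc, service, now):
        auth = authenticator(self.sg, self.user, now)
        reply = decrypt(self.sg, kdc.tgs_exchange(self.tgt, auth, service, now))
        return bytes.fromhex(reply["SF"]), bytes.fromhex(reply["ticket"])

class FileService:
    def __init__(self, key):
        self.key = key                          # shared only with the KDC; never sees the password
    def accept(self, ticket, auth, now):
        """Step x: the ticket names the user and carries an expiry; the authenticator blocks replay."""
        body = decrypt(self.key, ticket)
        if now > body["expires"]:
            raise ValueError("service ticket expired")
        check_auth(bytes.fromhex(body["SF"]), auth, body["user"], now)
        return body["user"]

def fails(fn):
    """True when fn raises ValueError (the failure path of every check above)."""
    try:
        fn()
        return False
    except ValueError:
        return True

def run_demo(now=1_700_000_000):
    """Returns (user the file server accepted, wrong password rejected?, expired ticket rejected?)."""
    kdc = KDC("EXAMPLE.ORG")                    # constructed realm, accounts and service
    kdc.register_user("alice", "correct horse battery")
    files = FileService(kdc.register_service("fileserver"))
    alice = Client("alice", "correct horse battery", "EXAMPLE.ORG")
    alice.login(kdc, now)
    sf, ticket = alice.service_ticket(kdc, "fileserver", now)
    who = files.accept(ticket, authenticator(sf, "alice", now), now)
    bad_pw_rejected = fails(lambda: Client("alice", "guess", "EXAMPLE.ORG").login(kdc, now))
    expired_rejected = fails(lambda: files.accept(ticket, authenticator(sf, "alice", now + 3600), now + 3600))
    return who, bad_pw_rejected, expired_rejected
```

`run_demo()` returns `('alice', True, True)`: the file server learns the user's identity from the ticket sealed under its own key, the wrong password never reaches the network and simply fails to decrypt the AS reply (step iv), and a ticket presented after its expiry is refused (step x). The file server never holds the user's password or the TGS key, which is the point of the two-ticket design in the answer.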
