What is Kerberos?
Kerberos is one of the oldest authentication protocols in existence and it has been heavily used by Microsoft for authentication purposes for decades. Developed at MIT in the 1980's, it became an IETF Standard in 1993. Kerberos, so named as a reference to the three-headed dog from ancient Greek mythology, uses a three way authentication mechanism that inserts a trusted third party called the Key Distribution Center (KDC) into the authentication process. This KDC breaks down into two logical services called the Authentication Server (AS) and the Ticket Granting Server (TGS). The fundamental concept is to eliminate the need to send passwords over the network; instead a hash of the user's password is sent and checked on both sides of the connection.
Over the years Kerberos has undergone several revisions with the most current being Version 5, Release 1.18.3 released in November of 2020. Early versions of Kerberos used the now defunct 3DES encryption algorithm which was later replaced by the Advanced Encryption Standard (AES) as discussed in RFC3962. In 2008 shortly after the public release of TLS 1.2 the IETF began exploring the idea of using TLS 1.2 to enhance Kerberos security, since then support has been added though it does not come enabled by default.
How does Kerberos work?
While it is derived from symmetric key algorithms which use the same key for encryption as for decryption, Kerberos is capable of both symmetric and asymmetric cryptography.
Authentication is a complex process, but here is a simplified rundown:
- Client enters login information.
- The Kerberos client creates an encryption key and sends a message to the authentication server (AS).
- The AS uses this key to create a temporary session key and sends a message to the ticket granting service (TGS).
- TGS grants the client a ticket and server session key.
- Client uses these to authenticate with the server and get access.
What are common security vulnerabilities with Kerberos?
Attackers have continued to target Kerberos directly as a vector for theft or forgery of authentication material. Tactics such as Kerberos golden ticket attacks, silver ticket attacks, pass-the-ticket, and more have been used as privilege escalation mechanisms by savvy attackers.
In 2017, researches found a vulnerability which had existed in Kerberos for more than twenty years. They were able to get Kerberos to send unencrypted tickets which could be used to bypass authentication, using the fact that Kerberos didn't encrypt the entirety of the tickets, but left some if it in plain text. This particular vulnerability has since been patched, but it still has vulnerabilities with several versions of Windows Server, Vista, and Windows 7, 8, and 8.1.