Protocol network icon


What is Kerberos?

Say you want to access an insecure network, but don't want your password shared across it. You could use Kerberos, a network authentication protocol developed by MIT, in order to verify your identity without exposing login information.

Named after the guard dog of Hades, Kerberos uses mutual authentication, requiring both the user and server to prove their identities.

How does Kerberos work?

While it is derived from symmetric key algorithms which use the same key for encryption as for decryption, Kerberos is capable of both symmetric and asymmetric cryptography.

Authentication is a complex process, but here is a simplified rundown:

  1. Client enters login information.
  2. The Kerberos client creates an encryption key and sends a message to the authentication server (AS).
  3. The AS uses this key to create a temporary session key and sends a message to the ticket granting service (TGS).
  4. TGS grants the client a ticket and server session key.
  5. Client uses these to authenticate with the server and get access.

What are common security vulnerabilities with Kerberos?

In 2017, researches found a vulnerability which had existed in Kerberos for more than twenty years. They were able to get Kerberos to send unencrypted tickets which could be used to bypass authentication, using the fact that Kerberos didn't encrypt the entirety of the tickets, but left some if it in plain text. This particular vulnerability has since been patched, but it still has vulnerabilities with several versions of Windows Server, Vista, and Windows 7, 8, and 8.1.