CISSP Study Group/Blog
Help Me Build a Good Reference Guide
Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. (Wikipedia)
Kerberos is the default authentication protocol in Windows Active Directory domains and is also available on Linux and UNIX through the MIT and Heimdal implementations. It is a ticket-based system that is very commonly used to authenticate users and services. Here are the main focus points for the CISSP review:
KERBEROS AUTHENTICATION PROTOCOL

KERBEROS FACTS

- Defined as a trusted third-party authentication protocol: both the client and the service trust the KDC, and neither needs to trust the other in advance.
- The 3 components of Kerberos are:
    1. Key Distribution Center (KDC): holds the long-term secret keys of every user and service and hosts the two services below.
    2. Authentication Service (AS): authenticates a principal (this is where the password is checked) and issues it a ticket-granting ticket (TGT).
    3. Ticket Granting Service (TGS): accepts a valid TGT and issues tickets for individual services.
    The AS and TGS are logical services of the KDC and normally run on the same host (every Active Directory domain controller is a KDC).
- KERBEROS 3 PHASE / 6 STEP AUTHENTICATION PROCESS
    FIRST PHASE - Client obtains credentials to request access to Kerberized services.
    o The client authenticates to the Authentication Service of the KDC for its realm. This is the only step in which the password and the associated password policy are checked; the KDC never receives the password itself, only proof that the client holds the key derived from it.
    o The KDC issues the client a ticket-granting ticket, the credential the client presents whenever it wants to use a Kerberized service. The TGT is valid for a configurable lifetime (10 hours by default in Active Directory) and is cached on the client until it expires. The base protocol has no way to recall a ticket that has already been issued: disabling the account makes the KDC refuse further ticket requests, but a service ticket the client already holds stays valid at the service until it expires.
    SECOND PHASE - Client requests authentication for a specific service.
    o The client contacts the TGS with the ticket-granting ticket when it wants to use a particular Kerberized service.
    o The TGS issues a ticket for that service, encrypted with that service's long-term key.
    FINAL PHASE - Client presents its credentials to the service.
    o The client presents the service ticket, together with a fresh authenticator, to the service.
    o The service authenticates the client by decrypting the ticket with its own key and verifying that the ticket and authenticator are valid. If mutual authentication was requested, the service replies with the authenticator's timestamp encrypted under the session key, which proves to the client that the service holds the right key.
- The authenticator is a message encrypted under the session key that contains the client's name and a timestamp. The TGS or service validates it (name matches the ticket, timestamp within the allowed clock skew) before providing the requested service; it proves the sender knows the session key and that the request is fresh.
- Because all the secret keys are held on the KDC and all authentication is performed there, the KDC is vulnerable to both physical attacks and attacks from malicious code, and must be protected like a root CA (Tier 0 in an Active Directory environment).
- Kerberos is vulnerable to replay when a captured ticket and authenticator are reused within the allowed clock-skew window (5 minutes by default). Services mitigate this with a replay cache of recently seen authenticators, and all hosts must keep their clocks synchronized (NTP), since an out-of-skew timestamp is rejected outright.
- In the first phase the client decrypts the AS reply with its own secret key (K_C, derived from its password) to obtain the session key K_C,TGS; from then on it uses that session key, not its password, to communicate with the TGS. After the second phase it holds a second session key, K_C,S, for the service it wishes to access.
- The Key Distribution Center represents a single point of failure, which is why production realms run several KDCs (multiple domain controllers, or primary and replica KDCs in MIT Kerberos).
- Kerberos authenticates principals; it does not manage access permissions. The access decision belongs to the service (Windows carries the user's group SIDs inside the ticket's PAC, but the resource still makes the authorization decision).
- Kerberos uses symmetric key cryptography and is credential (ticket) based.
- The KDC contains a database that holds the secret (private, not public) keys of all principals.
- Ticket-based system using two separate tickets (the TGT and the service ticket). The checksum types in the original RFC 1510 specification were CRC-32, MD4 and MD5; these are deprecated, and current deployments use AES encryption types with HMAC-SHA1 or HMAC-SHA256 integrity. The base protocol uses no public key cryptography at all; the PKINIT extension (RFC 4556) lets a client authenticate to the AS with a certificate instead of a password (for example, smart-card logon in Windows).
- Note: like the Kerberos protocol, SESAME is also subject to password guessing.
- PRINCIPALS are defined as the users, applications, and services that are provided security services by the KDC within the Kerberos network authentication protocol.
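The three phases above, the authenticator check and the replay caveat, as an added worked example that is not part of the original page: a small Python simulation of a KDC (AS + TGS), a client and a service, with the service keeping a replay cache. The realm EXAMPLE.COM, the principals alice and host/fileserver, the 600-second ticket lifetime, the PBKDF2 string-to-key stand-in and the toy HMAC-based cipher are all assumptions made so the script runs on the standard library alone; real Kerberos uses AES encryption types and ASN.1-encoded messages, not JSON.

```python
"""Toy Kerberos v5 run: AS exchange, TGS exchange, AP exchange, replay cache.
Constructed example; the HMAC-SHA256 keystream + encrypt-then-MAC 'cipher' is NOT a real etype."""
import hashlib, hmac, json, secrets, time

SKEW = 300  # tolerated clock skew in seconds (5 minutes, the usual default)

def string_to_key(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)  # string2key stand-in

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under a symmetric key (toy cipher)."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, client: str, now: int) -> None:
    """What every verifier checks: name matches the ticket, timestamp inside the skew window."""
    if auth["client"] != client or abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator rejected: name mismatch or clock skew")

def make_authenticator(session_key: bytes, client: str) -> bytes:
    t = time.time()
    return seal(session_key, {"client": client, "ts": int(t), "usec": int(t * 1e6) % 1_000_000})

class KDC:
    """AS and TGS in one process; its database holds every principal's secret key."""
    def __init__(self, realm: str):
        self.realm, self.db = realm, {"krbtgt/" + realm: secrets.token_bytes(32)}
    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, self.realm + name)
    def _issue(self, client: str, service: str, now: int, life: int = 600):
        sk = secrets.token_bytes(32).hex()  # fresh session key for client <-> service
        ticket = seal(self.db[service], {"client": client, "key": sk, "end": now + life})
        return ticket, {"service": service, "key": sk, "end": now + life}
    def as_exchange(self, client: str, preauth: bytes):
        """Phase 1: the only step that involves the password (PA-ENC-TIMESTAMP preauth)."""
        now = int(time.time())
        check_authenticator(unseal(self.db[client], preauth), client, now)
        tgt, rep = self._issue(client, "krbtgt/" + self.realm, now)
        return seal(self.db[client], rep), tgt
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Phase 2: TGT + authenticator in, service ticket out; no password involved."""
        now = int(time.time())
        tgt_body = unseal(self.db["krbtgt/" + self.realm], tgt)
        if tgt_body["end"] < now:
            raise ValueError("TGT expired")
        k_tgs = bytes.fromhex(tgt_body["key"])
        check_authenticator(unseal(k_tgs, authenticator), tgt_body["client"], now)
        ticket, rep = self._issue(tgt_body["client"], service, now)
        return seal(k_tgs, rep), ticket

class Service:
    """Phase 3 verifier with a replay cache of authenticators seen inside the window."""
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()
    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:
        now = int(time.time())
        body = unseal(self.key, ticket)  # only the service's own key opens its ticket
        if body["end"] < now:
            raise ValueError("service ticket expired")
        auth = unseal(bytes.fromhex(body["key"]), authenticator)
        check_authenticator(auth, body["client"], now)
        stamp = (auth["client"], auth["ts"], auth["usec"])
        if stamp in self.seen:  # identical authenticator inside the window: replay
            raise ValueError("replay detected")
        self.seen.add(stamp)
        return body["client"]

def run_demo() -> dict:
    """Six steps for alice -> host/fileserver, then an eavesdropper replays the AP_REQ."""
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse battery staple")
    kdc.add_principal("host/fileserver", "svc-random-password")
    fileserver = Service(kdc.db["host/fileserver"])  # service holds its own key (keytab)
    k_alice = string_to_key("correct horse battery staple", "EXAMPLE.COMalice")
    as_rep, tgt = kdc.as_exchange("alice", make_authenticator(k_alice, "alice"))
    k_tgs = bytes.fromhex(unseal(k_alice, as_rep)["key"])  # K(C,TGS), never the password again
    tgs_rep, ticket = kdc.tgs_exchange(tgt, make_authenticator(k_tgs, "alice"), "host/fileserver")
    k_svc = bytes.fromhex(unseal(k_tgs, tgs_rep)["key"])  # K(C,S)
    ap_req = make_authenticator(k_svc, "alice")
    out = {"first": fileserver.ap_exchange(ticket, ap_req)}
    try:  # the same captured ticket + authenticator, resent inside the skew window
        out["replay"] = fileserver.ap_exchange(ticket, ap_req)
    except ValueError as e:
        out["replay"] = str(e)
    return out
```

Running `run_demo()` returns the authenticated client name for the first AP_REQ and "replay detected" for the second. Note what each party can open: the TGT is readable only by the KDC (krbtgt key), the service ticket only by the service, and the replies only by the client, which is why the password is needed exactly once. Remove the replay cache and the second call succeeds, which is the exam point about replay within the time window.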