Kerberos — the magic behind authentication

Kerberos
Kerberos authentication is the default authorization technology used by Microsoft Windows, and implementations of Kerberos exist in Apple OS, FreeBSD, UNIX, and Linux. But how does it work, and why will it stay the default?

The beginning and origin

First, let’s go back to Greek mythology, where the name Kerberos appears for the first time. Kerberos, or Cerberus as some of you might know him, guards the gates to the Underworld. He’s a big three-headed dog with a really bad temper. Because of this strong visual and history, the name Kerberos was chosen by the MIT computer scientists Steve Miller and Clifford Neuman for their computer network authentication protocol.

Microsoft introduced their version of Kerberos in Windows 2000. Since then it has become a standard for websites and Single Sign-On implementations across all platforms. The Kerberos Consortium maintains Kerberos as an open-source project. The strong cryptography and third-party ticket authorization make it much more difficult for cybercriminals to infiltrate your network and/or impersonate your users.

Kerberos has made the internet and its users more secure, and enables everybody to do more work on the Internet or in the office without compromising safety.

Kerberos in a nutshell

Basically, Kerberos comes down to this:

  • a protocol for authentication
  • uses tickets to authenticate
  • avoids storing passwords locally or sending them over the internet
  • involves a trusted 3rd-party
  • built on symmetric-key cryptography

You have a ticket — your proof of identity, encrypted with a secret key for the particular service requested — on your local machine; so long as it’s valid, you can access the requested service within a Kerberos realm. To fully understand the steps with Kerberos, have a look at this brief video.

Typically, this is used within internal environments. Perhaps you want to access your internal payroll site to review what little bonus you have received. Rather than re-entering your username and password, your ticket (cached on your system) is used to authenticate, allowing for single sign-on.

How do you authenticate with Kerberos?

Hypergate authentication flow

Here are the most basic steps taken to authenticate in a Kerberized environment:

  • The client requests an authentication ticket (TGT) from the Key Distribution Center (KDC)
  • The KDC verifies the credentials and sends back an encrypted TGT and session key
  • The TGT is encrypted using the Ticket Granting Service (TGS) secret key
  • The client stores the TGT and when it expires the local session manager will request another TGT (this process is transparent to the user)

If the client is requesting access to a service or other resource on the network, this is the process:

  • The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access
  • The KDC verifies the TGT of the user and that the user has access to the service
  • The TGS sends a valid session key for the service to the client
  • The client forwards the session key to the service to prove the user has access, and the service grants access
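The two exchanges above, modelled end to end as an added example (not code from the original article or from Hypergate): a toy KDC issues a TGT sealed under the krbtgt/TGS key, then a service ticket sealed under the service's key, and each party can only open what it holds the key for. The `seal`/`unseal` construction, the principal names, keys, ACL and lifetime are constructed stand-ins, not a real Kerberos encryption type or database.

```python
import hashlib, hmac, json, os
def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()  # toy stand-in for Kerberos string2key

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC, NOT a real Kerberos etype: only holders of `key` can read or forge the blob."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

# Constructed KDC database; the krbtgt (TGS) key and the service key never leave the KDC/service.
KDC_KEYS = {"alice": derive_key("alice-pw"), "krbtgt": derive_key("tgs-secret"),
            "HTTP/payroll": derive_key("payroll-secret")}
ACL, LIFETIME = {"HTTP/payroll": {"alice"}}, 10 * 3600

def as_exchange(user: str, now: int):
    """AS-REQ/AS-REP: no password travels; the reply is only readable with the user's key."""
    sk = os.urandom(16).hex()
    tgt = seal(KDC_KEYS["krbtgt"], {"user": user, "sk": sk, "exp": now + LIFETIME})
    return seal(KDC_KEYS[user], {"sk": sk, "exp": now + LIFETIME}), tgt

def tgs_exchange(tgt: bytes, spn: str, now: int):
    """TGS-REQ/TGS-REP: the KDC opens the TGT with its own key, checks expiry and access, issues a ticket."""
    t = unseal(KDC_KEYS["krbtgt"], tgt)  # a client cannot forge or alter this part
    if now >= t["exp"]:
        raise PermissionError("TGT expired; the client must request a new one")
    if t["user"] not in ACL.get(spn, set()):
        raise PermissionError("no access to " + spn)
    svc_sk = os.urandom(16).hex()
    ticket = seal(KDC_KEYS[spn], {"user": t["user"], "sk": svc_sk, "exp": now + LIFETIME})
    return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}), ticket  # sealed under the TGT session key

def service_accepts(spn: str, ticket: bytes, now: int) -> str:
    t = unseal(KDC_KEYS[spn], ticket)  # the service needs only its own key, never the KDC or a password
    if now >= t["exp"]:
        raise PermissionError("service ticket expired")
    return t["user"]

def login_and_access(user: str, password: str, spn: str, now: int = 1_700_000_000) -> str:
    enc, tgt = as_exchange(user, now)
    session = unseal(derive_key(password), enc)  # a wrong password fails here, at the client
    enc_svc, ticket = tgs_exchange(tgt, spn, now)
    unseal(bytes.fromhex(session["sk"]), enc_svc)  # client learns the service session key
    return service_accepts(spn, ticket, now)  # identity the service ends up trusting
```

Note that a wrong password is detected at the client when it fails to open the AS reply, an expired or tampered TGT is rejected by the KDC, and the service never needs to talk to the KDC at all.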

Kerberos has existed for quite a while — is it obsolete?

Kerberos is far from obsolete and has proven itself. The primary advantage of Kerberos is the ability to use strong encryption algorithms to protect passwords and authentication tickets. Even with today’s computers, any attack on the encryption protocol used by the current version of Kerberos will take longer than our solar system has left to live. So, to be frank: Kerberos is going to be around for a while — we are pretty sure.

Is there a replacement for Kerberos?

There are no real competitors to replace Kerberos so far. Most of the advancements in security are there to protect your password or to provide a different method of validating who you are to Kerberos. Kerberos is still the back-end technology. Kerberos excels at Single Sign-On (SSO), which makes it much more usable in a modern internet-based and connected workplace. With SSO you prove your identity once to Kerberos, and then Kerberos passes your Ticket Granting Service to other services or machines as proof of your identity.
Kerberos authentication is the default authorization technology used by the big players: Microsoft Windows uses it, and implementations of Kerberos exist as well in Apple OS, FreeBSD, UNIX, and Linux.

What about Mobile?

Single Sign-On has always been a challenge on mobile phones. But Apple has managed to provide a Single Sign-On solution since iOS 7. The second big player in mobile operating systems — Google’s Android — has been left behind. Now that companies have to switch to Android Enterprise, because its predecessor is discontinued in 2019, the Android world is missing an important feature which used to work: native Kerberos SSO. Therefore we at Hypergate have created a cross-enterprise mobility management solution, called Hypergate. This neat application closes the Kerberos Single Sign-On gap on Android Enterprise. Hypergate allows you to run a holistic BYOD strategy with no negative impact on security or infrastructure. Furthermore, this finally makes Android phones more attractive for businesses.

Get Truly Mobile

There is nothing more frustrating than trying to work in a flexible way from your mobile device, only to be reliant on having access to a computer for something as simple, yet important, as resetting your password. With Hypergate Authenticator, you can allow staff to become truly mobile. They can securely access the company resources they need. If there is an issue with a user’s password, they can change it themselves, with ease.
The same user experience on a mobile device as on a computer, and no dependency on access management processes. Make technology your productivity enhancer, not the opposite. If you want additional information on how the investment bank Jefferies has optimised their infrastructure, click here for the case study.

Hypergate Files

Hypergate Files is a very simple file browser that provides seamless access to on-premise network shares. Let your users collaborate freely with their teams and edit all files directly on their mobile devices. All file types are supported by their native apps: no special viewer, editor or custom implementation, just pure usability.

Hypergate Authenticator

Hypergate Authenticator delivers a seamless and secure Single Sign-On solution integrating directly with Active Directory. The solution leverages industry standards like Kerberos to provide the best possible user experience without compromising on security. Save IT support costs by allowing your users to change or reset their expired passwords on their own devices, no computer needed.