Kerberos
Authentication
Traditionally, when users access computer systems, they do so by entering a password. The
challenge with this authentication method is that if hackers obtain the password, they can take on
the user's identity and gain access to an organization's network. Organizations need a better way to
protect their systems and users. This is where Kerberos comes in.
A Kerberos is a system or router that provides a gateway between users and the internet. Therefore,
it helps prevent cyber attackers from entering a private network. It is a server, referred to as an
“intermediary” because it goes between end-users and the web pages they visit online.
What Is Kerberos?
In mythology, Kerberos (also known as Cerberus) is a large, three-headed dog that guards the gates
to the underworld to keep souls from escaping. In our world, Kerberos is the computer network
authentication protocol initially developed in the 1980s by Massachusetts Institute of Technology
(MIT) computer scientists. The idea behind Kerberos is to authenticate users while preventing
passwords from being sent over the internet.
Kerberos emerged at the same time as the Domain Name System (DNS), in 1983, so it has been around
for a while. Originally, it was designed for MIT's educational project called Project Athena, but today
it supports a large breadth of functions, including single sign-on (SSO) implementations, and serves as
the go-to authentication protocol for websites. Many popular operating systems, including Windows,
have Kerberos built in. Kerberos is a widely used service that, like DNS, most users are not even
aware they are using.
It Is Mature
Kerberos has been in use for a while, which in terms of security, says a lot about its effectiveness.
Kerberos meets the requirements of modern distributed systems. It enables secure authentication
within open environments with insecure communication links.
It Is Architecturally Sound
The sound, well-designed architectural foundations of Kerberos allow it to evolve and integrate with
other systems.
It Is Integrated Into Popular Operating Systems
Kerberos is already integrated into popular operating systems and software applications and has
become a critical component of IT infrastructure. It is the default authorization technology in
Microsoft Windows. It uses third-party ticket authorization and strong cryptography to make it harder
for hackers to gain access to a corporate network. With Kerberos, organizations can access the
internet without having to worry about compromising their safety.
Kerberos provides a credible security solution for businesses of all sizes. But how does Kerberos
authentication work, exactly?
Kerberos uses symmetric key cryptography and a key distribution center (KDC) to authenticate and
verify user identities. A KDC involves three aspects:
1. A ticket-granting server (TGS) that connects the user with the service server (SS)
2. A Kerberos database that stores the password and identification of all verified users
3. An authentication server (AS) that performs the initial authentication
During authentication, Kerberos stores the specific ticket for each session on the end-user's device.
Instead of a password, a Kerberos-aware service looks for this ticket. Kerberos authentication takes
place in a Kerberos realm, an environment in which a KDC is authorized to authenticate a service,
host, or user.
The parties involved in a Kerberos authentication flow are:
1. The client, which initiates the service request on the user's behalf
2. The server, which hosts the service that the user needs access to
3. The AS, which performs client authentication. If authentication is successful, the client is issued
a ticket-granting ticket (TGT), or user authentication token, which is proof that the client has
been authenticated.
4. The KDC and its three components: the AS, the TGS, and the Kerberos database
5. The TGS application, which issues service tickets
Access Control
The Kerberos authentication protocol enables effective access control. Users benefit from a single
point for keeping track of all logins and the enforcement of security policies.
Mutual Authentication
Kerberos authentication allows service systems and users to authenticate each other. During all
steps of the process, the user and the server will know that the counterparts that they are interacting
with are authentic.
Each ticket in Kerberos has timestamps and lifetime data, and the duration of authentication is
controlled by admins.
Reusable Authentication
Kerberos authentication is durable and reusable. Each user will only have to be verified by the system
once. Then throughout the lifetime of the ticket, the user can authenticate without the need to
reenter personal information.
Security
Multiple secret keys, third-party authorization, and cryptography make Kerberos a secure verification
protocol. Passwords are not sent over the networks, and secret keys are encrypted, making it difficult
for attackers to impersonate users or services.
Kerberos is an effective method for managing security threats. However, there are some challenges.
Some of the more prevalent weaknesses include:
Each Network Service Needs a Set of Kerberos Keys
Network services that require different hostnames will need their own set of Kerberos keys, which
can present challenges with cluster and virtual hosting.
The date and time configurations of the hosts need to be synchronized within predefined limits.
Otherwise, authentication will fail because tickets have a limited lifetime.
The Kerberos protocol flow involves three secret keys: the client/user hash, the TGS secret key, and the SS
secret key. The basic protocol flow steps are as follows:
1. Initial Client Authentication Request: The protocol flow starts with the client logging in to the
domain. In this step, the user asks the AS for the TGT, or authentication token. The TGT
request is sent to the Kerberos KDC.
2. Verification of Client Credentials: The KDC must verify the user's credentials before sending an
encrypted session key and TGT. The AS checks that both the TGS and the client exist in the
database. If both entries are found, the AS generates the secret key. It also creates a session
key (SK1) that is encrypted with the user's secret key, and a TGT containing the client network address,
identification (ID), timestamp, lifetime, and SK1. The TGT is then encrypted with the TGS secret key.
3. Message Decryption: The client uses the client/user hash, or secret key, to decrypt the message and
extract the TGT and SK1, then generates the authenticator that it will present to the TGS.
4. Request for Access Using the TGT: The client then requests a ticket for the SS by sending
the authenticator and the extracted TGT to the TGS.
5. Creation of Ticket for the File Server: The TGS secret key is used to decrypt the TGT from the
client and extract SK1. The TGS also decrypts the authenticator, verifies that it matches the
network address and client ID in the TGT, and checks that the TGT has not expired by using the
extracted timestamp. If all checks succeed, the KDC generates a shared service
session key (SK2) for the target server and the client. The KDC then creates a service ticket
containing the client network address, ID, timestamp, and SK2. This ticket is encrypted with the
server's secret key, and the client receives the service ticket together with SK2, which is
encrypted with SK1.
6. Authentication Using the File Ticket: The client then uses the file ticket to authenticate by
decrypting the message with SK1 and extracting SK2. It generates another
authenticator, encrypted with SK2, that includes the client ID, network address, and timestamp.
The client then sends the service ticket along with the new authenticator to the target server.
7. Decryption and Authentication of the Target Server: As the final step in the Kerberos
protocol, the target server decrypts the service ticket with its own secret key and extracts SK2.
SK2 decrypts the authenticator, and checks are performed to ensure that
the client network address and ID from the service ticket and the authenticator match. Once all
checks have passed, the client receives a message from the server confirming that the
server and the client have authenticated each other.
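The seven steps above modelled end to end, as an added example that is not code from the original page or from Fortinet: a Python sketch of the AS, TGS and service exchanges showing which of the three secret keys protects each message, where SK1 and SK2 are issued, and the address/ID and expiry checks. The seal/open authenticated-encryption helper, the user name alice, the address 10.0.0.5 and all keys are constructed for this example; it is a teaching model, not a Kerberos implementation.

```python
import hashlib, hmac, json, os, time

def _ks(key, nonce, n):  # HMAC-SHA256 counter-mode keystream of at least n bytes
    return b"".join(hmac.digest(key, nonce + bytes([i]), "sha256") for i in range(n // 32 + 1))

def seal(key, obj):  # toy authenticated encryption, a stand-in for a real Kerberos enctype
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def open_(key, blob):  # check the tag first: a wrong key or a tampered blob raises
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# Constructed KDC database secrets: USER_KEY is the "client/user hash", TGS_KEY and
# SS_KEY the TGS and service server secret keys; LIFETIME is the admin-set ticket life.
USER_KEY = hashlib.sha256(b"alice:Passw0rd!").digest()
TGS_KEY, SS_KEY, LIFETIME = os.urandom(32), os.urandom(32), 600

def as_exchange(client_id, addr, now):
    """Steps 1-2: AS returns SK1 under the user key and a TGT under the TGS key."""
    tgt = {"id": client_id, "addr": addr, "ts": now, "life": LIFETIME, "sk1": os.urandom(32).hex()}
    return seal(USER_KEY, {"sk1": tgt["sk1"]}), seal(TGS_KEY, tgt)

def tgs_exchange(tgt_blob, auth_blob, now):
    """Steps 4-5: TGS opens the TGT, checks expiry and the SK1 authenticator, issues SK2."""
    tgt = open_(TGS_KEY, tgt_blob)
    if now - tgt["ts"] > tgt["life"]:
        raise PermissionError("TGT expired")
    auth = open_(bytes.fromhex(tgt["sk1"]), auth_blob)
    if (auth["id"], auth["addr"]) != (tgt["id"], tgt["addr"]):
        raise PermissionError("authenticator does not match TGT")
    ticket = {"id": tgt["id"], "addr": tgt["addr"], "ts": now, "sk2": os.urandom(32).hex()}
    return seal(bytes.fromhex(tgt["sk1"]), {"sk2": ticket["sk2"]}), seal(SS_KEY, ticket)

def service_exchange(ticket_blob, auth_blob):
    """Step 7: server opens the ticket with SS_KEY, checks the SK2 authenticator, answers under SK2."""
    ticket = open_(SS_KEY, ticket_blob)
    auth = open_(bytes.fromhex(ticket["sk2"]), auth_blob)
    if (auth["id"], auth["addr"]) != (ticket["id"], ticket["addr"]):
        raise PermissionError("authenticator does not match service ticket")
    return seal(bytes.fromhex(ticket["sk2"]), {"ts": auth["ts"]})  # only a holder of SK2 can build this

def login_and_access(client_id="alice", addr="10.0.0.5", now=None):  # client side: steps 1, 3, 4, 6
    now = now or int(time.time())
    msg, tgt_blob = as_exchange(client_id, addr, now)
    sk1 = bytes.fromhex(open_(USER_KEY, msg)["sk1"])  # step 3: the password itself never left the client
    msg2, ticket_blob = tgs_exchange(tgt_blob, seal(sk1, {"id": client_id, "addr": addr, "ts": now}), now)
    sk2 = bytes.fromhex(open_(sk1, msg2)["sk2"])
    reply = service_exchange(ticket_blob, seal(sk2, {"id": client_id, "addr": addr, "ts": now}))
    return open_(sk2, reply)["ts"] == now  # True only if the server proved it holds SK2 (mutual auth)
```

A TGT presented after LIFETIME seconds, or an authenticator whose address or ID differs from the ticket, is rejected with PermissionError, and any byte changed in a ticket fails the tag check before it is read.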
Kerberos, like any other security model, is not 100% invulnerable. Because Kerberos is a widely used
authentication protocol, hackers have found ways to get around it. The majority of these hacks
include forged tickets, encryption downgrading malware, and guessing passwords. Sometimes,
hackers will use each of these methods to breach the system.
Forged Tickets
With this method, an attacker forges the session key and uses fake credentials. Hackers will forge a
golden or silver ticket to gain either domain access or access to a service.
Password Guessing
This is an automated and continued attempt at guessing a user's password. The majority of these
attacks will target the ticket-granting and initial ticketing service.
Encryption Downgrade
An encryption downgrade is performed with skeleton key malware, a type of malware that bypasses
Kerberos if the cyberattacker has admin access.
DC Shadow Attack
This attack takes place when hackers get the access needed to set up their own domain controller
(DC) to be used for further infiltration.
Is Kerberos Obsolete?
Kerberos may have been around for decades, but that does not mean it is obsolete. In fact, it is still a
proven and effective security access protocol even though cyberattackers have been able to crack it.
One of the major advantages of Kerberos is that it uses strong encryption to protect authentication
tickets and passwords.
The bottom line is that Kerberos is here to stay, and there are no replacements in the immediate
future. The majority of today's security advancements are meant to protect passwords or provide a
different method for validating an identity. Kerberos remains the back-end technology in these
solutions. It is still an effective and usable solution in the connected workplace because of SSO,
which lets users prove their identity just once to access multiple applications.
The Fortinet FortiWeb solution can be configured to use the Kerberos protocol for authentication
delegation. FortiWeb uses Kerberos to provide previously authenticated clients with access to web
applications. The product supports two types of Kerberos authentication:
FortiWeb verifies the user's secure sockets layer (SSL) certificate using the certificate authority (CA)
specified in a server pool member configuration or server policy. FortiWeb will then obtain the
Kerberos service ticket to allow the client access to the specified web application.
Users enter a username and password in a Hypertext Markup Language (HTML) authentication form.
FortiWeb then gets a Kerberos service ticket for the client to allow access to the specified web
application.
Copyright © 2023 Fortinet, Inc. All Rights Reserved.