Kerberos is a widely used network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography, preventing unauthorized access and enabling single sign-on (SSO) capabilities.

What is Kerberos authentication?

Kerberos is a robust and highly secure network authentication protocol originally developed by the Massachusetts Institute of Technology (MIT). It operates on the principle of symmetric-key cryptography, where both the client and server trust a third party — the Key Distribution Center (KDC) — to verify their identities. The protocol issues unique session tickets for each user-server interaction, eliminating the need for users to send passwords over the network. This makes Kerberos foundational for single sign-on (SSO) in many enterprise environments, including Microsoft Active Directory, providing secure access to various resources with a single set of credentials.

Why is Kerberos used for authentication?

Kerberos is widely adopted because it addresses several critical security challenges in network authentication:

  • No passwords transmitted over the network: Instead of sending passwords directly, Kerberos uses encrypted tickets, significantly reducing the risk of eavesdropping and credential theft.
  • Protection against replay attacks: Session tickets are time-stamped and have limited lifetimes, making it extremely difficult for attackers to reuse intercepted authentication data.
  • Single sign-on (SSO) capability: Users authenticate once and gain access to multiple services and resources without re-entering credentials, improving both security and user experience.
  • Mutual authentication: Both the client and the server verify each other's identity, ensuring that neither party is communicating with an imposter.
  • Scalability: Kerberos is designed to work efficiently in large-scale enterprise environments, handling thousands of authentication requests simultaneously.

How does Kerberos authentication work?

Kerberos authentication follows a multi-step process involving three main components: the client, the Key Distribution Center (KDC), and the target server. The KDC itself consists of two services: the Authentication Server (AS) and the Ticket-Granting Server (TGS).

  1. Authentication Request (AS-REQ): The client sends a request to the Authentication Server, identifying itself without transmitting the password.
  2. Ticket-Granting Ticket (AS-REP): The AS verifies the client's identity and responds with a Ticket-Granting Ticket (TGT) together with a session key; the session key is encrypted with the client's secret key, so only a client that knows the password can recover it and use the TGT.
  3. Service Ticket Request (TGS-REQ): When the client needs to access a specific service, it presents the TGT to the Ticket-Granting Server and requests a service ticket.
  4. Service Ticket (TGS-REP): The TGS validates the TGT and issues a service ticket encrypted with the target server's secret key.
  5. Service Access (AP-REQ): The client presents the service ticket to the target server, which decrypts it and grants access if the ticket is valid.

This entire process, as defined in RFC 4120, ensures that passwords are never sent across the network and that each session is uniquely authenticated.
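The five exchanges above, run end to end as an added example (constructed here; it is not code from the original article or from any Kerberos implementation). It uses a toy encrypt-then-MAC construction in place of the RFC 4120 encryption types, PBKDF2 in place of the real string-to-key function, simplified message fields, and an invented realm with one user (alice) and one service (fileserver). Following RFC 4120, the TGT is encrypted under the KDC's own krbtgt key and only the session key is encrypted to the client, so the client can present the TGT without being able to read it. The demo returns the outcome of four checks: a normal login, the same AP-REQ presented a second time (replay), a ticket presented after its lifetime, and a wrong password.

```python
import hashlib, hmac, json, secrets

SKEW, LIFETIME = 300, 600   # tolerated clock skew and ticket lifetime, in seconds

def _xor(key, nonce, data):
    ks = hashlib.shake_256(key + nonce).digest(len(data))   # toy keystream, stands in for a real etype
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()   # nonce || ct || tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")   # wrong key or tampered data
    return json.loads(_xor(key, nonce, ct))

def string_to_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)   # stands in for string2key

def authenticator(sk, cname, now):
    """Time-stamped proof of session-key possession; 'seq' makes each one unique."""
    return seal(sk, {"cname": cname, "ts": now, "seq": secrets.randbelow(1 << 32)})

def _check_auth(sk, blob, cname, now):
    auth = unseal(sk, blob)
    if auth["cname"] != cname or abs(now - auth["ts"]) > SKEW:
        raise ValueError("bad authenticator")
    return auth

class KDC:                                      # Authentication Server + Ticket-Granting Server
    def __init__(self, keys):
        self.keys = keys                        # principal name -> long-term key
        self.krbtgt = secrets.token_bytes(32)   # TGTs are encrypted under this key, not the client's
    def as_exchange(self, req, now):
        # AS-REQ pre-authentication: a timestamp under the client's key proves knowledge of the password
        ckey = self.keys[req["cname"]]
        if abs(now - unseal(ckey, req["preauth"])["ts"]) > SKEW:
            raise ValueError("stale pre-authentication")
        sk, end = secrets.token_bytes(32), now + LIFETIME
        tgt = seal(self.krbtgt, {"cname": req["cname"], "sk": sk.hex(), "end": end})
        return {"tgt": tgt, "enc_part": seal(ckey, {"sk": sk.hex(), "end": end})}  # AS-REP
    def tgs_exchange(self, req, now):
        tgt = unseal(self.krbtgt, req["tgt"])   # TGS-REQ: TGT plus an authenticator
        if now > tgt["end"]:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(tgt["sk"])
        _check_auth(sk, req["authenticator"], tgt["cname"], now)
        sk2 = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[req["sname"]], {"cname": tgt["cname"], "sk": sk2, "end": now + LIFETIME})
        return {"ticket": ticket, "enc_part": seal(sk, {"sk": sk2})}  # TGS-REP

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()
    def ap_exchange(self, req, now):
        ticket = unseal(self.key, req["ticket"])   # AP-REQ: only this service's key opens the ticket
        if now > ticket["end"]:
            raise ValueError("service ticket expired")
        sk = bytes.fromhex(ticket["sk"])
        auth = _check_auth(sk, req["authenticator"], ticket["cname"], now)
        if (auth["ts"], auth["seq"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["ts"], auth["seq"]))
        return seal(sk, {"ts": auth["ts"]})   # AP-REP under the session key: mutual authentication

def login_and_access(kdc, service, cname, password, salt, now):
    """Client side of all three exchanges; returns the AP-REQ it sent."""
    ckey = string_to_key(password, salt)
    as_rep = kdc.as_exchange({"cname": cname, "preauth": seal(ckey, {"ts": now})}, now)
    sk = bytes.fromhex(unseal(ckey, as_rep["enc_part"])["sk"])   # only the real client can read this
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["tgt"], "sname": service.name,
                                "authenticator": authenticator(sk, cname, now)}, now)
    sk2 = bytes.fromhex(unseal(sk, tgs_rep["enc_part"])["sk"])
    ap_req = {"ticket": tgs_rep["ticket"], "authenticator": authenticator(sk2, cname, now)}
    unseal(sk2, service.ap_exchange(ap_req, now))   # fails unless the service really holds its key
    return ap_req

def demo():
    """Constructed realm with one user and one service; returns the outcome of each check."""
    salt, pw, now = "EXAMPLE.COMalice", "correct horse battery", 1_700_000_000   # constructed values
    svc = Service("fileserver", secrets.token_bytes(32))
    kdc = KDC({"alice": string_to_key(pw, salt), "fileserver": svc.key})
    ap_req = login_and_access(kdc, svc, "alice", pw, salt, now)
    checks = {"replay": lambda: svc.ap_exchange(ap_req, now),   # the same AP-REQ presented twice
              "expired": lambda: svc.ap_exchange(
                  login_and_access(kdc, svc, "alice", pw, salt, now), now + LIFETIME + 1),
              "wrong_password": lambda: login_and_access(kdc, svc, "alice", "nope", salt, now)}
    results = {"login": "ok"}
    for label, action in checks.items():
        try:
            action()
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

Calling `demo()` returns one entry per check. The replay cache keyed on the authenticator's timestamp and sequence value is the mechanism behind the replay protection listed earlier, the ticket `end` field is the limited lifetime, and the client's final `unseal` of the AP-REP is its half of mutual authentication. The real protocol also carries nonces, ticket flags, client addresses and (in Active Directory) authorization data that this model omits.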

When was Kerberos developed?

Kerberos was developed at MIT as part of Project Athena in the mid-1980s. The protocol's name is derived from Cerberus, the three-headed dog of Greek mythology that guards the gates of the underworld — a fitting metaphor for a protocol that guards access to network resources. The most widely used version today is Kerberos Version 5 (V5), which was first published in 1993 and later formalized as an Internet standard in RFC 4120. Over the decades, Kerberos has become the de facto authentication protocol in enterprise environments worldwide.

Which port does Kerberos typically use?

Kerberos typically operates on port 88 for both TCP and UDP traffic. This is the standard port used by the Key Distribution Center to receive authentication requests from clients. In some implementations, additional ports may be used — for example, port 749 is commonly used for Kerberos administration (kadmin). Network administrators should ensure that port 88 is properly configured in firewalls and security groups to allow Kerberos traffic to flow between clients, KDCs, and application servers.
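A reachability check an administrator can run from a client subnet toward a KDC, as an added example that is not from the original article: it attempts a TCP handshake on the ports named above (88 for the KDC, 749 for kadmin) and reports each as reachable or not. The `check_kerberos_ports` helper, the host argument and the throwaway local listener used for the offline self-test are all constructed for this example.

```python
import socket

KERBEROS_TCP_PORTS = {"kdc": 88, "kadmin": 749}   # well-known ports named in the text


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout), unroutable, or name lookup failure
        return False


def check_kerberos_ports(host, ports=KERBEROS_TCP_PORTS, timeout=2.0):
    """Report reachability of each Kerberos TCP port on a KDC host."""
    return {name: tcp_reachable(host, port, timeout) for name, port in ports.items()}


def self_test():
    """Offline check against a throwaway local listener standing in for a KDC (constructed)."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))       # the kernel picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        while_open = check_kerberos_ports("127.0.0.1", {"kdc": port}, timeout=1.0)
    after_close = check_kerberos_ports("127.0.0.1", {"kdc": port}, timeout=1.0)
    return while_open["kdc"], after_close["kdc"]   # expected (True, False)
```

A completed handshake only shows that the port is open along the path; it says nothing about UDP 88, which some clients use as well, and a successful `kinit` against the realm remains the definitive test. A timeout rather than a refusal usually points at a filtering firewall or security group between the client and the KDC.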

Practical examples of Kerberos in use

  • Microsoft Active Directory: Kerberos is the default and primary authentication protocol used in Windows domains. When a user logs into a Windows domain-joined machine, Active Directory uses Kerberos to authenticate the user and grant access to domain resources such as file shares, printers, and applications.
  • Unix/Linux Environments: Kerberos secures access to network file shares (e.g., NFS with Kerberos), SSH sessions, and other critical services in large-scale Unix/Linux deployments, as described in IBM's Kerberos documentation.