In Greek mythology, Kerberos (or Cerberus) is a frightening-looking dog with multiple heads and fangs capable of slicing through human bone. Kerberos is famous for guarding the gates of the underworld to prevent the dead from leaving. Until Kerberos’ capture by the divine hero Heracles, the dog’s tenacious patrol let no soul pass into the world of the living.
The internet is very similar to the underworld—an insecure place full of actors who would seek to compromise our security and steal our data. Like the underworld, it needs powerful gatekeepers to guard and patrol its boundaries, lest vulnerable users be harmed. Thus, when MIT computer scientists were searching for a name for the new network authentication protocol they had developed, they turned to the mythical creature Kerberos.
This eponymously named protocol uses secret-key cryptography to provide strong authentication for client-server applications. Kerberos authentication was first developed in the 1980s and has since become the most commonly used cryptography-based authentication method. The ubiquity of Kerberos makes it critical for managed services providers (MSPs) to know about it—where it came from, what it is, how it works, and how it can benefit their end users.
Why Was Kerberos Authentication Developed?
At the time Kerberos was designed, security problems were rampant among the many applications that sent unencrypted passwords over the network—passwords that were highly vulnerable to a range of tactics and tools used by malicious actors intent on stealing them. Moreover, some client-server applications simply assumed a user really was who they claimed to be, or relied on the client program to restrict a user’s activities to those deemed “safe.” Naturally, these applications faced serious security vulnerabilities and would likely fail to meet today’s stringent mandates to protect users’ personal data.
In response to this internet insecurity, many sites started using firewalls, thinking these would resolve the problem. But firewalls have two limitations that hinder their efficacy. One, they assume the security threat is coming from “outside,” when in fact it’s often insiders who are responsible for the most egregious internet crimes. Two, firewalls prevent users from accessing areas of the internet that they may need for their work. Other strategies were needed for more effective cybersecurity.
What Is Kerberos Authentication?
This is where the aforementioned MIT scientists came into the picture. The product of their collective efforts was Kerberos, a network authentication protocol based on secret-key cryptography and the exchange of encrypted “tickets.” By enabling users or services to communicate securely over a non-secure network through a trusted third-party arbiter, Kerberos eliminates the need to transmit vulnerable plaintext passwords.
The designers of Kerberos based it on a client-server model, in which a server provides resources or services to one or more clients. It also supports multi-factor authentication (MFA), meaning that a system requires at least two distinct factors before granting a user access to an account. This strengthens password management to keep up with cybersecurity threats and heightens the level of security for all parties involved.
A free implementation of Kerberos authentication is available from MIT, though by now it’s embedded within a range of operating systems and other products available on the market. Kerberos has become the default authentication protocol used by Microsoft Windows. Apple operating systems, UNIX, and Linux also use it. This means most of us have encountered it in one place or another, even if we weren’t aware of it.
How Does Kerberos Authentication Work?
We’ve already established that Kerberos securely connects users and servers. It does so within what’s called a realm—a defined domain containing a set of users and servers that can connect to one another (though cross-realm connection is also possible). Each user or server has its own identity, referred to as a principal in Kerberos. Through its individual principal, a user or server can identify itself to a trusted third-party arbiter responsible for authentication.
That trusted third-party arbiter is the Key Distribution Center (KDC), located on the Kerberos server. The KDC has three main parts that are important to understand.
- Authentication server (AS): This server performs the initial authentication. When a user seeks to authenticate to a system or service, the AS receives the request and replies with a ticket-granting ticket (TGT), a small encrypted user authentication ticket, together with a session key. The session key is encrypted under a key derived from the user’s password, so only a user who enters the correct password can recover it and use it to present the TGT to the ticket-granting server.
- Ticket-granting server (TGS): This server validates TGTs and grants subsequent tickets called service tickets. A service ticket permits an authenticated user to access the service they are trying to use on the application server.
- Kerberos database: Housed within the KDC, this database contains all principal IDs, their passwords, and a host of other information about them. It is essential to the smooth functioning of the overall Kerberos authentication process.
Through the mediation of the KDC, different principals that share the same Kerberos realm can communicate safely and securely.
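To make the AS and TGS exchanges above concrete, here is an added, simplified simulation that is not MIT Kerberos or any vendor’s code: the realm, principals and passwords are constructed, and an HMAC-SHA256 keystream with an HMAC tag stands in for the AES/HMAC encryption types real Kerberos uses. It shows that the password is used only locally to unseal the AS reply, that a wrong password simply fails that step, and that only the KDC can open a TGT while only the application server can open its service ticket.

```python
# Toy Kerberos AS/TGS exchange. HMAC-SHA256 keystream + HMAC tag stands in for Kerberos' AES/HMAC enctypes.
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, data: dict) -> bytes:
    """Encrypt-then-MAC a small JSON document (the 'encrypted part' of a Kerberos message)."""
    pt, nonce = json.dumps(data).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")  # a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str, principal: str, realm: str) -> bytes:
    # Long-term key derived from the password, salted with realm + principal (simplified from RFC 3962).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

class KDC:  # the Kerberos database plus the AS and TGS roles, all inside one realm's KDC
    def __init__(self, realm: str, passwords: dict):
        self.realm, self.db = realm, {p: string_to_key(pw, p, realm) for p, pw in passwords.items()}
        self.db["krbtgt"] = os.urandom(32)  # key that protects TGTs; it never leaves the KDC
    def as_exchange(self, client: str):
        """AS_REP (no pre-authentication here): session key sealed under the user's key, TGT under krbtgt."""
        sk = os.urandom(32).hex()
        tgt = seal(self.db["krbtgt"], {"client": client, "sk": sk, "exp": time.time() + 600})
        return seal(self.db[client], {"sk": sk}), tgt
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS_REP: check TGT and authenticator, then issue a service ticket sealed under the service key."""
        t = unseal(self.db["krbtgt"], tgt)                 # only the KDC can open a TGT
        a = unseal(bytes.fromhex(t["sk"]), authenticator)  # proves the client holds the session key
        if a["client"] != t["client"] or time.time() > t["exp"]:
            raise ValueError("authenticator does not match TGT, or TGT expired")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "sk": svc_sk})
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}), ticket

def get_service_ticket(kdc: KDC, client: str, password: str, service: str):
    """Client side: the password only unseals AS_REP locally and is never transmitted."""
    enc_part, tgt = kdc.as_exchange(client)
    sk = bytes.fromhex(unseal(string_to_key(password, client, kdc.realm), enc_part)["sk"])
    enc_svc, ticket = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "ts": time.time()}), service)
    return unseal(sk, enc_svc)["sk"], ticket

def service_accepts(service_key: bytes, ticket: bytes, claimed_client: str) -> bool:
    return unseal(service_key, ticket)["client"] == claimed_client  # app server opens the ticket itself
```

Real Kerberos adds pre-authentication to the AS exchange and carries many more fields in a ticket (addresses, flags, lifetimes, authorization data) than this toy does.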
What Are the Benefits of Kerberos Authentication?
Now that we have a firm grasp of what Kerberos authentication is and how it works, let’s turn to how it can benefit your company and end users.
Kerberos authentication carries a range of advantages, especially compared with some of its predecessors. Its end-user benefits include:
- Powerful encryption
- Single sign-on (SSO)
- Open standard
- Mutual authentication
- Fast authentication processing
- Authentication delegation
- Integrated and renewable sessions
- Centralized username and password data storage
- Improved network security
For MSPs, it’s important to know about Kerberos because it’s integral to so many of the operating systems and applications we use on a daily basis. But this authentication protocol also holds distinct advantages that can help MSPs better serve their customers and drive their business forward.