Baby steps in the world of cryptography and cyber-attacks! I had been relying on the underlying default technology, namely NTLM, for all authentication and authorization until now. This project has given me an opportunity to step into the realm of more sophisticated technologies and algorithms being used to keep things secure and to ensure that people and processes are really who they say they are!

Welcome to Kerberos – the authentication and authorization protocol being used in the project.

[The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.]

What is Kerberos

Kerberos is a ticket-based network authentication protocol built on symmetric cryptography. It extends an operating system's (Windows, Mac, etc.) ability to authenticate users and servers and to manage session-level security and encryption. It is a single sign-on technology and runs as an IP-based service, using secret-key cryptography to provide strong authentication for client/server applications.

How does Kerberos work

It is an eight-step process:

Step 1: The authentication service (AS) receives the request from the client and verifies that the client is indeed the computer it claims to be. This is usually just an Active Directory (AD) lookup.

Step 2: The server puts the current timestamp in a user session, along with an expiration time. The default lifetime of a timestamp is 8 hours. An encryption key is then created with the same 8-hour lifespan. This limits what an attacker who intercepts the data can gain by trying to crack the key: almost all keys can be cracked, but doing so will take longer than 8 hours.

Step 3: The key is sent back to the client in the form of a ticket-granting ticket (TGT). This is a simple ticket issued by the AS that the client presents in later requests as proof that it has already been authenticated.

Step 4: The client submits the TGT to the ticket-granting server (TGS), to get authenticated.

Step 5: The TGS creates an encrypted key with a timestamp, and grants the client a service ticket.

Step 6: The client decrypts the ticket, tells the TGS it has done so, and then sends its own encrypted key to the service.

Step 7: The service decrypts the key and makes sure the timestamp is still valid. If it is, the service contacts the key distribution center (KDC) to receive a session, which is returned to the client.

Step 8: The client decrypts the ticket. If the keys are still valid, communication is initiated between client and server.
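The eight steps above describe one protocol run: AS issues a TGT, the TGS turns it into a service ticket, and the service checks the ticket and the timestamp before talking to the client. The script below is an added simulation of that exchange, not code from the original post or from any Kerberos implementation. Everything in it is constructed: the cipher is a throw-away SHA-256 keystream plus HMAC standing in for the real Kerberos encryption types, the string-to-key step is a salted hash rather than the real derivation, messages are JSON instead of ASN.1, and the principals (alice, krbtgt, cifs/fs01), the password and the 5-minute freshness window are assumptions. The 8-hour ticket lifetime is the default the text gives.

```python
"""Toy Kerberos walk-through: AS exchange, TGS exchange, then the service.
Constructed simulation; cipher, KDF, principals and timings are assumptions."""
import hashlib, hmac, json, os

TICKET_LIFE = 8 * 3600   # the 8-hour default lifetime from the text
SKEW = 300               # authenticator freshness window (assumed 5 minutes)


def key_from_password(password: str) -> bytes:
    """Toy string-to-key: a salted hash stands in for the real Kerberos KDF."""
    return hashlib.sha256(b"toy-salt|" + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under a symmetric key (toy cipher)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the MAC first; a wrong key or a tampered ticket raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def verify_ticket(ticket_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> dict:
    """Used by both the TGS (step 4) and the service (step 7): open the ticket,
    reject it once past its expiry, then check the authenticator sealed under the
    ticket's session key names the same client and carries a fresh timestamp."""
    t = unseal(ticket_key, ticket)
    if now > t["exp"]:
        raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
        raise PermissionError("authenticator stale or for a different client")
    return t


class KDC:
    """Authentication Service and Ticket-Granting Service in one object."""

    def __init__(self, keys: dict):
        self.keys = keys  # principal -> long-term key (the AD lookup of step 1)

    def as_exchange(self, client: str, now: int):
        """Steps 1-3: look the client up, mint a session key with an 8-hour life,
        return a TGT sealed under krbtgt's key (opaque to the client) plus the
        session key sealed under the client's own key."""
        if client not in self.keys:
            raise LookupError(f"unknown principal {client}")
        sk, exp = os.urandom(32).hex(), now + TICKET_LIFE
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "exp": exp})
        return tgt, seal(self.keys[client], {"key": sk, "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """Steps 4-5: validate the TGT, issue a service ticket the client cannot
        read (sealed under the service's key) plus a fresh service session key."""
        t = verify_ticket(self.keys["krbtgt"], tgt, authenticator, now)
        ssk, exp = os.urandom(32).hex(), min(t["exp"], now + TICKET_LIFE)
        st = seal(self.keys[service], {"client": t["client"], "key": ssk, "exp": exp})
        return st, seal(bytes.fromhex(t["key"]), {"key": ssk, "exp": exp})


def client_get_service_ticket(kdc: KDC, name: str, password: str, service: str, now: int):
    """Client side of steps 1-6; returns (service ticket, service session key)."""
    tgt, enc = kdc.as_exchange(name, now)
    tgt_key = bytes.fromhex(unseal(key_from_password(password), enc)["key"])  # wrong password fails here
    auth = seal(tgt_key, {"client": name, "ts": now})
    st, enc2 = kdc.tgs_exchange(tgt, auth, service, now)
    return st, bytes.fromhex(unseal(tgt_key, enc2)["key"])


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """Steps 7-8 on the server: verify ticket and authenticator, then reply with the
    client's timestamp sealed under the session key so the client can confirm the
    service really holds that key (mutual authentication)."""
    t = verify_ticket(service_key, ticket, authenticator, now)
    session_key = bytes.fromhex(t["key"])
    ts = unseal(session_key, authenticator)["ts"]
    return t["client"], seal(session_key, {"ts": ts})


def demo(now: int = 1_700_000_000):
    """End-to-end run with constructed principals; returns the client name the
    service saw and whether the client accepted the service's reply."""
    kdc = KDC({"krbtgt": os.urandom(32), "alice": key_from_password("hunter2"),
               "cifs/fs01": os.urandom(32)})
    st, ssk = client_get_service_ticket(kdc, "alice", "hunter2", "cifs/fs01", now)
    auth = seal(ssk, {"client": "alice", "ts": now})
    who, ap_rep = service_accept(kdc.keys["cifs/fs01"], st, auth, now)
    return who, unseal(ssk, ap_rep)["ts"] == now
```

Two things worth noticing when you run it: a wrong password never reaches the KDC as an error, it simply leaves the client unable to open the AS reply (the `unseal` in `client_get_service_ticket` raises), and a captured service ticket replayed after the 8-hour window, or with a stale authenticator, is refused by `verify_ticket` even though the ticket itself is genuine. Those two checks are what the timestamps in steps 2 and 7 buy you.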

That is it – Kerberos authentication in a nutshell.
