Authentication is one of the primary concerns of network security professionals. It ensures that only the right people can access valuable corporate data. Therefore, a secure authentication method is essential to safeguard an organization's valuable digital assets from outside attackers, and it should be kept up to date with the newest technologies, because attackers are often one step ahead of network security protocols. Username- and password-based authentication is still among the most widely used methods for making sure that only the right people get access to the data and everyone else is kept out. But transferring user credentials back and forth over the network is an insecure process, because malicious attackers can launch sophisticated cyber-attacks to obtain this sensitive information. Deploying firewalls is considered a strong approach to preventing network threats, but firewalls draw a line between trusted internal networks and untrusted outside networks and assume that threats always come from the outside.
Surveys show that internal users are responsible for a significant share of security breaches. For example, IBM's annual X-Force Threat Intelligence Index shows that up to 60% of cyber-attacks may be due to insider threats. These insider threats range from employees' accidental mistakes to intentional data theft. Overall, Cybersecurity Ventures predicts that cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Security experts also warn that cybercriminals will probably use Artificial Intelligence (AI) to power their attacks.
Cybercrime has existed ever since the invention of computer networks and the internet. MIT developed a network authentication protocol called Kerberos to eliminate authentication-related security problems. Kerberos enables strong authentication between trusted hosts on an untrusted network, usually for client-server applications. Kerberos uses secret-key cryptography and a trusted third party to verify the user's identity, and it also protects against network eavesdropping.
In the 1980s, the Massachusetts Institute of Technology (MIT) first developed Kerberos to protect the network services provided by Project Athena. MIT makes it freely available under copyright permissions similar to those used for BSD. In 2007, MIT founded the Kerberos Consortium, which operates Kerberos development and maintenance as an institute-funded open source project. Microsoft started to use Kerberos as the default authentication method in Windows 2000 and later versions, but Microsoft uses its own implementation of Kerberos, not the MIT software. Kerberos is also built into other major operating systems, including Linux, macOS, and Solaris.
The name Kerberos is inspired by the ferocious three-headed dog Kerberos (Cerberus) of Greek mythology, which guards the gates of the underworld. In the authentication protocol, the three heads of Kerberos represent the client, the server, and the Key Distribution Center (KDC). The KDC is the main component of the Kerberos architecture; it authenticates users and services and issues ticket-granting tickets.
Client – an end user or an application that initiates the service request.
Server – hosts the services or resources the client wants to access.
Key Distribution Center (KDC) – a trusted third-party authentication server. The KDC can be divided into three components: the database, the authentication server (AS), and the ticket-granting server (TGS).
Database – contains all information related to the users and services.
Authentication Server (AS) – responds to the client's initial authentication request and grants a ticket-granting ticket (TGT) after successful authentication.
Ticket-Granting Server (TGS) – grants service tickets to clients holding a valid TGT so they can access the requested services or resources.
As mentioned above, the Kerberos environment consists of the client, the server, and the trusted third-party authentication server known as the KDC. Kerberos uses symmetric encryption, which means the same key is used both to encrypt the plaintext message and to decrypt it. Each component, including the client, the file server, and the Ticket-Granting Server (TGS), has its own symmetric key that Kerberos uses for encryption.
During the authentication process, the symmetric keys on both sides must match; otherwise decryption fails and the authentication process stops. Kerberos is a Single Sign-On (SSO) authentication protocol, so users do not need to provide their login credentials repeatedly once they have signed in. Kerberos uses the TGT to store the user's information and prove the user's identity when necessary.
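The following is an added illustration, not code from MIT Kerberos or any vendor implementation, of how the three components described above fit together: the AS issues a TGT sealed under the TGS key, the TGS turns a TGT plus a fresh authenticator into a service ticket sealed under the service's key, and the server opens that ticket with its own key. All principal names, keys, lifetimes and the toy SHA-256/HMAC cipher are constructed for the example; real Kerberos uses standardised encryption types such as AES (RFC 3962) and a string-to-key function for passwords. The demo also shows the two points the text makes: a mismatched key makes decryption fail and stops the process, and one TGT reaches several services without typing the password again (SSO).

```python
"""Toy Kerberos-style AS -> TGS -> service exchange using only the standard library."""
import hashlib
import hmac
import json
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key, nonce, length):
    # Throwaway keystream: SHA-256(key || nonce || counter). Illustration only, not a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a symmetric key."""
    plaintext = json.dumps(obj).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag and decrypt; raise ValueError when the key does not match."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))).decode())


class KDC:
    """Authentication Server and Ticket-Granting Server sharing one principal database."""

    def __init__(self):
        self.db = {}                                  # principal name -> long-term key
        self.tgs_key = secrets.token_bytes(KEY_LEN)   # TGS key; never leaves the KDC

    def register(self, principal, key):
        self.db[principal] = key

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: reply sealed under the client's key, plus the TGT."""
        session_key, expires = secrets.token_bytes(KEY_LEN), now + 8 * 3600
        tgt = seal(self.tgs_key, {"client": client, "skey": session_key.hex(), "expires": expires})
        reply = seal(self.db[client], {"skey": session_key.hex(), "expires": expires})
        return reply, tgt

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a service ticket."""
        t = open_(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(t["skey"])
        auth = open_(session_key, authenticator)      # proves the client knows the session key
        if auth["client"] != t["client"] or abs(now - auth["ts"]) > 300:
            raise PermissionError("authenticator does not match TGT")
        svc_key = secrets.token_bytes(KEY_LEN)
        ticket = seal(self.db[service], {"client": t["client"], "skey": svc_key.hex(), "expires": now + 3600})
        return seal(session_key, {"service": service, "skey": svc_key.hex()}), ticket


class Client:
    def __init__(self, name, key):
        self.name, self.key, self.tgt, self.session_key = name, key, None, None

    def login(self, kdc, now):
        reply, self.tgt = kdc.as_exchange(self.name, now)
        self.session_key = bytes.fromhex(open_(self.key, reply)["skey"])  # wrong key -> ValueError

    def access(self, kdc, server, now):
        """Reuse the cached TGT; no password needed again (SSO)."""
        authenticator = seal(self.session_key, {"client": self.name, "ts": now})
        reply, ticket = kdc.tgs_exchange(self.tgt, authenticator, server.name, now)
        svc_key = bytes.fromhex(open_(self.session_key, reply)["skey"])
        return server.serve(ticket, seal(svc_key, {"client": self.name, "ts": now}), now)


class Server:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def serve(self, ticket, authenticator, now):
        t = open_(self.key, ticket)                   # only the service's own key opens this
        auth = open_(bytes.fromhex(t["skey"]), authenticator)
        if auth["client"] != t["client"] or now > t["expires"]:
            raise PermissionError("bad ticket")
        return f"hello {t['client']}, access granted to {self.name}"


def demo(wrong_password=False):
    """One login, then two services reached with the same TGT. All values constructed."""
    kdc = KDC()
    alice_key = hashlib.sha256(b"alice-password").digest()   # stand-in for string2key
    files, mail = Server("fileserver", secrets.token_bytes(KEY_LEN)), Server("mailserver", secrets.token_bytes(KEY_LEN))
    for principal, key in [("alice", alice_key), (files.name, files.key), (mail.name, mail.key)]:
        kdc.register(principal, key)
    now = 1_700_000_000
    alice = Client("alice", hashlib.sha256(b"wrong").digest() if wrong_password else alice_key)
    alice.login(kdc, now)                                      # credentials used exactly once
    return [alice.access(kdc, files, now + 60), alice.access(kdc, mail, now + 120)]
```

Running `demo()` performs one AS exchange and two TGS exchanges; `demo(wrong_password=True)` raises `ValueError` at the very first step because the AS reply cannot be opened with a key that does not match the one in the KDC database, which is exactly the "keys must match or the process fails" behaviour described above.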