Everyone who grew up playing Dungeons & Dragons knows the mythic creature Kerberos (Cerberus in its Latinized form), the three-headed dog who guards the gates of Hades. Its role is to keep the souls of the dead from returning to the world of the living.
So sweet... and yet today most security professionals know Kerberos as a network authentication protocol that provides strong authentication for client/server applications using secret-key cryptography.
The big question, however, is: what do we not know about Kerberos? How well do we really know it? As we speak with customers, we find that some have superb knowledge of the subject, while those just getting started as IT security professionals may have a murkier understanding.
So, to test your knowledge, I've pulled together a set of 10 facts to help you understand Kerberos better. For those of you already in the know, you can confirm you are the Kerberos King!
- Who actually invented Kerberos, and when? Kerberos was developed at MIT as part of Project Athena (they like myths too), which started in 1983 with the aim of securing MIT's campus network; MIT released it under a permissive license that allows redistribution and modification. The protocol is stateless on the server side: the KDC keeps no per-session state, everything it needs travels inside the tickets. (Quirky fact: it is younger than me.)
- What was the first Kerberos version ever released outside MIT? Version 4, in the late 1980s; versions 1 through 3 were MIT-internal. Version 5, the one in use today, was published as RFC 1510 in 1993.
- Which feature made it so valuable? It may seem strange, even somewhat naive, today, but it was the encryption: Kerberos was built on DES. That had a side effect. Because DES fell under US crypto export controls, the US government banned exporting Kerberos outside the USA, and MIT shipped an export edition ("Bones") with the encryption code removed, which was promptly re-completed outside the US (eBones). The ban was too late and not an effective move. When I see regulations try to moderate content distribution, I view it as a misreading of reality in the 21st century.
- What is a ticket, in a nutshell? Kerberos uses tickets to authenticate and grant access. The Key Distribution Center (KDC) has two halves: the Authentication Server (AS), which issues you a ticket-granting ticket (TGT) when you log in, and the Ticket Granting Server (TGS), which takes that TGT and issues a ticket for the specific service or endpoint your account requests. A ticket serves as proof of your identity and is encrypted with the secret key of the service it is for, so only that service (and the KDC) can read it. As long as the ticket is valid, you get access to the service without presenting your password again.
- Is it a pure one-sided client/server model, or can it be used for mutual identity verification? Both. Kerberos is mutual: the client and server can verify each other's identities. The client proves itself with an authenticator (a timestamp encrypted under the session key it shares with the service), and the server proves itself by sending that timestamp back encrypted under the same session key (the AP-REP), which it can only do if it holds the service key. The Kerberos V5 specification was revised in RFC 4120 in 2005 to address weaknesses found in the original. Because timestamps do the work, clocks matter: by default a skew of more than five minutes makes authentication fail, and servers keep a replay cache of recent authenticators. Note: I always claimed time is not reliable…
- When did Microsoft officially adopt Kerberos as its default authentication protocol? With Windows 2000, in 2000, seven years after the Kerberos V5 specification was published. Microsoft uses its own implementation rather than MIT's code, with extensions such as the Privilege Attribute Certificate (PAC) that carries the user's group memberships inside the ticket. Between us, it was always about the secret sauce.
- What is a "Pass the Ticket" attack? Attackers, and you too, can use tools such as Mimikatz and Windows Credential Editor to extract Kerberos tickets from the memory of a compromised user endpoint or server. Once the attacker holds a ticket, they can inject it into their own session and reuse it for lateral movement, leveraging the ticket owner's permissions and harvesting data towards their end goal, all without ever knowing a password.
- What about a Golden Ticket: is that a VIP pass? Yes, correct! Actually it is more than VIP: it is a forged TGT encrypted with the key of the krbtgt account, so whoever holds that key can mint tickets for any user, with any group memberships, and the KDC accepts them as genuine. Mimikatz hard-codes a 10-year lifetime by default (adjustable if you want), regardless of the domain's ticket policy. The only cure is resetting the krbtgt password twice, because the KDC still honours tickets under the previous key.
- Are encryption keys kept unencrypted in memory while the protocol is in use? Yes, that is a fact. Session keys and tickets live in the memory of the LSASS process, and anyone who can read that memory (SYSTEM, or a debug privilege) can pull them out; that is exactly what pass-the-ticket tools do. Windows Credential Guard exists precisely to isolate those secrets from the rest of the OS. Now tell us what you imagine is happening. My grandmother always claims ignorance is bliss.
- If it's so secure and widely trusted, do I still have to use strong passwords? Duhh, yes! Kerberos involves no certificates by default; its long-term keys are derived from passwords. Your password-derived key is what decrypts the AS reply, and a service account's password-derived key is what encrypts every ticket issued for that service, so a captured ticket or AS reply can be brute-forced offline, guess by guess, at the attacker's leisure. Weak passwords, above all on service accounts, fall fast. OMG!
Ok….we are all geeks here. So, instead of 10, let’s turn this up to 11….
- What happens if the Kerberos authentication server is down? No new tickets can be issued, so the authentication system is out of service (tickets already in hand keep working until they expire). That single point of failure is what makes KDCs such attractive targets, and it is the reason there are so many in each deployment: in Active Directory every domain controller runs a KDC.
I hope these fun facts helped you learn a bit more about Kerberos.
Interested in more? Here are some interesting links we collected for you:
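To make the tickets, timestamps and password-derived keys from the facts above concrete, here is an added example. It is my own toy code, not code from the original post and not MIT's or Microsoft's Kerberos. A client runs the AS, TGS and AP exchanges against a mock KDC and a mock service, checks the server's AP-REP for mutual authentication, and then the two attacks above are played out: an offline brute force of a captured service ticket against a weak service-account password, and a golden ticket forged with the krbtgt key that the KDC happily turns into a service ticket for a principal it has never heard of. The realm, principal names, passwords, the 1000-iteration PBKDF2 and the HMAC-based toy cipher are all constructed assumptions; real Kerberos uses AES encryption types and ASN.1 messages.

```python
# Added toy example, not the original post's code and not MIT/Microsoft Kerberos.
# Realm, principals, passwords, the PBKDF2 iteration count and the HMAC-based
# cipher (standing in for the real AES etypes) are constructed assumptions.
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.COM"
CLOCK_SKEW = 300              # default maximum clock skew: 5 minutes
TICKET_LIFE = 10 * 3600       # default ticket lifetime: 10 hours
PRINCIPALS = {"alice": "correct-horse-battery-staple",      # constructed sample data
              "krbtgt": os.urandom(32).hex(),               # the KDC's own key
              "http/web.example.com": "Summer2014"}          # deliberately weak

def string_to_key(password, principal):
    # RFC 3962 derives AES keys with PBKDF2 salted by realm + principal
    # (iteration count lowered here so the cracking demo below is quick).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 1000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))

def encrypt(key, obj):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one."""
    def __init__(self, principals):
        self.keys = {p: string_to_key(pw, p) for p, pw in principals.items()}
        self.krbtgt = self.keys["krbtgt"]

    def as_exchange(self, cname, preauth, now):
        # PA-ENC-TIMESTAMP: the client proves it knows its password-derived key.
        if abs(decrypt(self.keys[cname], preauth)["ts"] - now) > CLOCK_SKEW:
            raise ValueError("pre-auth timestamp outside clock skew")
        sk = os.urandom(32).hex()
        tgt = encrypt(self.krbtgt, {"cname": cname, "key": sk, "end": now + TICKET_LIFE})
        return tgt, encrypt(self.keys[cname], {"key": sk, "end": now + TICKET_LIFE})

    def tgs_exchange(self, tgt, authenticator, sname, now):
        t = decrypt(self.krbtgt, tgt)   # anything that decrypts under krbtgt is trusted as-is
        a = decrypt(bytes.fromhex(t["key"]), authenticator)
        if t["end"] < now or a["cname"] != t["cname"] or abs(a["ts"] - now) > CLOCK_SKEW:
            raise ValueError("TGT expired or authenticator rejected")
        sk = os.urandom(32).hex()
        ticket = encrypt(self.keys[sname], {"cname": t["cname"], "key": sk, "end": now + TICKET_LIFE})
        return ticket, encrypt(bytes.fromhex(t["key"]), {"key": sk})

class Service:
    def __init__(self, sname, password):
        self.key, self.seen = string_to_key(password, sname), set()   # seen = replay cache

    def ap_exchange(self, ticket, authenticator, now):
        t = decrypt(self.key, ticket)   # checked locally; the KDC is not consulted
        sk = bytes.fromhex(t["key"])
        a = decrypt(sk, authenticator)
        if t["end"] < now or a["cname"] != t["cname"] or abs(a["ts"] - now) > CLOCK_SKEW:
            raise ValueError("ticket expired or authenticator rejected")
        if (a["cname"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["cname"], a["ts"]))
        return encrypt(sk, {"ts": a["ts"]})   # AP-REP: proves the server holds the service key

def login_and_access(kdc, service, cname, password, sname, now=None):
    """Client side of AS, TGS and AP; returns (mutual_auth_ok, service_ticket)."""
    now = now or time.time()
    ck = string_to_key(password, cname)
    tgt, enc = kdc.as_exchange(cname, encrypt(ck, {"ts": now}), now)
    tgt_sk = bytes.fromhex(decrypt(ck, enc)["key"])          # a wrong password fails here
    ticket, enc2 = kdc.tgs_exchange(tgt, encrypt(tgt_sk, {"cname": cname, "ts": now}), sname, now)
    sk = bytes.fromhex(decrypt(tgt_sk, enc2)["key"])
    ap_rep = service.ap_exchange(ticket, encrypt(sk, {"cname": cname, "ts": now}), now)
    return decrypt(sk, ap_rep)["ts"] == now, ticket

def crack_service_ticket(ticket, sname, wordlist):
    """Offline guessing: the ticket is sealed under the service's password-derived key."""
    for pw in wordlist:
        try:
            decrypt(string_to_key(pw, sname), ticket)
            return pw
        except ValueError:
            continue
    return None

def forge_golden_ticket(krbtgt_key, cname, now, years=10):
    """Holding the krbtgt key, mint a TGT for any name (10-year life, as mimikatz defaults)."""
    sk = os.urandom(32).hex()
    return encrypt(krbtgt_key, {"cname": cname, "key": sk, "end": now + years * 365 * 86400}), bytes.fromhex(sk)

if __name__ == "__main__":
    kdc, web = KDC(PRINCIPALS), Service("http/web.example.com", PRINCIPALS["http/web.example.com"])
    ok, ticket = login_and_access(kdc, web, "alice", PRINCIPALS["alice"], "http/web.example.com")
    print("mutual auth:", ok, "| service password cracked offline:",
          crack_service_ticket(ticket, "http/web.example.com", ["Password1", "Summer2014"]))
```

Two things worth noticing when you run it: the service never talks to the KDC, it trusts whatever decrypts under its own key, which is why a forged TGT fed to the TGS yields a perfectly good service ticket; and a login with the wrong password is rejected at the very first step, because the pre-authentication timestamp will not verify under the key the KDC derived from the real password.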
- Kerberos for the busy admin
- Kerberos best practice by the Kerberos consortium
- Black Hat 2014 - Abusing Microsoft Kerberos