This is where the aforementioned MIT scientists came into the picture. The product of their collective efforts was Kerberos, a network authentication protocol based on secret-key cryptography and the exchange of encrypted “tickets.” By enabling users or services to communicate securely over a non-secure network through a trusted third-party arbiter, Kerberos eliminates the need to transmit passwords in plaintext, where they are vulnerable to capture.
The designers of Kerberos based it on a client-server model, meaning that a server provides resources or services to one or more clients. It also features multi-factor authentication (MFA), meaning that a system requires at least two distinct factors before granting a user access to a certain account. This strengthens password management to keep up with cybersecurity threats and heightens the level of security for all parties involved.
A free implementation of Kerberos authentication is available from MIT, though by now it’s embedded within a range of operating systems and other products available on the market. Kerberos authentication has become the default authentication protocol used by Microsoft Windows. Apple OS, UNIX, and Linux also use it. This means most of us have encountered it in one place or another, even if we weren’t aware of it.
How Does Kerberos Authentication Work?
We’ve already established that Kerberos securely connects users and servers. It does so within what’s called a realm, a defined domain containing the set of users and servers that can connect to one another (though cross-realm connection is also possible). Each user or server has its own identity, referred to as a principal in Kerberos. Through their individual principal, users or servers identify themselves to a trusted third-party arbiter responsible for authentication.
That trusted third-party arbiter is the Key Distribution Center (KDC), located on the Kerberos server. The KDC has three main parts that are important to understand.
- Authentication server (AS): This server is responsible for performing initial authentication. Say a user seeks to authenticate their identity for a system or service. The AS receives that request and issues what is called a ticket-granting ticket (TGT), a small encrypted user authentication ticket, and sends it back to the user. A session key accompanies the TGT, protected by the user’s password: provided the user has entered the correct password, the client can recover that session key and present the TGT to the ticket granting service.
- Ticket granting server (TGS): This is a user authentication server that is responsible for validating TGTs and granting subsequent tickets called service tickets. Service tickets permit an authenticated user to access the service that they are trying to use on the application server.
- Kerberos database: Housed within the KDC, this is a database that contains all principal IDs, their passwords, and a host of information about them. It’s essential to the smooth functioning of the overall Kerberos authentication process.
Through the mediation of the KDC, different principals that share the same Kerberos realm can communicate safely and securely.
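The three exchanges just described (user to AS, TGT to TGS, service ticket to the application server), as an added toy simulation that is not MIT Kerberos code: long-term keys are derived from passwords with PBKDF2, a constructed HMAC-based seal/unseal stands in for Kerberos’ real ciphers, and the realm, principal names and passwords are made-up sample values. It shows why a wrong password yields no session key and therefore no service ticket, while the password itself never crosses the wire.

```python
import hashlib, hmac, json, os
REALM = "EXAMPLE.REALM"  # constructed realm name, doubling as the KDF salt

def kdf(password: str) -> bytes:  # string-to-key: a principal's long-term key from its password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.digest(key, nonce + bytes([i]), "sha256") for i in range(n // 32 + 1))

def seal(key: bytes, obj) -> bytes:  # toy encrypt-then-MAC standing in for Kerberos' AES etypes
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered ticket")  # a wrong password ends up here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Kerberos database plus AS and TGS. Stores derived keys, never plaintext passwords."""
    def __init__(self, principals: dict):
        self.db = {name: kdf(pw) for name, pw in principals.items()}
    def as_exchange(self, client: str):
        # AS_REQ -> AS_REP: TGT sealed under the krbtgt key, session key under the user's key
        sk = os.urandom(32).hex()
        tgt = seal(self.db["krbtgt"], {"client": client, "sk": sk})
        return tgt, seal(self.db[client], {"sk": sk})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS_REQ -> TGS_REP: validate TGT plus authenticator, then issue a service ticket
        t = unseal(self.db["krbtgt"], tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        ssk = os.urandom(32).hex()
        st = seal(self.db[service], {"client": t["client"], "sk": ssk})
        return st, seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # AP_REQ at the application server: the service opens the ticket with its own key
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match service ticket")
    return t["client"]

def login_and_access(kdc: KDC, client: str, password: str, service: str, service_key: bytes) -> str:
    # client side of all three exchanges; the password never leaves this function
    tgt, enc = kdc.as_exchange(client)
    sk = bytes.fromhex(unseal(kdf(password), enc)["sk"])  # ValueError if the password is wrong
    st, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client}), service)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    return service_accept(service_key, st, seal(ssk, {"client": client}))
```

Because the AS reply is sealed under a key derived from the user’s password, the KDC never sees the password and an offline guess only succeeds if it reproduces that key.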
What Are the Benefits of Kerberos Authentication?
Now that we have a firm grasp of what Kerberos authentication is and how it works, let’s turn to how it can benefit your company and end users.
Kerberos authentication carries a range of advantages, especially compared to some of its predecessors. Some of these end user benefits include:
- Powerful encryption
- Single sign-on (SSO)
- Open standard
- Mutual authentication
- Fast authentication processing
- Authentication delegation
- Integrated and renewable sessions
- Centralized username and password data storage
- Improved network security
For MSPs, it’s important to know about Kerberos because it’s integral to so many of the operating systems and applications we use on a daily basis. But this authentication protocol also holds distinct advantages that can help MSPs better serve their customers and drive their business forward.