Kerberos
Kerberos?provides a centralized authentication server whose function is to authenticate users to servers and servers to users. In Kerberos Authentication server and database is used for client authentication. Kerberos runs as a third-party trusted server known as the Key Distribution Center (KDC).
Kerberos and NTLM are network protocols that form a subgroup in the Internet Protocols (IPs) family. Both are authentication methods that use TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). NTLM stands for NT LAN Manager and was developed before Kerberos. It is a challenge-response authentication protocol in which the target computer requests a password, which is then verified and stored as password hashes for further use.
One of the main differences between Kerberos and NTLM is third-party verification. In that way, Kerberos has a stronger encryption function than NTLM because the?extra step adds another layer of security. NTLM, meanwhile, can be cracked relatively easily, which is why it is considered insecure these days and should not be used. However, both authentication protocols are still implemented in the Windows authentication module.
Kerberos addresses the man-in-the-middle design weakness we face with NTLM.
The main components of Kerberos are:?
·???????? Authentication Server (AS):? The Authentication Server performs the initial authentication and ticket for Ticket Granting Service.? ?
·???????? Database:? The Authentication Server verifies the access rights of users in the database.? ?
·???????? Ticket Granting Server (TGS):? The Ticket Granting Server issues the ticket for the Server
Key Distribution Center (KDC): The KDC consists of the Authentication Server (AS) and the Ticket Granting Server (TGS).
?Kerberos Authentication Flow
Step-1:? User login and request services on the host. Thus, user requests for ticket-granting service.? ?
Step-2:? Authentication Server verifies user’s access right using database and then gives ticket-granting-ticket and session key. Results are encrypted using the Password of the user.? ?
Step-3:? The decryption of the message is done using the password then send the ticket to Ticket Granting Server. The Ticket contains authenticators like usernames and network addresses.? ?
领英推荐
Step-4:? Ticket Granting Server decrypts the ticket sent by User and authenticator verifies the request then creates the ticket for requesting services from the Server.? ?
Step-5:? The user sends the Ticket and Authenticator to the Server.? ?
Step-6:? The server verifies the Ticket and authenticators then generate access to the service. After this User can access the services.?
A Golden Ticket attack is an attack technique where a malicious actor manipulates the Kerberos authentication protocol utilized within Windows networks to gain unrestricted access to an organization's entire domain—including devices, files, and domain controllers.
Kerberos Limitations
·???????? Each network service must be modified individually ?for use with Kerberos
·???????? It doesn’t work well in a timeshare environment
·???????? Secured Kerberos Server
·???????? Requires an always-on Kerberos server
·???????? Stores all passwords are encrypted with a single key
·???????? Assumes workstations are secure
·???????? May result in cascading loss of trust.
·???????? Scalability