Project 4

Kamalpreet Sidhu
Gomathi Shanmugam
Tanvi Anand
AUTHENTICATION
What is Kerberos?
In mythology, Kerberos, also known as Cerberus, is a large three-headed dog
that guards the gates to the underworld to keep souls from escaping.
Kerberos, at its simplest, is an authentication protocol for client/server
applications. It is designed to provide secure authentication over an
insecure network. The protocol was initially developed by MIT in the
1980s and was named after the mythical three-headed dog that guarded
the underworld, Cerberus. It was later refined by Microsoft for inclusion in
Windows 2000 to replace NTLM, and the protocol remains open source.
While NTLM (New Technology LAN Manager) uses a three-way
handshake between the client and server, in which credentials are sent
between the systems, Kerberos avoids sending credentials across the
network.
Authentication With Kerberos
Authentication via Kerberos requires the use of a Key Distribution Center (KDC). This is
typically a service running on all Domain Controllers (DCs) as part of Active Directory
Domain Services (AD DS). It contains the following components:
1. Authentication Service (AS): authenticates users when they initially attempt to access
a service.
2. Ticket Granting Service (TGS): connects a user with the service server (for example, a
file server) based on information stored in the database.
3. Kerberos database: where the IDs and passwords are stored, often an LDAP server
or the Security Account Manager (SAM) database in an Active Directory environment.
Kerberos Authentication Steps
It is a multi-step process. Example: a user wishes to access a network file server to read a document.
STEP 1: The User Sends a Request to the AS
The user issues an encrypted request to the Authentication Server. When the AS receives the request, it looks
up the user's password in the Kerberos database based on the user ID.
If the user typed in the correct password, the AS can decrypt the request.
STEP 2: The AS Issues a TGT
After verifying the user, the AS sends back a Ticket Granting Ticket.
STEP 3: The User Sends a Request to the TGS
The user sends the TGT to the Ticket Granting Server. Along with the TGT, the user also states the reason
for accessing the file server.
The TGS decrypts the ticket with the secret key shared with the AS.
STEP 4: TGS Issues a Service Ticket
If the TGT is valid, the TGS issues a service ticket to the user.
STEP 5: The User Contacts the File Server with the Service Ticket
The client sends the service ticket to the file server. The file server decrypts the ticket with the secret key
shared with TGS.
STEP 6: The User Opens the Document
If the secret keys match, the file server allows the user to open the document. The service ticket determines
how long the user has access to the record.
Once access expires, the user needs to go through the entire Kerberos authentication protocol again.
Kerberos Encryption
When a new account is created on an Active Directory Domain Controller, it is assigned a username
and password.
The Kerberos client then adds a string known as a salt (a unique string used to improve
the randomness of a credential) along with the Kerberos version number. In most
configurations, the salt is the user's username. It then runs these two values through a
string2key function, which returns the shared secret.
On a workstation, the user requests access to a service (such as logging in to the
machine) by providing their username and password. The local Kerberos client performs
the same steps as the DC to arrive at a shared secret. If this secret matches the secret
stored on the DC, the user can log in.
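The six-step ticket flow and the string2key derivation above, as an added Python example that is not part of the original project: the KDC (AS and TGS), the workstation and the file server are simulated in one process, string2key is stood in for by PBKDF2 with the username as salt, and the seal/unseal cipher is a constructed placeholder (HMAC keystream plus a MAC), not a real Kerberos encryption type. The point it shows is that the password never leaves the workstation, each ticket opens only under the key of the party it is meant for, and a ticket stops working once its lifetime has passed.

```python
import hashlib, hmac, json, os, time

def string2key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string2key: PBKDF2 over the password, salted with the
    # principal name. DC and workstation both compute it and must get the same bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:  # >= n bytes of HMAC counter-mode keystream
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (HMAC keystream, encrypt-then-MAC): a constructed
    # placeholder for a real Kerberos encryption type, not one of them.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def unseal(key: bytes, blob: bytes):  # returns None on a wrong key or a tampered blob
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, accounts: dict):
        # Kerberos database: principal -> derived key; no clear-text password is kept.
        self.keys = {p: string2key(pw, p) for p, pw in accounts.items()}
        self.krbtgt = os.urandom(32)  # key shared by the AS and the TGS
    def as_exchange(self, user: str, lifetime: float = 300) -> tuple:
        # STEPS 1-2: no password on the wire; the reply opens only with the user's key.
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "sk": sk, "exp": time.time() + lifetime})
        return tgt, seal(self.keys[user], {"sk": sk})
    def tgs_exchange(self, tgt: bytes, service: str, lifetime: float = 300) -> bytes:
        # STEPS 3-4: TGS opens the TGT with the AS-shared key, issues a ticket under the service's key.
        t = unseal(self.krbtgt, tgt)
        if t is None or t["exp"] < time.time():
            raise ValueError("invalid or expired TGT")
        return seal(self.keys[service], {"user": t["user"], "exp": time.time() + lifetime})

def client_session_key(password: str, user: str, as_reply: bytes):
    # Workstation side: re-derive the key from the typed password; a wrong password yields None.
    reply = unseal(string2key(password, user), as_reply)
    return reply["sk"] if reply else None

def service_accepts(service_key: bytes, ticket: bytes):
    # STEPS 5-6: the file server opens the ticket with its own key and honours its lifetime.
    t = unseal(service_key, ticket)
    return t["user"] if t and t["exp"] >= time.time() else None
```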
Benefits of Kerberos
It Is Mature
Kerberos has been in use for a long time, which, in security terms, says a lot about its
effectiveness.
It Meets Modern Distributed System Requirements
Kerberos meets the requirements of modern distributed systems. It enables secure
authentication within open environments with insecure communication links.
It Is Architecturally Sound
The sound, well-designed architectural foundations of Kerberos allow it to evolve and integrate with other
systems.
It Is Integrated Into Popular Operating Systems
Kerberos is already integrated into popular operating systems and software applications and has become a
critical component of IT infrastructure. It is the default authorization technology in Microsoft Windows. It uses
third-party ticket authorization and strong cryptography to make it harder for hackers to gain access to a
corporate network. With Kerberos, organizations can access the internet without having to worry about
compromising their safety.
Some techniques used to defend against attacks on our Kerberos infrastructure
are:
• Logging and monitoring
• Patching
• Set admin and service accounts to "Sensitive and cannot be delegated"
• Do not add computer accounts to administrator groups
• Run the Local Security Authority Subsystem Service (LSASS) in protected mode
• Enforce Privileged Attribute Certificate (PAC) authentication for TGS
• Principle of least privilege
• Use strong, unique passwords for administrative, local, and service accounts
• Enable Windows Defender Credential Guard (except on domain controllers)
• Disable RC4 encryption
You can detect the majority of these attacks with native tools by monitoring logs. An
overview of the various attacks you will find against Kerberos systems:
• Golden Ticket Attack
• Silver Ticket Attack
• Backdoor Skeleton Key Malware Attack
• Pass the Hash Attack
• Pass the Ticket
• Overpass the Hash
• Kerberoasting
• Replay attack
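One way to turn the "monitor logs" advice above into concrete detection logic, as an added Python example that is not part of the original project: it scans service-ticket request events for RC4-encrypted tickets and flags an account that requests tickets for many distinct service accounts in one go, the pattern Kerberoasting leaves behind on a domain that has not yet disabled RC4. The event ID 4769 and its field names come from the Windows Security log as I know it, not from the page; the log lines are constructed and simplified to one line per event.

```python
import re
from collections import defaultdict

# Constructed, simplified Security-log lines in the shape of Windows event 4769
# ("A Kerberos service ticket was requested"); field names follow the real event.
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=FS01$ TicketEncryptionType=0x12 ClientAddress=10.0.0.5
2024-03-01T09:00:02 EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 ClientAddress=10.0.0.9
2024-03-01T09:00:02 EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 ClientAddress=10.0.0.9
2024-03-01T09:00:03 EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 ClientAddress=10.0.0.9
2024-03-01T09:00:03 EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=svc_mail TicketEncryptionType=0x17 ClientAddress=10.0.0.9
2024-03-01T09:00:04 EventID=4624 AccountName=carol@CORP.LOCAL LogonType=3
2024-03-01T09:00:05 EventID=4769 AccountName=carol@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 ClientAddress=10.0.0.7
"""

LINE = re.compile(r"EventID=4769 AccountName=(\S+) ServiceName=(\S+) "
                  r"TicketEncryptionType=(0x[0-9a-fA-F]+) ClientAddress=(\S+)")
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP; AES tickets are 0x11 / 0x12

def rc4_service_ticket_requests(log: str):
    """One (account, service, client) tuple per RC4 service-ticket request, skipping
    computer accounts (name ends in $) and the krbtgt principal (TGT traffic)."""
    hits = []
    for m in LINE.finditer(log):
        account, service, etype, client = m.groups()
        if etype.lower() in RC4_ETYPES and not service.endswith("$") and service != "krbtgt":
            hits.append((account, service, client))
    return hits

def kerberoasting_suspects(log: str, threshold: int = 3):
    """Accounts that requested RC4 tickets for at least `threshold` distinct service
    accounts. Returns {account: sorted list of services} for review."""
    per_account = defaultdict(set)
    for account, service, _ in rc4_service_ticket_requests(log):
        per_account[account].add(service)
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= threshold}
```

Tune `threshold` to the environment: a service account that legitimately talks to several RC4-only services will show up until RC4 is disabled, which is itself a useful finding.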
The bottom line is that Kerberos is here to stay, and there are no
replacements in the immediate future. Most of today's security
advancements are meant to protect passwords or provide a
different method for validating an identity. Kerberos remains the
back-end technology in these solutions. It is still an effective and
usable solution in the connected workplace because of
SSO (Single Sign-On), which lets users prove their identity just
once to access multiple applications.
THE END