PROJECT 4
Kamalpreet Sidhu, Gomathi Shanmugam, Tanvi Anand
AUTHENTICATION

What is Kerberos?
In mythology, Kerberos, also known as Cerberus, is a large three-headed dog that guards the gates of the underworld to keep souls from escaping. Kerberos, at its simplest, is an authentication protocol for client/server applications. It is designed to provide secure authentication over an insecure network. The protocol was initially developed by MIT in the 1980s and was named after the mythical three-headed dog who guarded the underworld, Cerberus. It was later refined by Microsoft for inclusion in Windows 2000 to replace NTLM, and the protocol remains open source. While NTLM (New Technology LAN Manager) uses a three-way handshake between the client and server, where credentials are sent between the systems, Kerberos avoids sending credentials across the network.

Authentication With Kerberos
Authentication via Kerberos requires the use of a Key Distribution Center (KDC). This is typically a service running on all Domain Controllers (DCs) as part of Active Directory Domain Services (AD DS). It contains the following components:
1. Authentication Service (AS): Authenticates users when they initially attempt to access a service.
2. Ticket Granting Service (TGS): Connects a user with the service server (for example, a file server) based on information stored in the database.
3. Kerberos database: Where the IDs and passwords are stored, often an LDAP server or the Security Account Manager (SAM) database in an Active Directory environment.

Kerberos Authentication Steps
It is a multi-step process. Example: a user wishes to access a network file server to read a document.
STEP 1: The User Sends a Request to the AS
The user issues an encrypted request to the Authentication Server. When the AS gets the request, it searches for the password in the Kerberos database based on the user ID. If the user typed in the correct password, the AS decrypts the request.
STEP 2: The AS Issues a TGT
After verifying the user, the AS sends back a Ticket Granting Ticket (TGT).
STEP 3: The User Sends a Request to the TGS
The user sends the TGT to the Ticket Granting Server. Along with the TGT, the user also explains the reason for accessing the file server. The TGS decrypts the ticket with the secret key shared with the AS.
STEP 4: The TGS Issues a Service Ticket
If the TGT is valid, the TGS issues a service ticket to the user.
STEP 5: The User Contacts the File Server with the Service Ticket
The client sends the service ticket to the file server. The file server decrypts the ticket with the secret key shared with the TGS.
STEP 6: The User Opens the Document
If the secret keys match, the file server allows the user to open the document. The service ticket determines how long the user has access to the record. Once access expires, the user needs to go through the entire Kerberos authentication protocol again.

Kerberos Encryption
When creating a new account on an Active Directory Domain Controller, you get a username and password. The Kerberos client then adds a string known as a salt (a unique string used to improve the randomness of a credential) along with the Kerberos version number. In most configurations, the salt is the user's username. It then runs these two values through a string2key function, which returns the shared secret. On a workstation, the user requests access to a service (such as logging in to the machine) by providing their username and password. The local Kerberos client performs the same steps as the DC to arrive at a shared secret. If this secret matches the secret stored on the DC, the user can log in.

Benefits of Kerberos
It Is Mature
Kerberos has been in use for a long time, which, in terms of security, says a lot about its effectiveness.
It Meets Modern Distributed System Requirements
Kerberos meets the requirements of modern distributed systems.
It enables secure authentication within open environments with insecure communication links.
It Is Architecturally Sound
The sound, well-designed architectural foundations of Kerberos allow it to evolve and integrate with other systems.
It Is Integrated Into Popular Operating Systems
Kerberos is already integrated into popular operating systems and software applications and has become a critical component of IT infrastructure. It is the default authentication technology in Microsoft Windows. It uses third-party ticket authorization and strong cryptography to make it harder for hackers to gain access to a corporate network. With Kerberos, organizations can access the internet without having to worry about compromising their safety.

Some techniques used to defend against attacks on our Kerberos infrastructure are:
• Logging and monitoring
• Patching
• Set admin and service accounts to "Sensitive and cannot be delegated"
• Do not add computer accounts to administrator groups
• Run the Local Security Authority Subsystem Service (LSASS) in protected mode
• Enforce Privileged Attribute Certificate (PAC) authentication for the TGS
• Principle of least privilege
• Use strong, unique passwords for administrative, local, and service accounts
• Enable Windows Defender Credential Guard (except on domain controllers)
• Disable RC4 encryption

An overview of the various attacks you will find against Kerberos systems:
• Golden Ticket attack
• Silver Ticket attack
• Backdoor Skeleton Key malware attack
• Pass the Hash attack
• Pass the Ticket
• Overpass the Hash
• Kerberoasting
• Replay attack
You can detect the majority of these attacks using native tools to monitor logs.

The bottom line is that Kerberos is here to stay, and there are no replacements in the immediate future. Most of today's security advancements are meant to protect passwords or provide a different method for validating an identity. Kerberos remains the back-end technology in these solutions.
It is still an effective and usable solution in the connected workplace because of SSO (Single Sign-On), which lets users prove their identity just once to access multiple applications.
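As an added example (not part of the original project), the six-step exchange and the string2key derivation described above, simulated in Python: a toy HMAC-based cipher stands in for the real Kerberos encryption types, string2key is reduced to its PBKDF2 stage, and the user "alice", her password, the service name and the 600-second lifetime are constructed values. It shows why a wrong password fails at the AS, why the file server can verify a ticket without contacting the KDC, and that only sealed blobs ever cross the wire.

```python
import hashlib, hmac, json, os, time

def string2key(password, salt):
    # Simplified string2key: PBKDF2-HMAC-SHA1 (RFC 3962 first stage; DK step omitted)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 16)
def keystream(key, nonce, n):  # HMAC counter keystream for the toy cipher below
    return b"".join(hmac.new(key, nonce + bytes([i]), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, obj):  # toy encrypt-then-MAC standing in for a real Kerberos enctype
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):  # raises ValueError if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))
# Constructed KDC state: the database holds string2key(password, salt=username), as the
# page describes, never the password; the TGS and file server have random long-term keys.
KDC_DB = {"alice": string2key("correct horse", "alice")}
TGS_KEY, FILESERVER_KEY = os.urandom(16), os.urandom(16)

def kdc_as(user, preauth):  # steps 1-2: AS-REQ (encrypted timestamp) and AS-REP (TGT)
    client_key = KDC_DB[user]
    unseal(client_key, preauth)  # a wrong password yields a different key and fails here
    sk = os.urandom(16).hex()
    tgt = seal(TGS_KEY, {"user": user, "sk": sk, "exp": time.time() + 600})
    return tgt, seal(client_key, {"sk": sk})

def kdc_tgs(tgt, authenticator, service):  # steps 3-4: TGS-REQ and TGS-REP
    t = unseal(TGS_KEY, tgt)  # the TGS key is shared only between the AS and the TGS
    auth = unseal(bytes.fromhex(t["sk"]), authenticator)
    if time.time() > t["exp"] or auth["user"] != t["user"]:
        raise ValueError("expired TGT or authenticator/ticket mismatch")
    sk2 = os.urandom(16).hex()
    ticket = seal(FILESERVER_KEY, {"user": t["user"], "sk": sk2, "svc": service})
    return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2})

def fileserver_ap(ticket, authenticator):  # steps 5-6: AP-REQ, then the document opens
    t = unseal(FILESERVER_KEY, ticket)  # the file server never contacts the KDC here
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

def client_login(user, password):  # the client side; only sealed blobs cross the wire
    k = string2key(password, user)  # same derivation as the DC, done locally
    tgt, rep = kdc_as(user, seal(k, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(k, rep)["sk"])
    ticket, rep2 = kdc_tgs(tgt, seal(sk, {"user": user, "ts": time.time()}), "cifs/fileserver")
    sk2 = bytes.fromhex(unseal(sk, rep2)["sk"])
    return fileserver_ap(ticket, seal(sk2, {"user": user, "ts": time.time()}))
```

Calling client_login("alice", "correct horse") returns "alice"; a wrong password raises ValueError inside kdc_as, before any ticket is issued.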