Kerberos Objectives

Components of Kerberos

1. Ticket Granting Ticket (TGT)
- A TGT is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
2. Key Distribution Center (KDC)
- The Key Distribution Center (KDC) is a network service that runs on a domain controller and supplies tickets and temporary session keys.
- It acts as the trusted third party for the Kerberos protocol within a realm.
- It maintains the Kerberos database, which stores the long-term secret keys for all principals (users and services) in its realm.
- It comprises two services:
2.1. Authentication Server (AS)
- The Authentication Server (AS) is the service within the KDC that handles the initial client authentication.
- Its primary function is to issue a Ticket-Granting Ticket (TGT) to a client upon successful authentication.
- Process Flow (KRB_AS_REQ & KRB_AS_REP):
- KRB_AS_REQ (Client to AS): The client sends a request to the AS containing the client's Principal Name, the SPN of the TGS, and a pre-authentication block. The pre-authentication data typically consists of a timestamp encrypted with the client's long-term key, which is a hash derived from the user's password.
- Verification: The AS receives the request, looks up the client's principal in the Kerberos database to retrieve its long-term key, and uses it to decrypt the pre-authentication data. A successful decryption validates the client's identity.
- KRB_AS_REP (AS to Client): Upon success, the AS generates two pieces of data:
- TGS Session Key: A temporary symmetric key (Session Key_TGS) for the client to use when communicating with the TGS.
- Ticket-Granting Ticket (TGT): A ticket that includes the client's Principal Name, the TGS Session Key, a timestamp, and a ticket lifetime. The entire TGT is encrypted with the TGS's long-term secret key, making it opaque to the client.
- The AS encrypts the TGS Session Key and other data for the client using the client's long-term key and sends this along with the encrypted TGT back to the client.
2.2. Ticket Granting Service (TGS)
- The Ticket Granting Service (TGS) is the service within the KDC responsible for issuing service tickets to clients for specific services within the realm.
- Process Flow (KRB_TGS_REQ & KRB_TGS_REP):
- KRB_TGS_REQ (Client to TGS): To access a service, the client sends a request to the TGS containing:
- The TGT obtained from the AS.
- An Authenticator, which is a data block containing the client's Principal Name and a timestamp, encrypted with the TGS Session Key (Session Key_TGS). The authenticator proves the client is the legitimate owner of the TGT.
- The SPN of the target service.
- Verification: The TGS decrypts the TGT using its own long-term secret key to retrieve the TGS Session Key. It then uses this TGS Session Key to decrypt the authenticator. If the authenticator is valid and the timestamp is current, the request is approved.
- KRB_TGS_REP (TGS to Client): The TGS generates a service ticket and a new session key for the client-to-service communication.
- Service Ticket: Contains the client's Principal Name, a new Client-to-Server Session Key (Session Key_C2S), a timestamp, and a ticket lifetime. The entire service ticket is encrypted with the target service's long-term secret key.
- The TGS encrypts the Session Key_C2S using the Session Key_TGS and sends it, along with the encrypted service ticket, back to the client.
3. Service Principal Name (SPN)
- A service principal name is an identifier given to a service instance to associate that service instance with a domain service account.
4. Kerberos Database
- Where the IDs and passwords are stored, often an LDAP server or the Security Account Manager (SAM) database in an Active Directory environment.
- Windows requires that services have a domain service account, which is why a service needs an SPN set.
5. Session Key
- Issued by the KDC when the TGT is issued.
- The client presents the TGT, together with an authenticator encrypted with the session key, to the KDC when requesting a service ticket.
Three pairs of Request-Response
Kerberos authentication works in 3 pairs:
- AS_REQ and AS_REP
- TGS_REQ and TGS_REP
- AP_REQ and AP_REP

Kerberos Authentication Protocol workflow
- AS_REQ: The client requests an authentication ticket, or Ticket Granting Ticket (TGT).
- AS_REP: The Key Distribution Centre (KDC) verifies the client and sends back an encrypted Ticket Granting Ticket (TGT).
- TGS_REQ: The client sends the encrypted TGT to the Ticket Granting Server (TGS) with the Service Principal Name (SPN) of the service the client wants to access.
- TGS_REP: The Key Distribution Centre (KDC) verifies the user's Ticket Granting Ticket (TGT) and that the user has access to the service, then sends a valid session key for the service to the client.
- AP_REQ: The client requests the service and sends the valid session key to prove the user has access.
- AP_REP: The service grants access.
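The three exchanges above (AS, TGS and AP), simulated end to end in one script. This is an added example, not part of the original notes: the KDC, client and service are plain Python functions, the realm EXAMPLE.LOCAL, the user alice and the SPN HTTP/web01.example.local are constructed names, and the "cipher" is a stand-in built from HMAC-SHA256 so that the script runs with the standard library alone (real Kerberos uses its own encryption types and string-to-key function). It shows what each message carries, that the TGT is opaque to the client that holds it, that a wrong password fails at pre-authentication, and that the AP_REP echo of the authenticator timestamp gives the client mutual authentication.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"                  # constructed realm name
TGS_PRINCIPAL = f"krbtgt/{REALM}"       # the TGS's own principal, whose key seals TGTs
CLOCK_SKEW = 300                        # max age of a pre-auth block or authenticator (s)
TICKET_LIFETIME = 10 * 3600             # ticket lifetime in seconds


def long_term_key(principal: str, password: str) -> bytes:
    """Derive a principal's long-term key from its password (toy string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption: nonce || (json XOR keystream) || HMAC tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or a modified blob."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return json.loads(bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) of one realm."""

    def __init__(self, database: dict):
        self.db = database              # Kerberos database: principal -> long-term key

    def as_exchange(self, cname: str, preauth: bytes, now: int):
        """KRB_AS_REQ -> KRB_AS_REP. Pre-auth is a timestamp sealed with the client's key."""
        client_key = self.db[cname]
        stamp = unseal(client_key, preauth)          # fails if the client's password was wrong
        if abs(stamp["timestamp"] - now) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        sk_tgs = os.urandom(32).hex()                # TGS session key
        tgt = seal(self.db[TGS_PRINCIPAL], {"cname": cname, "key": sk_tgs,
                                             "authtime": now, "endtime": now + TICKET_LIFETIME})
        enc_part = seal(client_key, {"key": sk_tgs, "endtime": now + TICKET_LIFETIME})
        return tgt, enc_part                         # TGT readable only by the TGS

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str, now: int):
        """KRB_TGS_REQ -> KRB_TGS_REP."""
        t = unseal(self.db[TGS_PRINCIPAL], tgt)
        if now > t["endtime"]:
            raise ValueError("TGT expired")
        sk_tgs = bytes.fromhex(t["key"])
        auth = unseal(sk_tgs, authenticator)         # proves the requester holds the session key
        if auth["cname"] != t["cname"] or abs(auth["timestamp"] - now) > CLOCK_SKEW:
            raise ValueError("authenticator does not match TGT or is stale")
        sk_c2s = os.urandom(32).hex()                # client-to-server session key
        ticket = seal(self.db[spn], {"cname": t["cname"], "key": sk_c2s,
                                     "authtime": now, "endtime": now + TICKET_LIFETIME})
        enc_part = seal(sk_tgs, {"key": sk_c2s, "sname": spn})
        return ticket, enc_part


def ap_exchange(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bytes:
    """KRB_AP_REQ -> KRB_AP_REP, done by the application service itself; the KDC is not involved."""
    t = unseal(service_key, ticket)
    sk_c2s = bytes.fromhex(t["key"])
    auth = unseal(sk_c2s, authenticator)
    if auth["cname"] != t["cname"] or abs(auth["timestamp"] - now) > CLOCK_SKEW or now > t["endtime"]:
        raise ValueError("AP_REQ rejected")
    return seal(sk_c2s, {"timestamp": auth["timestamp"]})   # echo proves the service holds its key


def run_full_flow(typed_password: str, now: int = None) -> dict:
    """Client side of all three exchanges for a constructed user; reports what each party learned."""
    now = int(time.time()) if now is None else now
    user, spn = f"alice@{REALM}", f"HTTP/web01.example.local@{REALM}"   # constructed principals
    kdc_db = {user: long_term_key(user, "correct horse"),             # constructed password
              TGS_PRINCIPAL: os.urandom(32), spn: os.urandom(32)}
    kdc = KDC(kdc_db)
    client_key = long_term_key(user, typed_password)                   # derived locally by the client
    try:
        tgt, enc = kdc.as_exchange(user, seal(client_key, {"timestamp": now}), now)
        sk_tgs = bytes.fromhex(unseal(client_key, enc)["key"])
    except ValueError:
        return {"authenticated": False}
    try:                                   # the client cannot open its own TGT
        unseal(client_key, tgt)
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk_tgs, {"cname": user, "timestamp": now}), spn, now)
    sk_c2s = bytes.fromhex(unseal(sk_tgs, enc2)["key"])
    ap_rep = ap_exchange(kdc_db[spn], ticket, seal(sk_c2s, {"cname": user, "timestamp": now}), now)
    return {"authenticated": True, "tgt_opaque_to_client": tgt_opaque,
            "mutual_auth_ok": unseal(sk_c2s, ap_rep)["timestamp"] == now,
            "service_saw_client": unseal(kdc_db[spn], ticket)["cname"]}


if __name__ == "__main__":
    print(run_full_flow("correct horse"))
```

Each party only ever decrypts with a key it legitimately holds: the client with its long-term key and the session keys it was handed, the TGS with the krbtgt key, the service with its own key. Tampering with a ticket or sending a stale authenticator fails the HMAC or skew check, which is the toy analogue of the KDC's and service's verification steps in the notes.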

Difference between NTLM and Kerberos authentication
