What is Kerberos?

Kerberos is an authentication protocol, not an authorization one. This means that the protocol is responsible for identifying each user, through a password known only to that user, but does not determine which resources or services that user may or may not access.

Kerberos is used extensively in Active Directory. On this platform, Kerberos provides information about the privileges of each authenticated user.

But it is the responsibility of each service to verify that those privileges are sufficient to access its resources.

Elements that are part of Kerberos

Several elements make up the Kerberos ecosystem; this section goes through them.

Transport layer

It should be noted that Kerberos uses UDP or TCP as its transport protocol. Both transmit information in the clear, so Kerberos must provide the encryption layer itself.

The Kerberos protocol uses ports UDP/88 and TCP/88, on which the KDC (explained in the next section) listens.

Agents

In Kerberos, several agents take part in user authentication. Among these are the following:

  • The client or user who wants to access the service.
  • The AP (Application Server), which exposes the service that the user wants to access.
  • The KDC (Key Distribution Center), the Kerberos service responsible for distributing tickets to clients, installed on the DC (Domain Controller). It also hosts the AS (Authentication Service), which is responsible for issuing the TGTs.

Encryption keys

Several structures managed by Kerberos, such as tickets, are transmitted encrypted or signed.

This prevents them from being manipulated by third parties. The encryption keys used by Kerberos, in Active Directory, are as follows:

  • KDC key or krbtgt: key derived from the NTLM hash of the krbtgt account.
  • User key: key derived from the user’s own NTLM hash (that is, from the user’s password).
  • Service key: key derived from the NTLM hash of the service owner, which can be a user or service account.
  • Session key: key negotiated by the client and the KDC.
  • Service session key: a negotiated key to use between the client and the AP.

Tickets

Kerberos handles structures called “tickets,” which are delivered to authenticated users so that they can perform specific actions within the Kerberos domain. Two types are distinguished:

The TGS (Ticket Granting Service) is presented to a service in order to access its resources. It is encrypted with the corresponding service key.

The TGT (Ticket Granting Ticket) is presented to the KDC in order to obtain a TGS. It is encrypted with the KDC key.

PAC

The PAC (Privilege Attribute Certificate) is a structure included in most tickets. It contains the user’s privileges and is signed with the KDC key.

Services can verify the PAC by contacting the KDC, although this is not common. Note that this verification only checks the PAC’s signature; it does not check whether the privileges it contains are correct.

On the other hand, a client can prevent the PAC from being included by specifying this in the KERB-PA-PAC-REQUEST field of the ticket request.
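The key separation described in the Encryption keys, Tickets and PAC sections above, modelled as an added example (this is not code from the original page and not a real Kerberos implementation): each structure is sealed under the key the text names, so only the agent holding that key can read it, and the PAC signature can only be checked by the KDC. Assumptions: keys are derived with SHA-256 instead of the NTLM hash, the "etype" is a toy HMAC-based cipher, and the account names and passwords are constructed sample values.

```python
import hashlib, hmac, json, os

def derive_key(secret: str) -> bytes:
    # Stand-in for the NTLM-derived keys (assumption: SHA-256 of the UTF-16LE password, not MD4).
    return hashlib.sha256(secret.encode("utf-16-le")).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:  # keystream of the toy cipher
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy encrypt-then-MAC (not a Kerberos etype): only a holder of `key` can read or alter it.
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, krbtgt_password: str, accounts: dict):
        self.krbtgt_key = derive_key(krbtgt_password)                # KDC key
        self.keys = {n: derive_key(p) for n, p in accounts.items()}  # user and service keys

    def sign_pac(self, pac: dict) -> str:
        return hmac.new(self.krbtgt_key, json.dumps(pac, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def verify_pac(self, pac: dict, sig: str) -> bool:
        # Only the KDC holds this key, which is why an AP has to ask the KDC to verify a PAC.
        return hmac.compare_digest(sig, self.sign_pac(pac))

    def issue_tgt(self, user: str, groups: list) -> tuple:
        # AS exchange: TGT sealed with the KDC key, session key sealed with the user key.
        pac, session = {"user": user, "groups": groups}, os.urandom(16).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "session": session, "pac": pac, "pac_sig": self.sign_pac(pac)})
        return tgt, seal(self.keys[user], {"session": session})

    def issue_tgs(self, tgt: bytes, service: str) -> bytes:
        # TGS exchange: only the KDC can open the TGT; PAC + signature move into a service-key ticket.
        body = unseal(self.krbtgt_key, tgt)
        return seal(self.keys[service], {"user": body["user"], "session": os.urandom(16).hex(),
                                         "pac": body["pac"], "pac_sig": body["pac_sig"]})

def ap_accept(service_password: str, tgs: bytes) -> dict:
    # The AP opens the service ticket with its own key and reads the PAC as delivered.
    return unseal(derive_key(service_password), tgs)
```

Running the flow end to end shows that the client can open the AS reply but not its own TGT, that the AP can read the ticket only with the right service key, and that a PAC with altered groups fails the KDC's signature check.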

Messages

The Kerberos protocol allows the different agents to communicate through several types of messages.