The beginning and origin
First, let’s go back to Greek mythology, where the name Kerberos appears for the first time. Kerberos, or Cerberus as some of you might know him, guards the gates to the Underworld. He is a big three-headed dog with a really bad temper.
The name and the strong visual of Kerberos were used by the MIT computer scientists Steve Miller and Clifford Neuman for their computer network authentication protocol.
Microsoft introduced its version of Kerberos in Windows 2000. Since then it has become a standard for websites and Single Sign-On implementations across all platforms. The Kerberos Consortium maintains Kerberos as an open-source project.
The strong cryptography and third-party ticket authorization make it much more difficult for cybercriminals to infiltrate your network or impersonate your users.
Kerberos has made the internet and its users more secure, and enables everybody to get more work done on the Internet or in the office without compromising safety.
Kerberos in a nutshell
Basically, Kerberos comes down to this:
- a protocol for authentication
- uses tickets to authenticate
- avoids storing passwords locally or sending them over the internet
- involves a trusted 3rd-party
- built on symmetric-key cryptography
You have a ticket — your proof of identity, encrypted with a secret key for the particular service requested — on your local machine; as long as it is valid, you can access the requested service within a Kerberos realm.
Typically, this is used within internal environments. Perhaps you want to access your internal payroll site to review what little bonus you have received. Rather than re-entering your username and password, your ticket (cached on your system) is used to authenticate, allowing for single sign-on.
How do you authenticate with Kerberos?
Here are the most basic steps taken to authenticate in a Kerberized environment.
- The client requests an authentication ticket (TGT) from the Key Distribution Center (KDC)
- The KDC verifies the credentials and sends back an encrypted TGT and session key
- The TGT is encrypted using the Ticket Granting Service (TGS) secret key
- The client stores the TGT, and when it expires the local session manager requests another one (this process is transparent to the user)
If the client is requesting access to a service or other resource on the network, the process is as follows:
- The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access
- The KDC verifies the TGT of the user and that the user has access to the service
- TGS sends a valid session key for the service to the client
- The client forwards the session key to the service to prove the user has access, and the service grants access.
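The two exchanges listed above (the AS exchange that yields a TGT, the TGS exchange that yields a service ticket, and finally presenting the ticket to the service) simulated end to end, as an added example that is not part of the original post and not code from any Kerberos implementation. Everything in it is an assumption chosen for illustration: the KDC and client functions, the constructed principals alice and HTTP/payroll.example.internal, the lifetimes, and the toy HMAC-based cipher standing in for the RFC 3961 encryption types. It shows why a forged TGT, a wrong password or a stale authenticator fails at the KDC rather than at the service: each ticket is only readable with the key of the party it is addressed to.

```python
"""Toy simulation of the Kerberos AS, TGS and AP exchanges (added example, not real Kerberos)."""
import hashlib
import hmac
import json
import secrets
import time

TICKET_LIFETIME = 8 * 3600   # seconds a ticket stays valid (assumed value)
CLOCK_SKEW = 300             # authenticators older than this are rejected (assumed value)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Stands in for a real etype."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable dict: nonce || ciphertext || tag."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key or a modified blob raises ValueError."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or modified ticket)")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def string_to_key(password: str) -> bytes:
    """Toy string-to-key; real AES etypes derive the key with a salted PBKDF2."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Plays both KDC roles: the AS (issues TGTs) and the TGS (issues service tickets)."""

    def __init__(self):
        self.keys = {"krbtgt": secrets.token_bytes(32)}  # the TGS secret key

    def register(self, name: str, password: str):
        self.keys[name] = string_to_key(password)        # long-term key of a principal

    def _issue(self, ticket_key: bytes, client: str, service: str, now: float):
        """A ticket is readable only by the party holding ticket_key; the client gets the session key."""
        session_key = secrets.token_bytes(32)
        ticket = seal(ticket_key, {"client": client, "service": service,
                                   "key": session_key.hex(), "expires": now + TICKET_LIFETIME})
        return session_key, ticket

    def as_exchange(self, client: str) -> bytes:
        """AS-REQ/AS-REP: the TGT is sealed under the krbtgt key, the reply under the client's key."""
        session_key, tgt = self._issue(self.keys["krbtgt"], client, "krbtgt", time.time())
        return seal(self.keys[client], {"key": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str) -> bytes:
        """TGS-REQ/TGS-REP: check the TGT and the authenticator, then issue a ticket for spn."""
        now = time.time()
        t = open_(self.keys["krbtgt"], tgt)              # a forged or altered TGT fails here
        if t["expires"] < now:
            raise PermissionError("TGT expired; the client must obtain a new one")
        session_key = bytes.fromhex(t["key"])
        a = open_(session_key, authenticator)            # proves the sender knows the TGT session key
        if a["client"] != t["client"] or abs(now - a["time"]) > CLOCK_SKEW:
            raise PermissionError("authenticator does not match the TGT or is stale")
        svc_key, ticket = self._issue(self.keys[spn], t["client"], spn, now)
        return seal(session_key, {"key": svc_key.hex(), "ticket": ticket.hex()})


def client_login(kdc: KDC, name: str, password: str):
    """Returns (TGT, TGT session key); a wrong password leaves the AS-REP unreadable."""
    rep = open_(string_to_key(password), kdc.as_exchange(name))
    return bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["key"])


def client_get_service_ticket(kdc: KDC, name: str, tgt: bytes, session_key: bytes, spn: str):
    """Returns (service ticket, service session key) for the requested SPN."""
    authenticator = seal(session_key, {"client": name, "time": time.time()})
    rep = open_(session_key, kdc.tgs_exchange(tgt, authenticator, spn))
    return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP-REQ on the service side: decrypt the ticket with its own key, check the authenticator."""
    t = open_(service_key, ticket)
    a = open_(bytes.fromhex(t["key"]), authenticator)
    if t["expires"] < time.time() or a["client"] != t["client"]:
        raise PermissionError("ticket expired or authenticator mismatch")
    return t["client"]                                   # the authenticated principal


def rejects(fn, *args) -> bool:
    """True when the call is refused, i.e. a wrong key, forged ticket or stale authenticator."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False


def demo() -> str:
    """Constructed sample run: alice logs in and reaches the payroll service via SSO."""
    kdc = KDC()
    spn = "HTTP/payroll.example.internal"                 # constructed SPN
    kdc.register("alice", "correct horse battery staple")  # constructed user
    kdc.register(spn, secrets.token_hex(16))              # service account key
    tgt, tgt_key = client_login(kdc, "alice", "correct horse battery staple")
    ticket, svc_key = client_get_service_ticket(kdc, "alice", tgt, tgt_key, spn)
    authenticator = seal(svc_key, {"client": "alice", "time": time.time()})
    return service_accept(kdc.keys[spn], ticket, authenticator)


if __name__ == "__main__":
    print("service authenticated:", demo())
```

The design point worth noticing is that the service never sees the client's password or the krbtgt key: it trusts the ticket because only the KDC could have sealed it under the service's own key, and it trusts the caller because the authenticator was sealed under the session key carried inside that ticket.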
Kerberos has existed for quite a while — is it obsolete?
Kerberos is far from obsolete and has proven itself. The primary advantage of Kerberos is the ability to use strong encryption algorithms to protect passwords and authentication tickets. Even with today’s computers, any attack on the encryption used by the current version of Kerberos would take longer than our solar system has left to live. So, to be frank: Kerberos is going to be around for a while — we are pretty sure.
Is there a replacement for Kerberos?
There are no real competitors to replace Kerberos so far. Most advancements in security aim to protect your password or provide a different method of validating who you are to Kerberos; Kerberos is still the back-end technology. Kerberos excels at Single Sign-On (SSO), which makes it much more usable in a modern, internet-based and connected workplace. With SSO you prove your identity once to Kerberos, and then Kerberos passes your Ticket Granting Service to other services or machines as proof of your identity.
Kerberos authentication is the default authorization technology used by the big players. Microsoft Windows uses it, and implementations of Kerberos exist as well in Apple OS, FreeBSD, UNIX, and Linux.
What about Mobile?
Single Sign-On has always been a challenge on mobile phones, but Apple has provided a Single Sign-On solution since iOS 7. The second big player in mobile operating systems — Google’s Android — is left behind. Now that companies have to switch to Android Enterprise, because its predecessor is discontinued in 2019, the Android world is missing an important feature which used to work: native Kerberos SSO.
A Swiss software company with a mobile security focus has created a cross-enterprise mobility management solution called Hypergate. This neat application closes the Kerberos Single Sign-On gap on Android Enterprise and allows you to run a holistic BYOD strategy with no negative impact on security or infrastructure. This finally makes Android phones more attractive for businesses.
If you want to learn more about Hypergate or get a demo visit
Hypergate works without any user interaction. The app operates completely in the background. When a ticket is available, the user usually doesn’t even notice Hypergate at all.