Research Paper on Kerberos: Authentication Service

Introduction

Kerberos is an authentication service for computer networks. Kerberos which was designed by Massachusetts Institute of Technology (MIT) authenticates client/server applications by using secret-key cryptography (Eum 2008). It is used to provide secure communications over a non-secure network. Multiple users have the ability to use a single computer with different login credentials. Authentication is the process whereby the user's identity is verified.

In password based authentication present a problem in that passwords can be collected by eavesdropping. They are also inconvenient to thee user since they have to input their password to access a network service. Kerberos is a distributed authentication service whereby a principal (user) proves his identity through a process (client) to a verifier (a server). The process does not involve sending data between the client and server which may create a loophole for an attacker or the server to impersonate the principal (Jonahnsson 2013).

How Kerberos Works?

To prove that a client is running on behalf of a particular user, a number of encrypted messages are sent to the verifier (Hudson 2014). Kerberos uses timestamps to drastically reduce messages sent for authentication process and also supports subsequent authentication without the need for password through the ticket-granting service. A user authenticating itself to a new verifier depends on the authentication server to generate another encryption key which is then sent to the server and the verifier. The encryption key is known as a session key and verifier receives it through the Kerberos ticket.

Once the verifier receives the application request, it decrypts the ticket, source the session key and decrypts the authenticator with the session key. The verifier checks to see if the key use to encrypt is the same one used to decrypt the authenticator (Jonahnsson 2013). To avoid an attacker, the key includes a timestamp to ensure that the authenticator is recent within a period of five minutes. Verification protocol is described in detail.

User Client-Based Logon

A user access the protected application from a client and enters a user name and password. The client changes the password to an authentication key

Client Authentication

The client place a request to the authentication server by sending a message of the user ID (Davis and swick 1990). The authentication server confirms if the client is in the database and sends session key and ticket granting ticket to the client. The client then decrypts the session key.

Client service Authorization

The authenticator decrypts the ticket granting ticket and compares to the client identity to ensure they match. The server then sends the session key to the client.

Client Service Request

The client can now authenticate itself with the information it has to the Service Server by sending a new authenticator which contains the client ID, timestamp and which is encrypted using session key. The server provides the services to the client if the timestamp is correct.

Benefits

Due to Kerberos effectiveness, it is the default authentication protocol of Windows OS (Tung 1999). Kerberos is considered as a superior authenticator compared to NTLM authentication protocols for a number of reasons. One, Kerberos uses the ticketing system enabling it to have a faster authentication process. It also has an optional mutual authentication which makes it safer. Kerberos is an open standard and therefore it can provide single sign-on (SSO). SSO enables users to have one user ID and password for a system or service. Due to Kerberos effectiveness, it is the default authentication protocol of Windows OS.

References

B. Tung. 1999. Kerberos: A Network Authentication System. 1st ed. Oxford: Addison-Wesley Professional. p 4th.

D. Davis and R. Swick. 1990. Workstation Services and Kerberos Authentication at Project Athena. 1st ed. Massachussets: Massachusetts Institute of Technology. p 40-45.

S.Eum. 2008. EAP-Kerberos II: An adaptation of Kerberos to EAP for mutual authentication. 2008 8th International Conference on ITS Telecommunications 8(3):10-13.

"Kerberos: The Network Authentication Protocol." https://web.mit.edu. Massachusetts Institute of Technology, MIT 2008. Web. 5 April 2019.

L. Johansson . "An Information Model for Kerberos Version 5."Authentication(2013): 19-20. Web. 5 October 2019.

G. Hudson. "Camellia Encryption for Kerberos 5."computer science(2012): 1. Web. 5 October 2014.