Kerberos () is a computer-network

authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...

protocol Protocol may refer to: Sociology and politics * Protocol (politics), a formal agreement between nation states * Protocol (diplomacy), the etiquette of diplomacy and affairs of state * Etiquette, a code of personal behavior Science and technolog ...

that works on the basis of ''tickets'' to allow

nodes In general, a node is a localized swelling (a "knot") or a point of intersection (a Vertex (graph theory), vertex). Node may refer to: In mathematics *Vertex (graph theory), a vertex in a mathematical graph *Vertex (geometry), a point where two ...

communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides

mutual authentication Mutual authentication or two-way authentication (not to be confused with two-factor authentication) refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some prot ...

—both the user and the server verify each other's identity. Kerberos protocol messages are protected against

eavesdropping Eavesdropping is the act of secretly or stealthily listening to the private conversation or communications of others without their consent in order to gather information. Etymology The verb ''eavesdrop'' is a back-formation from the noun ''eaves ...

and

replay attack A replay attack (also known as a repeat attack or playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary wh ...

s. Kerberos builds on

symmetric-key cryptography Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between th ...

and requires a

trusted third party In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party; the Third Party reviews all critical transaction communications between the parties, based on the ease of c ...

, and optionally may use

public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...

during certain phases of authentication.RFC 4556, abstract. Kerberos uses

UDP port This is a list of TCP and UDP port numbers used by protocols for operation of network applications. The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) only need one port for duplex, bidirectional traffic. They usually u ...

88 by default. The protocol was named after the character '' Kerberos'' (or ''

Cerberus In Greek mythology, Cerberus (; grc-gre, Κέρβερος ''Kérberos'' ), often referred to as the hound of Hades, is a multi-headed dog that guards the gates of the Underworld to prevent the dead from leaving. He was the offspring of the mo ...

'') from

Greek mythology A major branch of classical mythology, Greek mythology is the body of myths originally told by the Ancient Greece, ancient Greeks, and a genre of Ancient Greek folklore. These stories concern the Cosmogony, origin and Cosmology#Metaphysical co ...

, the ferocious three-headed guard dog of

Hades Hades (; grc-gre, ᾍδης, Háidēs; ), in the ancient Greek religion and myth, is the god of the dead and the king of the underworld, with which his name became synonymous. Hades was the eldest son of Cronus and Rhea, although this also ...

History and development

Massachusetts Institute of Technology The Massachusetts Institute of Technology (MIT) is a private land-grant research university in Cambridge, Massachusetts. Established in 1861, MIT has played a key role in the development of modern technology and science, and is one of the ...

(MIT) developed Kerberos in 1988 to protect network services provided by

Project Athena Project Athena was a joint project of MIT, Digital Equipment Corporation, and IBM to produce a campus-wide distributed computing environment for educational use. It was launched in 1983, and research and development ran until June 30, 1991. , At ...

. The protocol is based on the earlier Needham–Schroeder symmetric-key protocol. Several versions of the protocol exist; versions 1–3 occurred only internally at MIT. Kerberos version 4 was primarily designed by Steve Miller and

Clifford Neuman Clifford may refer to: People *Clifford (name), an English given name and surname, includes a list of people with that name *William Kingdon Clifford *Baron Clifford *Baron Clifford of Chudleigh *Baron de Clifford *Clifford baronets * Clifford fam ...

. Published in the late 1980s, version 4 was also targeted at

. Neuman and John Kohl published version 5 in 1993 with the intention of overcoming existing limitations and security problems. Version 5 appeared as RFC 1510, which was then made obsolete by RFC 4120 in 2005. Authorities in the

United States The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territorie ...

classified Kerberos as "Auxiliary Military Equipment" on the US Munitions List and banned its

export An export in international trade is a good produced in one country that is sold into another country or a service provided in one country for a national or resident of another country. The seller of such goods or the service provider is an ...

because it used the

Data Encryption Standard The Data Encryption Standard (DES ) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cry ...

(DES)

encryption algorithm In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can deci ...

(with 56-bit keys). A Kerberos 4 implementation developed at the

Royal Institute of Technology The KTH Royal Institute of Technology ( sv, Kungliga Tekniska högskolan, lit=Royal Institute of Technology), abbreviated KTH, is a public research university in Stockholm, Sweden. KTH conducts research and education in engineering and technolo ...

Sweden Sweden, formally the Kingdom of Sweden,The United Nations Group of Experts on Geographical Names states that the country's formal name is the Kingdom of SwedenUNGEGN World Geographical Names, Sweden./ref> is a Nordic country located on ...

named KTH-KRB (rebranded to Heimdal at version 5) made the system available outside the US before the US changed its cryptography export regulations (around 2000). The Swedish implementation was based on a limited version called eBones. eBones was based on the exported MIT Bones release (stripped of both the encryption functions and the calls to them) based on version Kerberos 4 patch-level 9. In 2005, the

Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...

(IETF) Kerberos working group updated specifications. Updates included: * Encryption and Checksum Specifications (RFC 3961). *

Advanced Encryption Standard The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is a variant ...

(AES) Encryption for Kerberos 5 (RFC 3962). * A new edition of the Kerberos V5 specification "The Kerberos Network Authentication Service (V5)" (RFC 4120). This version obsoletes RFC 1510, clarifies aspects of the protocol and intended use in a more detailed and clearer explanation. * A new edition of the

Generic Security Services Application Program Interface The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services. The GSSAPI is an IETF standard that addresses the problem of many similar but inc ...

(GSS-API) specification "The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2" (RFC 4121). MIT makes an implementation of Kerberos freely available, under copyright permissions similar to those used for

BSD The Berkeley Software Distribution or Berkeley Standard Distribution (BSD) is a discontinued operating system based on Research Unix, developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Berk ...

. In 2007, MIT formed the Kerberos Consortium to foster continued development. Founding sponsors include vendors such as

Oracle An oracle is a person or agency considered to provide wise and insightful counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. As such, it is a form of divination. Description The word '' ...

Apple Inc. Apple Inc. is an American multinational technology company headquartered in Cupertino, California, United States. Apple is the largest technology company by revenue (totaling in 2021) and, as of June 2022, is the world's biggest company ...

Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...

, Centrify Corporation and TeamF1 Inc., and academic institutions such as the

in Sweden, Stanford University, MIT, and vendors such as CyberSafe offering commercially supported versions.

Microsoft Windows

Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RTM), releas ...

and later versions use Kerberos as their default authentication method. Some

additions to the Kerberos suite of protocols are documented in RFC 3244 "Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols". RFC 4757 documents Microsoft's use of the

RC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...

cipher. While Microsoft uses and extends the Kerberos protocol, it does not use the MIT software. Kerberos is used as the preferred authentication method: in general, joining a client to a Windows domain means enabling Kerberos as the default protocol for authentications from that client to services in the Windows domain and all domains with trust relationships to that domain. In contrast, when either client or server or both are not joined to a domain (or not part of the same trusted domain environment), Windows will instead use

NTLM In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is the successor to the authentication protocol in Microsoft L ...

for authentication between client and server. Internet web applications can enforce Kerberos as an authentication method for domain-joined clients by using APIs provided under SSPI. Microsoft Windows and Windows Server include , a

command-line A command-line interpreter or command-line processor uses a command-line interface (CLI) to receive commands from a user in the form of lines of text. This provides a means of setting parameters for the environment, invoking executables and pro ...

utility that can be used to read, modify, or delete the Service Principal Names (SPN) for an Active Directory service account.

Unix and other operating systems

Many Unix-like operating systems, including

FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...

OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project em ...

, Apple's

macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and lapt ...

Red Hat Enterprise Linux Red Hat Enterprise Linux (RHEL) is a commercial open-source Linux distribution developed by Red Hat for the commercial market. Red Hat Enterprise Linux is released in server versions for x86-64, Power ISA, ARM64, and IBM Z and a desktop version ...

Solaris Solaris may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Solaris'' (1972 film), directed by ...

, IBM's

AIX Aix or AIX may refer to: Computing * AIX, a line of IBM computer operating systems *An Alternate Index, for a Virtual Storage Access Method Key Sequenced Data Set * Athens Internet Exchange, a European Internet exchange point Places Belgi ...

HP-UX HP-UX (from "Hewlett Packard Unix") is Hewlett Packard Enterprise's proprietary implementation of the Unix operating system, based on Unix System V (initially System III) and first released in 1984. Current versions support HPE Integrity Ser ...

and others, include software for Kerberos authentication of users or services. A variety of non-Unix like operating systems such as

z/OS z/OS is a 64-bit operating system for IBM z/Architecture mainframes, introduced by IBM in October 2000. It derives from and is the successor to OS/390, which in turn was preceded by a string of MVS versions.Starting with the earliest: * O ...

IBM i IBM i (the ''i'' standing for ''integrated'') is an operating system developed by IBM for IBM Power Systems. It was originally released in 1988 as OS/400, as the sole operating system of the IBM AS/400 line of systems. It was renamed to i5/OS in ...

and

OpenVMS OpenVMS, often referred to as just VMS, is a multi-user, multiprocessing and virtual memory-based operating system. It is designed to support time-sharing, batch processing, transaction processing and workstation applications. Customers using Ope ...

also feature Kerberos support. Embedded implementation of the Kerberos V authentication protocol for client agents and network services running on embedded platforms is also available from companies.

Protocol

Description

The client authenticates itself to the Authentication Server (AS) which forwards the username to a

key distribution center {{cleanup, date=November 2011 In cryptography, a key distribution center (KDC) is part of a cryptosystem intended to reduce the risks inherent in exchanging keys. KDCs often operate in systems within which some users may have permission to use cer ...

(KDC). The KDC issues a ticket-granting ticket (TGT), which is time stamped and encrypts it using the ticket-granting service's (TGS) secret key and returns the encrypted result to the user's workstation. This is done infrequently, typically at user logon; the TGT expires at some point although it may be transparently renewed by the user's session manager while they are logged in. When the client needs to communicate with a service on another node (a "principal", in Kerberos parlance), the client sends the TGT to the TGS, which usually shares the same host as the KDC. The service must have already been registered with the TGS with a Service Principal Name (SPN). The client uses the SPN to request access to this service. After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues ticket and session keys to the client. The client then sends the ticket to the service server (SS) along with its service request. Kerberos protocol

The protocol is described in detail below.

User Client-based Login without Kerberos

# A user enters a username and password on the client machine(s). Other credential mechanisms like pkinit (RFC 4556) allow for the use of public keys in place of a password. The client transforms the password into the key of a symmetric cipher. This either uses the built-in key scheduling, or a one-way hash, depending on the cipher-suite used. #The server receives the username and symmetric cipher and compares it with the data from database. Login was a success if the cipher matches the cipher that is stored for the user.

Client Authentication

# The client sends a

cleartext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...

message of the user ID to the AS (Authentication Server) requesting services on behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.) # The AS checks to see whether the client is in its database. If it is, the AS generates the secret key by hashing the password of the user found at the database (e.g.,

Active Directory Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralize ...

in Windows Server) and sends back the following two messages to the client: #* Message A: ''Client/TGS Session Key'' encrypted using the secret key of the client/user. #* Message B: ''Ticket-Granting-Ticket'' (TGT, which includes the client ID, client

network address A network address is an identifier for a node or host on a telecommunications network. Network addresses are designed to be unique identifiers across the network, although some networks allow for local, private addresses, or locally administere ...

, ticket validity period, and the ''Client/TGS Session Key'') encrypted using the secret key of the TGS. # Once the client receives messages A and B, it attempts to decrypt message A with the secret key generated from the password entered by the user. If the user entered password does not match the password in the AS database, the client's secret key will be different and thus unable to decrypt message A. With a valid password and secret key the client decrypts message A to obtain the ''Client/TGS Session Key''. This session key is used for further communications with the TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.

Client Service Authorization

# When requesting services, the client sends the following messages to the TGS: #* Message C: Composed of the message B (the encrypted TGT using the TGS secret key) and the ID of the requested service. #* Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the ''Client/TGS Session Key''. # Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key. This gives it the ''Client/TGS Session Key'' and the client ID (both are in the TGT). Using this ''Client/TGS Session Key'', the TGS decrypts message D (Authenticator) and compares the client IDs from messages B and D; if they match, the server sends the following two messages to the client: #* Message E: ''Client-to-server ticket'' (which includes the client ID, client network address, validity period, and ''Client/Server Session Key'') encrypted using the service's secret key. #* Message F: ''Client/Server Session Key'' encrypted with the ''Client/TGS Session Key''.

Client Service Request

# Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the Service Server (SS). The client connects to the SS and sends the following two messages: #* Message E: From the previous step (the ''Client-to-server ticket'', encrypted using service's secret key). #* Message G: A new Authenticator, which includes the client ID, timestamp and is encrypted using ''Client/Server Session Key''. # The SS decrypts the ticket (message E) using its own secret key to retrieve the ''Client/Server Session Key''. Using the sessions key, SS decrypts the Authenticator and compares client ID from messages E and G, if they match server sends the following message to the client to confirm its true identity and willingness to serve the client: #* Message H: The timestamp found in client's Authenticator (plus 1 in version 4, but not necessary in version 5), encrypted using the ''Client/Server Session Key''. # The client decrypts the confirmation (message H) using the ''Client/Server Session Key'' and checks whether the timestamp is correct. If so, then the client can trust the server and can start issuing service requests to the server. # The server provides the requested services to the client.

Drawbacks and limitations

* Kerberos has strict time requirements, which means that the clocks of the involved hosts must be synchronized within configured limits. The tickets have a time availability period, and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuratio
per MIT
requires that clock times be no more than five minutes apart. In practice,

Network Time Protocol The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable- latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in c ...

daemons are usually used to keep the host clocks synchronized. Note that some servers (Microsoft's implementation being one of them) may return a KRB_AP_ERR_SKEW result containing the encrypted server time if both clocks have an offset greater than the configured maximum value. In that case, the client could retry by calculating the time using the provided server time to find the offset. This behavior is documented i
RFC 4430
* The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244. * In case of symmetric cryptography adoption (Kerberos can work using symmetric or asymmetric (public-key) cryptography), since all authentications are controlled by a centralized

(KDC), compromise of this authentication infrastructure will allow an attacker to impersonate any user. * Each network service that requires a different host name will need its own set of Kerberos keys. This complicates virtual hosting and clusters. * Kerberos requires user accounts and services to have a trusted relationship to the Kerberos token server. * The required client trust makes creating staged environments (e.g., separate domains for test environment, pre-production environment and production environment) difficult: Either domain trust relationships need to be created that prevent a strict separation of environment domains, or additional user clients need to be provided for each environment.

Vulnerabilities

The

(DES) cipher can be used in combination with Kerberos, but is no longer an Internet standard because it is weak. Security vulnerabilities exist in many legacy products that implement Kerberos because they have not been updated to use newer ciphers like AES instead of DES. In November 2014, Microsoft released a patch (MS14-068) to rectify an exploitable vulnerability in Windows implementation of the Kerberos Key Distribution Center (KDC). The vulnerability purportedly allows users to "elevate" (and abuse) their privileges, up to Domain level.

References

;General * * * * * * * * ;RFCs * The Kerberos Network Authentication Service (V5) bsolete* The Kerberos Version 5 GSS-API Mechanism * Encryption and Checksum Specifications for Kerberos 5 * Advanced Encryption Standard (AES) Encryption for Kerberos 5 * The Kerberos Network Authentication Service (V5) urrent* The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 * Kerberos Cryptosystem Negotiation Extension * Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) * Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) * The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows bsolete* Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP * Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) * Problem Statement on the Cross-Realm Operation of Kerberos * Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy * Additional Kerberos Naming Constraints * Anonymity Support for Kerberos * A Generalized Framework for Kerberos Pre-Authentication * Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol * The Unencrypted Form of Kerberos 5 KRB-CRED Message * Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility * One-Time Password (OTP) Pre-Authentication * Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos * Kerberos Options for DHCPv6 * Camellia Encryption for Kerberos 5 * Kerberos Principal Name Canonicalization and Cross-Realm Referrals * An Information Model for Kerberos Version 5 * AES Encryption with HMAC-SHA2 for Kerberos 5

External links

Kerberos Consortium

Kerberos page
at

MIT The Massachusetts Institute of Technology (MIT) is a private land-grant research university in Cambridge, Massachusetts. Established in 1861, MIT has played a key role in the development of modern technology and science, and is one of the m ...

website
Kerberos Working Group
at

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...

website
Kerberos Sequence Diagram

Heimdal/Kerberos implementation
{{DEFAULTSORT:Kerberos (Protocol) Authentication protocols Computer access control protocols Computer network security Key transport protocols Symmetric-key algorithms Massachusetts Institute of Technology software