25ᵗʰ Nov 2024

Introduction

Authentication is the cornerstone of modern cybersecurity. In this blog we see various authentication protocols, with a special focus on Kerberos, while covering other crucial protocols used in today's enterprise and web environments.

Kerberos Authentication

What is Kerberos?

Kerberos, named after the three-headed dog of Greek mythology, is a network authentication protocol developed by MIT that provides strong security through ticket-based authentication. It is designed to provide secure authentication in a distributed network environment.

Key Components

• Key Distribution Center (KDC)
  • Authentication Server (AS)
  • Ticket Granting Server(TGS)
  • Database (Stored User Credentials)
• Ticket Granting Ticket (TGT) generated by AS
  • Client Identity and Authorization data
  • Client-TGS Session key
  • Timestamp and Lifetime of TGT
  • TGS Information
• Service Ticket
  • Client Identity and Authorization data
  • Client-Service Session Key
  • Timestamp and Lifetime of Service Ticket
  • Service Server Identity
  • Other authentication metadata
• Session Keys - Used to created Secure communication
• Authenticator
  • Client identity
  • Timestamp
  • Client’s IP address or Session-specific data

How Kerberos Works

Client Request to Authentication Server for TGT

1. User(Client) enters credentials to Access File Server(Service Server) and User App send request to Authentication Server with User credentials and hashed password, Client IP which all are with encrypted Client Secret key.

2. Authentication Server decrypt with request and hashed password verifies user identity with Database(Active Directory) and Generate TGT encrypted with TGS secret Key and Client-TGS Session Key which used to create protected session with client to TGS and encrypted Client Secret Key and Send back these two messages (TGT and Client-TGS session Key) to client.

   NOTE :- Client-TGS session Key sent by Authentication Server present in both message one in TGT which encrypted with TGS's secret Key and in Second messaged Client-TGS session Key encrypted with Client's session key.

Client Receive Service Ticket from TGS

3. Client Decrypt Client-TGS Session Key and Send 3 piece of Information to TGS which are Encrypted TGT, Resource detail and Authenticator encrypted by Client-TGS Session Key.
4. TGS decrypt TGT using his secret key and generate Service Ticket (Contain Client-Service Session Key) which is encrypted with Service Server's Secret Key and Client-Service Session key with is encrypted with Client-TGS Session Key and Send these information to client.

Client Establish Session with Service Server

5. Client Decrypt Client-Service Session Key using Client-TGS Session Key and Send Service Ticket (As a proof of Authentication) and Client-Service Session Key encrypted with Authenticator.
6. Service Server(File Server) decrypt the Service Ticket which reveals the Client-Service Session Key using that Decrypt the Authenticator to validate timestamp and client identity. After Validating information establish session client and Service server resources.

Advantages of Kerberos

• Mutual authentication between client and server
• Single Sign-On (SSO) capability
• Delegated authentication support via KDC
• Time-stamped tickets prevent replay attacks
• Stronger encryption methods
• Scalable for enterprise environments

Other Authentication Protocols

NTLM (New Technology LAN Manager)

• Used for: Authentication in Windows-based networks and applications
• Key features:
  • Challenge-response mechanism
  • No password transmission
  • No Mutual Authentication
  • Limited Security Features
• Best for:
  • Legacy Systems
  • Non-Domain Authentication
• Implementation Scenarios:
  • Windows Workgroup Environments
  • When Kerberos is not available
  • Legacy Application Support
  • Mixed-Environment Networks

SSL/TLS Authentication

• Used for: Secure communication over networks
• Key features:
  • Certificate-based authentication
  • Public key infrastructure (PKI)
  • Perfect forward secrecy
• Best for:
  • HTTPS websites
  • Secure email (SMTP/IMAP/POP3)
  • VPN connections
• Implementation scenarios:
  • E-commerce platforms
  • Banking applications
  • API security

SSH (Secure Shell)

• Used for: Remote system access and file transfer
• Key features:
  • Public key authentication
  • Password authentication
  • Host-based authentication
• Best for:
  • Remote server management
  • Secure file transfers
  • DevOps operations
• Common in:
  • Linux/Unix environments
  • Cloud infrastructure management
  • Automated deployments

SAML (Security Assertion Markup Language)

• Used for: Enterprise SSO
• Key features:
  • XML-based protocol
  • Identity federation
  • Cross-domain authentication
• Best for:
  • Enterprise applications
  • Cloud service access
  • B2B integrations

OAuth 2.0

• Used for: Authorization framework
• Key features:
  • Token-based authentication
  • Scoped access
  • Resource delegation
• Best for:
  • API authentication
  • Mobile applications
  • Third-party integrations

OpenID Connect

• Used for: Identity layer on OAuth 2.0
• Key features:
  • JWT tokens
  • UserInfo endpoint
  • Standard claims
• Best for:
  • Consumer applications
  • Social login
  • Mobile apps

RADIUS (Remote Authentication Dial-In User Service)

• Used for: Network access authentication
• Key features:
  • AAA framework (Authentication, Authorization, Accounting)
  • Centralized authentication
  • Network policy enforcement
• Best for:
  • VPN access
  • Network device authentication
  • WiFi authentication

LDAP (Lightweight Directory Access Protocol)

• Used for: Directory service authentication
• Key features:
  • Hierarchical directory structure
  • Centralized user management
  • Flexible schema
• Best for:
  • Enterprise user management
  • Application authentication
  • Directory services

When to Use Each Protocol?

Enterprise Authentication

• Kerberos: Modern Windows domains, enterprise SSO
• NTLM: Legacy Windows systems, workgroup environments
• LDAP: Directory services, user management
• RADIUS: Network access control, VPN authentication

Web and API Security

• SSL/TLS: All secure web communications
• OAuth 2.0: API authorization, mobile apps
• OpenID Connect: Consumer identity, social login
• SAML: Enterprise SSO, B2B integration

System Administration

• SSH: Remote server access, secure file transfer
• Certificate-based: Infrastructure security, service authentication
• MFA: Additional security layer for any protocol