6.1 Kerberos


Kerberos is the protocol most often associated with the AAA framework. Kerberos was originally developed for Unix-based systems and is defined in RFC 1510. Kerberos is an authentication infrastructure used to ensure the identity of users and systems on a network. The current version of Kerberos is 5.0, and there are Kerberos clients for almost every operating system.

Kerberos relies on a combination of secret-key encryption and cryptographic protocols to ensure the authentication of users. The process, outlined in Figure 6.2, is fairly simple: a network administrator sets up an authentication server, known as a Ticket Granting Server (TGS). One or more realms (usually domains) are created on the TGS. A user requesting access to a particular realm must get a ticket from the TGS by authenticating to that server.

Figure 6.2. The Kerberos authentication process [figure image not reproduced]

When a user authenticates against the TGS, a special ticket is issued. This Ticket Granting Ticket (TGT) is used any time that user needs access to a service or device in the realm that requires authentication. The user presents the TGT to the TGS, which issues a ticket for that particular device or service.

The user only needs to authenticate against the TGS once per session. The rest of the time, the TGS uses the information in the TGT to grant access. Kerberos derives a key from the user's password and uses it to encrypt the TGT packet with the Data Encryption Standard (DES). [1] The user decrypts the packet and uses the ticket to gain access to the desired service or device.

[1] Modern versions of Kerberos actually use 3DES encryption.

Kerberos Version 4.0 was found to have several security flaws, especially in the area of password authentication. It was particularly susceptible to dictionary attacks because it derived the encryption key from a one-way hash of the password alone. Kerberos 5.0 avoids this problem by deriving the key from the password combined with the realm. This makes it much more difficult for an attacker to launch a password attack.
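To make the ticket flow in the two preceding passages concrete, here is an added simulation that is not from the book: a KDC that plays the login (AS) and ticket-granting (TGS) roles, a client that authenticates once, obtains a TGT, and trades it for a service ticket, and an application server that validates the ticket with only its own key. The realm, principal names, password and lifetimes are constructed; the cipher is a toy encrypt-then-MAC stand-in for the DES/3DES the book mentions, and `string_to_key` is a deliberately simplified stand-in for the real Kerberos string-to-key function. The `realm_salting` helper shows the Version 4 versus Version 5 difference: without the realm in the derivation, identical passwords in two realms produce identical keys.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 8 * 3600  # constructed value; real deployments configure this

# --- toy cipher: HMAC-based keystream plus HMAC tag (stand-in for DES/3DES) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON dict (ticket, enc-part or authenticator) and append a tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reject a wrong key (e.g. a mistyped password) or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str, salt: str = "") -> bytes:
    """Simplified key derivation. salt="" models the v4 password-only hash;
    salt=realm models the v5 behaviour of mixing the realm into the key."""
    return hashlib.sha256((salt + password).encode()).digest()

class KDC:
    """Holds the realm's long-term keys; acts as both the login server and the TGS."""
    def __init__(self, realm: str):
        self.realm, self.user_keys, self.service_keys = realm, {}, {}
        self.tgs_key = os.urandom(32)          # only the TGS can open a TGT

    def add_user(self, name: str, password: str) -> None:
        self.user_keys[name] = string_to_key(password, self.realm)  # key stored, never the password

    def add_service(self, name: str) -> bytes:
        self.service_keys[name] = os.urandom(32)
        return self.service_keys[name]         # provisioned to the service host out of band

    def as_exchange(self, user: str):
        """Login reply: TGT sealed under the TGS key + session key sealed under the user's key."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "session_key": sk, "expires": time.time() + TICKET_LIFETIME})
        return tgt, seal(self.user_keys[user], {"session_key": sk})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Ticket request: open the TGT, check the authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if t["expires"] < time.time():
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["user"] != t["user"] or abs(a["timestamp"] - time.time()) > 300:
            raise ValueError("authenticator mismatch or stale")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.service_keys[service],
                      {"user": t["user"], "session_key": svc_sk, "expires": time.time() + TICKET_LIFETIME})
        return ticket, seal(bytes.fromhex(t["session_key"]), {"session_key": svc_sk})

class Client:
    def __init__(self, kdc: KDC, user: str):
        self.kdc, self.user, self.tgt, self.tgs_session_key = kdc, user, None, None

    def kinit(self, password: str) -> None:
        """One-time login: only the right password-derived key opens the reply."""
        tgt, enc_part = self.kdc.as_exchange(self.user)
        key = string_to_key(password, self.kdc.realm)
        self.tgs_session_key = bytes.fromhex(unseal(key, enc_part)["session_key"])
        self.tgt = tgt

    def service_ticket(self, service: str):
        """Later accesses reuse the TGT; the password is not needed again."""
        auth = seal(self.tgs_session_key, {"user": self.user, "timestamp": time.time()})
        ticket, enc_part = self.kdc.tgs_exchange(self.tgt, auth, service)
        return ticket, bytes.fromhex(unseal(self.tgs_session_key, enc_part)["session_key"])

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """The application server validates with its own key and never contacts the KDC."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if t["expires"] < time.time() or a["user"] != t["user"]:
        raise ValueError("invalid ticket")
    return t["user"]

def demo(password_typed: str) -> bool:
    """Full flow for a constructed realm; False if login or ticket validation fails."""
    kdc = KDC("EXAMPLE.COM")
    kdc.add_user("alice", "correct horse")
    file_key = kdc.add_service("cifs/fileserver")
    client = Client(kdc, "alice")
    try:
        client.kinit(password_typed)
        ticket, svc_key = client.service_ticket("cifs/fileserver")
        auth = seal(svc_key, {"user": "alice", "timestamp": time.time()})
        return service_accepts(file_key, ticket, auth) == "alice"
    except ValueError:
        return False

def realm_salting(password: str = "correct horse"):
    """(v4 keys collide across realms, v5 keys differ) for the same password."""
    v4_collide = string_to_key(password) == string_to_key(password)          # realm ignored
    v5_differ = string_to_key(password, "EXAMPLE.COM") != string_to_key(password, "OTHER.ORG")
    return v4_collide, v5_differ
```

Run `demo("correct horse")` to see a successful login and service access, and `demo("wrong")` to see the login reply fail to decrypt, which is the point of the password-derived key: the KDC never sees the password and a wrong guess yields an unreadable reply rather than an error message that confirms anything. `realm_salting()` illustrates why a single precomputed dictionary works against the v4 derivation but must be rebuilt per realm against v5.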

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska