LLMpedia: the first transparent, open encyclopedia generated by LLMs

Kerberos (protocol)

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article genealogy (expansion funnel): raw 61 → dedup 38 → NER 12 → enqueued 11; 26 candidates rejected as not named entities, 1 rejected by similarity.
Name: Kerberos
Developer: Massachusetts Institute of Technology
Introduced: 1988
OSI layer: Application layer
Ports: 88 (TCP, UDP)
RFCs: RFC 4120, RFC 6649

Kerberos (protocol). Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It was developed as part of Project Athena at the Massachusetts Institute of Technology during the 1980s and is now a core component of many enterprise security infrastructures. The protocol is named after Kerberos, the three-headed dog of Greek mythology that guards the entrance to the underworld, reflecting its role as a gatekeeper for network services. Its messages are protected against eavesdropping and replay, and it provides mutual authentication: the user and the server can each verify the other's identity.

Overview

The primary goal of the protocol is to provide strong authentication for client-server applications using symmetric-key cryptography and a trusted third party, the Key Distribution Center (KDC). The KDC, typically consisting of an Authentication Server (AS) and a Ticket-Granting Server (TGS), shares a long-term secret key with every principal (user or service) in its realm and keeps those keys in its database. A fundamental concept is the Ticket-Granting Ticket (TGT), which a client obtains after initial authentication and then uses to request service tickets without presenting its password again. This system is foundational to the security architecture of major operating systems: it is the default authentication method in Microsoft Active Directory domains and is widely used in Unix-like environments.

Protocol details

The protocol operates through three exchanges, defined in RFC 4120. In the Authentication Service Exchange the client sends an AS-REQ naming itself and the ticket-granting service; in most deployments it must pre-authenticate, typically by including a timestamp encrypted under its long-term key (PA-ENC-TIMESTAMP). The AS-REP carries a TGT encrypted under the ticket-granting service's own long-term key (the krbtgt principal), which the client cannot read, plus a TGS session key encrypted under the client's long-term key, which is derived from the user's password; only a client holding the right key can recover that session key. In the Ticket-Granting Service Exchange the client presents the TGT together with an authenticator (its name and a fresh timestamp, encrypted under the TGS session key) and asks for a ticket to a specific service, such as a file or mail server; the TGS-REP returns a service ticket encrypted under that service's long-term key and a new session key shared between the client and the service. In the Client/Server Exchange the client sends the service ticket and a new authenticator (AP-REQ) to the target server, which decrypts the ticket with its own key, recovers the session key and checks the authenticator. Replay is limited by the timestamps in authenticators, which must fall within a small clock-skew window (commonly five minutes) and which servers may record in a replay cache, while nonces in the KDC requests bind each reply to the request it answers. A ticket contains the client's identity, the session key, authentication and validity times, flags and optionally the client's network addresses. If the client asks for mutual authentication, the server answers with an AP-REP containing the client's timestamp encrypted under the session key, which proves that it holds the service key.
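The three exchanges above, played out between a simulated KDC, client and application server, as an added example that is not part of the original article and not code from MIT Kerberos, Heimdal or Windows. It keeps the message contents of RFC 4120 (pre-authentication timestamp, TGT under the krbtgt key, session keys under the client's key, authenticators, AP-REP, a replay cache) but swaps in assumptions for everything else: JSON dictionaries instead of ASN.1, a throw-away HMAC-SHA256 keystream plus MAC in place of the RFC 3962 AES encryption types, an 8-hour lifetime, and the made-up realm EXAMPLE.COM with principals alice and host/fs1.example.com.

```python
"""Toy model of the three Kerberos V5 exchanges (AS, TGS, AP) in one process.
Constructed illustration, not code from MIT Kerberos, Heimdal or Windows: JSON dicts
replace ASN.1, a throw-away HMAC-SHA256 keystream plus MAC replaces the RFC 3962 AES
encryption types, and the realm EXAMPLE.COM, alice and fs1 are made up."""
import hashlib, hmac, json, os, time
LIFETIME, SKEW = 8 * 3600, 300   # assumed ticket lifetime; the usual 5-minute clock skew

def string_to_key(password, salt):
    """Password -> long-term key (RFC 3962 also uses PBKDF2, with its own parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, msg):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal(); ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_ticket(service_key, cname, session_key):
    now = time.time()   # client name, session key and validity, sealed under the service key
    return seal(service_key, {"cname": cname, "key": session_key.hex(),
                              "authtime": now, "endtime": now + LIFETIME})

def authenticator(session_key, cname):
    return seal(session_key, {"cname": cname, "timestamp": time.time()})

def check_authenticator(ticket, auth):
    if time.time() > ticket["endtime"]:
        raise ValueError("ticket expired")
    if auth["cname"] != ticket["cname"] or abs(time.time() - auth["timestamp"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")

class KDC:
    """Authentication Server plus Ticket-Granting Server for one realm."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}
        self.add_principal("krbtgt", os.urandom(16).hex())   # TGS long-term key
    def add_principal(self, name, password):
        self.keys[name] = string_to_key(password, self.realm + name)
    def as_exchange(self, cname, padata, nonce):
        """AS-REQ -> AS-REP; padata is PA-ENC-TIMESTAMP, a timestamp under the client key."""
        ckey = self.keys[cname]
        if abs(time.time() - unseal(ckey, padata)["timestamp"]) > SKEW:  # wrong key raises
            raise ValueError("pre-authentication timestamp outside skew window")
        tgs_session = os.urandom(32)
        tgt = make_ticket(self.keys["krbtgt"], cname, tgs_session)
        return tgt, seal(ckey, {"key": tgs_session.hex(), "nonce": nonce, "sname": "krbtgt"})
    def tgs_exchange(self, tgt, auth, sname, nonce):
        """TGS-REQ -> TGS-REP: TGT and authenticator in, service ticket out."""
        t = unseal(self.keys["krbtgt"], tgt)
        tgs_session = bytes.fromhex(t["key"])
        check_authenticator(t, unseal(tgs_session, auth))
        svc_session = os.urandom(32)
        ticket = make_ticket(self.keys[sname], t["cname"], svc_session)
        return ticket, seal(tgs_session, {"key": svc_session.hex(), "nonce": nonce, "sname": sname})

def ap_exchange(service_key, replay_cache, ticket, auth):
    """Service side of AP-REQ: verify ticket and authenticator, refuse replays, answer AP-REP."""
    t = unseal(service_key, ticket)
    session = bytes.fromhex(t["key"])
    a = unseal(session, auth)
    check_authenticator(t, a)
    if (a["cname"], a["timestamp"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((a["cname"], a["timestamp"]))
    return t["cname"], seal(session, {"timestamp": a["timestamp"]})  # AP-REP: mutual auth

def run_exchanges(password="correct horse battery staple"):
    """Client side of all three exchanges: (name the server saw, mutual ok, replay refused)."""
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse battery staple")
    kdc.add_principal("host/fs1.example.com", os.urandom(16).hex())
    fs1_key, fs1_replay_cache = kdc.keys["host/fs1.example.com"], set()
    ckey, nonce = string_to_key(password, kdc.realm + "alice"), os.urandom(4).hex()
    tgt, enc = kdc.as_exchange("alice", seal(ckey, {"timestamp": time.time()}), nonce)
    rep = unseal(ckey, enc)   # 1. AS-REP: only the right password-derived key opens it
    if rep["nonce"] != nonce:
        raise ValueError("AS-REP nonce mismatch")
    tgs_session = bytes.fromhex(rep["key"])
    nonce = os.urandom(4).hex()   # 2. TGS exchange: TGT plus fresh authenticator buys a ticket
    ticket, enc = kdc.tgs_exchange(tgt, authenticator(tgs_session, "alice"),
                                   "host/fs1.example.com", nonce)
    svc_session = bytes.fromhex(unseal(tgs_session, enc)["key"])
    ap_req = authenticator(svc_session, "alice")   # 3. AP exchange, then verify the AP-REP
    who, ap_rep = ap_exchange(fs1_key, fs1_replay_cache, ticket, ap_req)
    mutual_ok = unseal(svc_session, ap_rep)["timestamp"] == unseal(svc_session, ap_req)["timestamp"]
    try:   # 4. replaying the captured AP-REQ must be refused by the replay cache
        ap_exchange(fs1_key, fs1_replay_cache, ticket, ap_req)
        replay_refused = False
    except ValueError:
        replay_refused = True
    return who, mutual_ok, replay_refused
```

Running run_exchanges() returns ("alice", True, True); calling it with a wrong password fails inside the KDC's pre-authentication check, because the PA-ENC-TIMESTAMP was sealed under a key the KDC does not hold, and the same failure would occur on the client side when it tries to open the AS-REP. The replay cache is keyed on the client name and authenticator timestamp, the same pair real implementations use; note that without it the skew window alone would let an attacker reuse a captured AP-REQ for several minutes.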

Security considerations

While robust, the protocol's security rests on the protection of the KDC and the secrecy of long-term keys. Compromise of the KDC (in Active Directory, a domain controller) compromises the whole realm, because the ticket-granting service's key lets an attacker forge TGTs for any principal. Because user keys are derived from passwords, password guessing is a persistent threat: pre-authentication stops an unauthenticated attacker from simply requesting an AS-REP for a user and guessing the password offline against it, but accounts with pre-authentication disabled remain exposed to exactly that attack. Service tickets are encrypted under the service account's long-term key, so any authenticated principal can request tickets for services that run under password-based accounts and attempt offline guessing against them (commonly called Kerberoasting); weak or legacy encryption types such as RC4-HMAC make that guessing far cheaper than AES. Over its history weak algorithms have been retired: RFC 3962 added AES encryption types, RFC 6649 deprecated DES, and RFC 8429 deprecated 3DES and RC4. Delegation is a further concern: with unconstrained delegation a service receives and stores the client's forwarded TGT, so compromising that host yields the credentials of every client that has connected to it, and misconfigured constrained or resource-based constrained delegation lets a service impersonate users to other services; either can lead to privilege escalation.
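A check a defender can run against the offline-guessing risk described above, as an added example that is not part of the original article and not a Microsoft or vendor detection rule: it screens Windows Security event 4769 records (service ticket requested) for tickets issued under deprecated encryption types, which are the ones cheapest to crack, and flags accounts that collect such tickets for many distinct services, the usual shape of Kerberoasting. The event lines, the one-line key=value format and the threshold of three services are constructed assumptions; the encryption-type numbers are the standard Kerberos etype values.

```python
"""Screen Windows event 4769 records for service-ticket requests with weak etypes.
Constructed example: the records below are made up, using the field names of the
Windows Security event 4769 (A Kerberos service ticket was requested); the line
format and the threshold are assumptions, not a Microsoft or vendor rule."""
from collections import defaultdict

# Kerberos encryption type numbers; DES deprecated by RFC 6649, 3DES and RC4 by RFC 8429
ETYPE_NAMES = {0x01: "des-cbc-crc", 0x03: "des-cbc-md5", 0x10: "des3-cbc-sha1",
               0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96",
               0x17: "rc4-hmac"}
WEAK_ETYPES = {0x01, 0x03, 0x10, 0x17}

# Constructed sample events: ISO timestamp, then key=value fields separated by spaces.
# jsmith pulls RC4 tickets for three service accounts in ten seconds (Kerberoast-like);
# legacyapp uses RC4 for one service; machine-account and krbtgt tickets are normal.
SAMPLE_EVENTS = """\
2024-05-02T09:14:02Z EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.5.21
2024-05-02T09:14:05Z EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.5.21
2024-05-02T09:15:10Z EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.5.21
2024-05-02T09:15:11Z EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.5.21
2024-05-02T09:15:12Z EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.5.21
2024-05-02T09:20:44Z EventID=4769 AccountName=legacyapp@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.9.8
2024-05-02T09:21:00Z EventID=4768 AccountName=jsmith@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.5.21
"""

def parse_events(text):
    """One event per line: timestamp, then key=value fields (no spaces inside values)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"timestamp": ts}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
        events.append(ev)
    return events

def weak_etype_requests(events):
    """4769 records for tickets issued under a deprecated etype to a service that is
    neither krbtgt nor a machine account (name ending in $): the crackable ones."""
    return [ev for ev in events
            if ev["EventID"] == "4769" and ev["TicketEncryptionType"] in WEAK_ETYPES
            and ev["ServiceName"] != "krbtgt" and not ev["ServiceName"].endswith("$")]

def kerberoast_candidates(events, min_services=3):
    """Accounts that obtained weak-etype tickets for at least min_services distinct services."""
    services_per_account = defaultdict(set)
    for ev in weak_etype_requests(events):
        services_per_account[ev["AccountName"]].add(ev["ServiceName"])
    return sorted(acct for acct, svcs in services_per_account.items() if len(svcs) >= min_services)

def report(text=SAMPLE_EVENTS):
    """Summary a responder would review: each weak request, then the accounts to investigate."""
    events = parse_events(text)
    weak = [(ev["AccountName"], ev["ServiceName"], ETYPE_NAMES[ev["TicketEncryptionType"]])
            for ev in weak_etype_requests(events)]
    return {"weak_requests": weak, "candidates": kerberoast_candidates(events)}
```

On the sample, the four RC4 requests are listed and only jsmith@CORP.EXAMPLE crosses the threshold; legacyapp's single RC4 ticket is noise to be fixed by enabling AES on that service account rather than an intrusion. The etype check is the important one: a modern client asks for AES, so an RC4 ticket for an account that supports AES means the requester deliberately downgraded, which is what cracking tools do.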

Implementations

The original implementation from the Massachusetts Institute of Technology remains a widely used reference. Microsoft integrated the protocol as the core authentication mechanism for Windows 2000 and all subsequent Active Directory domains. In the Unix and Linux world, MIT Kerberos and Heimdal are the prevalent implementations, providing the libraries and GSS-API mechanism through which services such as the Apache HTTP Server and OpenSSH authenticate users. Other significant implementations include the one in Apple's macOS and the support for Java applications through the Java Authentication and Authorization Service (JAAS). Many cloud computing platforms and single sign-on solutions also incorporate Kerberos-compatible technologies.

History and development

The protocol was created in the late 1980s by Steve Miller and Clifford Neuman as part of Project Athena, a joint project of the Massachusetts Institute of Technology, Digital Equipment Corporation and IBM. Versions 1 to 3 were used only inside MIT; Version 4 was released in 1988 but had limitations, including a dependence on network addresses and a tie to a single encryption system (DES). These issues led to Version 5, specified in RFC 1510 in 1993 and revised by RFC 4120 in 2005. Its adoption was significantly accelerated by its integration into Microsoft Windows 2000 and the Active Directory service introduced with it. The protocol has been the subject of continuous scrutiny by the Internet Engineering Task Force and the security community, leading to extensions for public-key initial authentication (PKINIT, RFC 4556) and ongoing work to retire weak encryption types as cryptographic threats evolve.

Categories: Authentication protocols; Application layer protocols; Network security; Massachusetts Institute of Technology