Kerberos is an authentication protocol, not an authorization one. This means that the protocol is responsible for identifying each user, through a password known only to that user, but it does not determine which resources or services that user may or may not access.
Kerberos is used most extensively in Active Directory. On that platform, Kerberos carries information about the privileges of each authenticated user.
But it is the responsibility of each service to verify that those privileges are sufficient to access its resources.
This section covers several components that make up the Kerberos ecosystem.
In this regard, it should be noted that Kerberos uses UDP or TCP as transport protocols, which transmit information in the clear, so Kerberos must provide the encryption layer itself.
The Kerberos protocol uses ports UDP/88 and TCP/88, on which the KDC (explained in the next section) listens.
In Kerberos, there are several services responsible for performing user authentication. Among these are the following:
The KDC (Key Distribution Center) is the Kerberos service responsible for distributing tickets to clients; in Active Directory it runs on the DC (Domain Controller). It also includes the AS (Authentication Service), which is responsible for issuing TGTs.
Several structures managed by Kerberos, such as tickets, are transmitted encrypted or signed.
This prevents them from being manipulated by third parties. The encryption keys used by Kerberos, in Active Directory, are as follows:
Kerberos handles structures called "tickets," which are delivered to authenticated users so that they can perform specific actions within the Kerberos domain. Two types are distinguished:
The TGS (Ticket Granting Service) ticket is presented to a service in order to access its resources. It is encrypted with the key of that service.
The TGT (Ticket Granting Ticket) is presented to the KDC in order to obtain a TGS. It is encrypted with the KDC key.
The PAC (Privilege Attribute Certificate) is a structure included in most tickets. It contains the user's privileges and is signed with the KDC key.
Services can verify the PAC by contacting the KDC, although this is not common. However, PAC verification only checks its signature; it does not check whether the privileges it lists are correct.
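The following is an added example, not code from the original article, that models the two statements above: the PAC is signed with a key the service does not hold, so a service can only check the part of the PAC protected with its own key, and even a fully verified PAC is just a list of privileges that the service must then interpret. Real PACs (MS-PAC) carry two checksums, a server checksum keyed with the service's key and a KDC checksum keyed with the krbtgt key; HMAC-SHA256, the JSON body and all keys and principal names below are constructed stand-ins.

```python
# Added example (not from the original article): a model of PAC protection and of
# what a service can verify on its own versus by asking the KDC.
# Real PACs use Kerberos checksum types; HMAC-SHA256 is a stand-in, and every key,
# user and group name here is constructed for illustration.
import hashlib
import hmac
import json


def _mac(key: bytes, data: bytes) -> bytes:
    """Keyed checksum stand-in for the real PAC checksum types."""
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_pac(user: str, groups: list, service_key: bytes, kdc_key: bytes) -> dict:
    """KDC side: serialise the privilege data and attach both checksums.
    As in MS-PAC, the KDC checksum is computed over the server checksum."""
    body = json.dumps({"user": user, "groups": sorted(groups)}).encode()
    server_sig = _mac(service_key, body)
    kdc_sig = _mac(kdc_key, server_sig)
    return {"body": body, "server_sig": server_sig, "kdc_sig": kdc_sig}


def service_verify(pac: dict, service_key: bytes) -> bool:
    """Service side: only the server checksum can be checked locally,
    because the service never holds the KDC key."""
    return hmac.compare_digest(_mac(service_key, pac["body"]), pac["server_sig"])


def kdc_verify(pac: dict, kdc_key: bytes) -> bool:
    """KDC side, reached only if the service chooses to ask: checks the KDC checksum."""
    return hmac.compare_digest(_mac(kdc_key, pac["server_sig"]), pac["kdc_sig"])


def service_authorise(pac: dict, service_key: bytes, required_group: str) -> bool:
    """Authorisation is the service's job: trust the PAC only once its checksum
    verifies, then take the access decision from the groups it lists.
    Nothing in the checksum says whether those groups are the 'right' ones."""
    if not service_verify(pac, service_key):
        return False
    groups = json.loads(pac["body"])["groups"]
    return required_group in groups


if __name__ == "__main__":
    service_key = b"constructed-service-key"
    kdc_key = b"constructed-krbtgt-key"
    pac = issue_pac("alice", ["Domain Users"], service_key, kdc_key)
    print("service check:", service_verify(pac, service_key))
    print("kdc check:", kdc_verify(pac, kdc_key))
    print("alice in Domain Admins:", service_authorise(pac, service_key, "Domain Admins"))
```

A PAC whose body has been altered fails the local check, and a PAC whose KDC checksum was not produced with the KDC key passes the local check but fails at the KDC, which is the gap that asking the KDC closes.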
On the other hand, a client can ask that the PAC not be included by specifying this in the KERB-PA-PAC-REQUEST field of the ticket request.
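To make the KERB-PA-PAC-REQUEST field concrete, here is an added example (not code from the original article) that encodes and decodes the pre-authentication element an AS-REQ carries for it, so that a captured request can be inspected for whether the client asked for the PAC to be omitted. The ASN.1 definitions are from RFC 4120 and MS-KILE, where padata-type 128 identifies PA-PAC-REQUEST and Kerberos tags are EXPLICIT; the encoder and the sample PA-ENC-TIMESTAMP element are constructed here for the demonstration.

```python
# Added example (not from the original article): minimal DER codec for the
# KERB-PA-PAC-REQUEST pre-authentication element inside an AS-REQ PA-DATA list.
#   PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
#   KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
# Kerberos ASN.1 modules use EXPLICIT tagging, so [n] wraps a full inner TLV.
from typing import Optional, Tuple

PA_PAC_REQUEST = 128  # padata-type registered for KERB-PA-PAC-REQUEST (MS-KILE)


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short or long-form length (bodies under 64 KiB)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b"\x81" + bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2 : pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, buf[pos : pos + length], pos + length


def _der_int(value: int) -> bytes:
    """DER INTEGER for non-negative values; a leading 0x00 keeps 128 positive."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _tlv(0x02, raw)


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """Build the complete PA-DATA element carrying KERB-PA-PAC-REQUEST."""
    boolean = _tlv(0x01, b"\xff" if include_pac else b"\x00")   # DER BOOLEAN
    pac_req = _tlv(0x30, _tlv(0xA0, boolean))                   # SEQUENCE { [0] BOOLEAN }
    return _tlv(0x30,
                _tlv(0xA1, _der_int(PA_PAC_REQUEST))            # padata-type  [1]
                + _tlv(0xA2, _tlv(0x04, pac_req)))              # padata-value [2]


def decode_pa_data(buf: bytes) -> Tuple[int, bytes]:
    """Parse one PA-DATA element into (padata_type, padata_value bytes)."""
    tag, seq, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("PA-DATA must be a SEQUENCE")
    tag1, ctx1, pos = _read_tlv(seq, 0)
    tag2, ctx2, _ = _read_tlv(seq, pos)
    if tag1 != 0xA1 or tag2 != 0xA2:
        raise ValueError("unexpected PA-DATA context tags")
    _, int_body, _ = _read_tlv(ctx1, 0)   # INTEGER inside [1]
    _, value, _ = _read_tlv(ctx2, 0)      # OCTET STRING inside [2]
    return int.from_bytes(int_body, "big", signed=True), value


def pac_requested(pa_data: bytes) -> Optional[bool]:
    """Return include-pac if this PA-DATA is a PA-PAC-REQUEST, otherwise None.
    A False result means the client asked the KDC to leave the PAC out."""
    ptype, value = decode_pa_data(pa_data)
    if ptype != PA_PAC_REQUEST:
        return None
    _, seq, _ = _read_tlv(value, 0)    # KERB-PA-PAC-REQUEST SEQUENCE
    _, ctx0, _ = _read_tlv(seq, 0)     # [0] EXPLICIT wrapper
    tag, body, _ = _read_tlv(ctx0, 0)  # the BOOLEAN itself
    if tag != 0x01:
        raise ValueError("include-pac must be a BOOLEAN")
    return body != b"\x00"


if __name__ == "__main__":
    for flag in (True, False):
        element = encode_pa_pac_request(flag)
        print(element.hex(), "->", pac_requested(element))
```

When walking a real AS-REQ, the same `decode_pa_data` loop runs over every element of the padata list; elements of other types (for example PA-ENC-TIMESTAMP, type 2) simply come back as `None` from `pac_requested`.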
The Kerberos protocol allows the different agents to communicate through several types of messages.