Secfense Supports Kerberos Authentication


Kerberos Authentication Protocol

You have a project. You need to connect an application over an insecure network. How should you do it if you don’t want to put application security at risk? One solution that is pretty popular in big organizations is the Kerberos authentication protocol.

Kerberos provides secure authentication to services over an insecure network. Passwords are never sent across the network, encryption keys are never directly exchanged, and the user and the application can authenticate one another.

Many organizations use Kerberos as the base for single sign-on.

Kerberos – Definition of the components

A Kerberos realm is a domain in which a Kerberos authentication server can authenticate a user to a service. You can have multiple realms and you can interconnect them. Within a realm, there are principals.

A principal is a unique identity that is either a user or a service (e.g. application).

A client is a process that accesses a service on behalf of a user. It’s possible to have multiple clients or users within one realm. Basically, these are users that want to access an application.

A service is a resource provided to a client. It can be a file server or an application that a user wants to access. It’s possible to have multiple services that clients can access.

The key distribution center (KDC) is the core of Kerberos. The KDC creates tickets and generates temporary session keys that allow a user to securely authenticate to a service. The KDC stores all the secret symmetric keys for users and services.

There are two servers within the KDC: the authentication server and the ticket-granting server. The authentication server confirms that a known user is making an access request and creates Ticket-Granting Tickets (TGT). The ticket-granting server confirms that a user is making an access request to a known service and issues service tickets.

There’s a huge number of messages sent back and forth between the user, authentication server, ticket-granting server, and the service. At least two messages are sent at almost every step. Some messages are sent in plain text while some are encrypted with a symmetric key.

There are two important types of messages that are worth stressing.

Authenticators are records containing information that can be shown to have been recently generated using the session key known only to the client and the server. Authenticators allow the user to authenticate to the service and the service to authenticate to the user.

Tickets contain most of the information that needs to be passed: the client’s identity, service ID, session key, timestamp, time to live, etc., all encrypted using the server’s secret key.


Kerberos KDC

Kerberos KDC and the communication between a user and a service

  • First, the user sends an unencrypted message to the authentication server basically asking for permission to access some service.
  • The authentication service validates that the request is coming from a known user and generates a ticket-granting ticket (TGT).
  • The TGT is then sent back to the user, along with another message encrypted with the user’s secret key.
  • The user decrypts the message with his or her secret key, then creates some new messages and sends them along with the TGT to the ticket-granting service.
  • The ticket-granting service decrypts the ticket-granting ticket, performs some validation, and generates a service ticket.
  • The service ticket, along with another message, is sent back to the user.
  • The user decrypts the message, creates an authenticator message, and sends the user authenticator and the service ticket to the service.
  • The service does its own decryption and validation, and creates its own final authenticator message.
  • This final authenticator message is sent back to the user. All of these messages allow the user and the server to mutually authenticate each other and securely distribute a symmetric service session key, which allows the user and the service to communicate authentication information securely.
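To make the exchange above concrete, here is an added Python model of the three Kerberos exchanges (user to authentication server, user to ticket-granting server, user to service). It is example code written for this article, not Secfense’s code and not any real Kerberos implementation. It assumes a toy HMAC-based authenticated cipher in place of Kerberos’s AES encryption types, a single made-up realm, and principal names, passwords and lifetimes chosen for the demo. It shows the three properties the text stresses: the password never goes on the wire (only a key derived from it is used locally), tickets are sealed under the service’s secret key, and the final authenticator lets the client confirm the service is genuine. It also shows the checks a verifier makes on an authenticator (freshness and client match), so a replayed authenticator is rejected.

```python
import hashlib
import hmac
import json
import os
import time

# Toy parameters for the demo (not real Kerberos defaults, which are hours and minutes).
TICKET_LIFETIME = 600   # seconds a ticket stays valid
CLOCK_SKEW = 300        # oldest authenticator timestamp a verifier accepts, in seconds


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for Kerberos's AES encryption types."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under a symmetric key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(msg, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(realm: str, user: str, password: str) -> bytes:
    """Long-term user key derived from the password; the password itself never goes on the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 10_000)


def check_authenticator(auth: dict, ticket: dict) -> None:
    """Checks both the TGS and the service perform: ticket unexpired, authenticator fresh, same client."""
    now = time.time()
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator too old: possible replay")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")


class KDC:
    """Authentication server and ticket-granting server over one key database."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {"krbtgt/" + realm: os.urandom(32)}   # the TGS key, used to seal TGTs

    def add_user(self, user: str, password: str) -> None:
        self.keys[user] = password_key(self.realm, user, password)

    def add_service(self, service: str) -> bytes:
        self.keys[service] = os.urandom(32)
        return self.keys[service]

    def as_exchange(self, user: str):
        """AS-REQ is a plaintext user name; AS-REP is a TGT plus a part only the real user can open."""
        session, expires = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        tgt = seal(self.keys["krbtgt/" + self.realm], {"client": user, "session_key": session, "expires": expires})
        return tgt, seal(self.keys[user], {"session_key": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ: TGT + authenticator; TGS-REP: service ticket plus a part sealed under the TGT session key."""
        t = unseal(self.keys["krbtgt/" + self.realm], tgt)
        tgt_session = bytes.fromhex(t["session_key"])
        check_authenticator(unseal(tgt_session, authenticator), t)
        session, expires = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        ticket = seal(self.keys[service], {"client": t["client"], "session_key": session, "expires": expires})
        return ticket, seal(tgt_session, {"service": service, "session_key": session, "expires": expires})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """AP-REQ: ticket + authenticator; AP-REP echoes the timestamp so the client knows the service is genuine."""
        t = unseal(self.key, ticket)                      # only the real service holds this key
        session = bytes.fromhex(t["session_key"])
        auth = unseal(session, authenticator)
        check_authenticator(auth, t)
        return seal(session, {"timestamp": auth["timestamp"]})


def access_service(kdc: KDC, service: Service, user: str, password: str, stale_by: float = 0.0) -> bool:
    """Client side of the three exchanges. True only if the service also authenticated back to the client."""
    try:
        key = password_key(kdc.realm, user, password)
        tgt, enc = kdc.as_exchange(user)
        tgt_session = bytes.fromhex(unseal(key, enc)["session_key"])   # a wrong password fails right here
        ticket, enc2 = kdc.tgs_exchange(tgt, seal(tgt_session, {"client": user, "timestamp": time.time()}), service.name)
        svc_session = bytes.fromhex(unseal(tgt_session, enc2)["session_key"])
        ts = time.time() - stale_by            # stale_by > CLOCK_SKEW simulates replaying an old authenticator
        ap_rep = service.ap_exchange(ticket, seal(svc_session, {"client": user, "timestamp": ts}))
        return unseal(svc_session, ap_rep)["timestamp"] == ts
    except ValueError:                         # wrong key, tampering, expiry or replay: no access
        return False


PASSWORD = "correct horse battery staple"     # constructed demo password


def run_demo() -> dict:
    """Constructed realm with one user and one web service: success, bad password and replay cases."""
    kdc = KDC("EXAMPLE.TEST")
    kdc.add_user("alice", PASSWORD)
    app = Service("HTTP/app.example.test", kdc.add_service("HTTP/app.example.test"))
    return {"alice_mutual_auth": access_service(kdc, app, "alice", PASSWORD),
            "wrong_password_rejected": not access_service(kdc, app, "alice", "guess"),
            "replay_rejected": not access_service(kdc, app, "alice", PASSWORD, stale_by=2 * CLOCK_SKEW)}
```

Running `run_demo()` returns all three flags as True. Two simplifications to keep in mind when comparing with a real deployment: Kerberos v5 adds pre-authentication before the AS-REP is released, which this model omits, and real verifiers also keep a short-term replay cache of seen authenticators rather than relying on the clock-skew window alone.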

Secfense supports Kerberos Authentication

Supporting Kerberos Authentication is something that we have been working on lately. And we are happy to announce that the User Access Security Broker from Secfense now supports Kerberos Authentication as well.

The User Access Security Broker is the core product from Secfense that is meant to deliver any strong authentication method to any application. What differentiates the Secfense broker is that strong authentication mechanisms can be added to any application without making any changes in the application code. In this way, security admins in big organizations can take advantage of Secfense technology and deploy:

  • SMS Authentication
  • The Time-based One-time Password (TOTP) Authentication
  • Universal 2nd Factor (U2F) open authentication standard
  • FIDO2 Web Authentication (WebAuthn)
  • and now also Kerberos Authentication

Secfense’s priority is to become the go-to place when it comes to deploying authentication mechanisms. Our mission is to make it possible for organizations and security administrators to easily strengthen authentication security within the entire company.

The main difference between deploying strong authentication mechanisms with Secfense compared with traditional installations is as follows:

  • Secfense technology never interferes with the protected application’s code. It works separately and doesn’t touch the application code, leaving the application fully independent. The deployment is non-invasive and easy to perform.
  • The User Access Security Broker is not tied to any authentication method. This means that security admins and organizations that decide to use the Secfense broker have full flexibility in which authentication method to choose. After the Secfense tool is deployed, it is for the security admin to decide which method should be used on which application and for which user group.
  • The first two characteristics lead to a third one, which is scalability. Since the User Access Security Broker works independently of the application and the deployment is easy and fast, it can be easily repeated for any number of apps.

This basically means that organizations that decide to take advantage of Secfense technology can use any strong authentication mechanism and deploy it on all applications and all users within the company.

What else should you know about Kerberos Authentication?

Kerberos is extensively used when it’s necessary to enable single sign-on capabilities within an organization. One of the reasons why Kerberos is so popular is that it has been built into MS Windows for over 20 years. Since the Windows 2000 operating system, Kerberos has been the default authentication package.

Kerberos is also natively integrated and supported by plenty of other major operating systems, including Linux and Unix. There are presently two major versions of Kerberos broadly deployed.

Version four was published in the late 80s and has a major security limitation: it only supports DES, the Data Encryption Standard, as its encryption algorithm. DES only supports a 56-bit key, which is not a great option in today’s reality.

Version five is not very recent either. It was first published in 1993, with a revision in 2005. One of the important security improvements in version five is that it supports various types of encryption, and typically the Advanced Encryption Standard (AES) is used as the encryption algorithm, a way better option than DES, its ancestor.

Another significant limitation of both versions of Kerberos is that they only support symmetric cryptography. This leads to major key scaling and distribution problems, especially in a large realm with hundreds or even thousands of systems. The number of keys required grows rapidly, and it can be very challenging to securely distribute all of these keys to the services and the KDC.


There are configurations and implementations of Kerberos that have been made to work with asymmetric (public-key) cryptography to solve the symmetric key problems. But this is not the default, standard version of Kerberos that is natively supported in many operating systems and applications.

Deploying Kerberos Authentication with Secfense

If you are interested in checking what a Kerberos deployment could look like in your organization, or you would like to see how to scale strong authentication mechanisms in your organization, you can go ahead and schedule a discovery call with us. On the call, we can show you a live deployment of strong authentication on a web application and explore the best options of strong authentication for your specific scenario.


Disclaimer: The information about Kerberos authentication was heavily based on an amazing walk-through done by Rob Witcher from the Destination Certification YouTube channel. If you want to learn more about Kerberos or CISSP & CCSP Certification content you should visit and subscribe to Rob’s YouTube channel here.

Antoni takes care of all the marketing content that comes from Secfense.

Testimonials

We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk

CEO

Sandis

We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director

RKKVC

Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away, said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera

Partner

Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT

MPEC S.A.