Kerberos Process.pdf

Kerberos Authentication Process | Ramasamy, Yogeshwaran
1
Important points:
• Each interaction, you’ll receive two messages. One message you can decrypt, another
message you can not.
• The KDC stores all of the secret keys for user machines and services in its database.
Definitions:
✓ KDC – Key Distribution Center
✓ TGT – Ticket Granting Ticket
✓ TGS – Ticket Granting Server
✓ AS- Authentication server
Step 1 : Request for Ticket Granting Ticket – TGT, Client to AS
The client sends a message to the authentication server.
This message contains,
The Authentication Server will check client/username name the KDC database.
Attributes
▪ Username/ID;
▪ Service Name/ID;
▪ IP address;
▪ Requested lifetime of the TGT

2
Step 2: Server sends TGT back to the client
The AS generates a random key called the session key that is to be used between the client/user and
the TGS.
The authentication server then sends back two messages (1 (Message A, B)) to the client
Message -A is encrypted with the client secret key.
The message contains,
Message -B is the Ticket Granting Ticket (TGT), encrypted with the TGS secret key, that contains
Attributes
▪ TGS name
▪ timestamp
▪ lifetime
▪ TGS session key
Attributes
▪ your name
▪ the TGS name
▪ timestamp
▪ User IP address
▪ lifetime
▪ TGS session key (same as in message A).

3
The client now uses the client secret key (Password) to decrypt message A. This gives the client the
TGS Session key.
The client cannot decrypt with message B (the TGT) because client don't know the TGS secret key.
Step 3: Client request for TGS to access a service
The client now prepares two messages (2 (Message C, D)) to be send to the TGS
Message C is an unencrypted message that contains
Message B or the TGT (This message encrypted with TGS Secret Key)
Message D is called User Authenticator encrypted with the TGS session key and contains
Now Client sent these two messages along with TGT to TGS.
Attributes
Service Name/ID;
Requested lifetime for the Ticket
Attributes
Username/ID
timestamp

4

5
Step :4 TGS verifies request
The server first verifies if the requested service(Message-C) exists in the KDC.
If service exists in the KDC, The TGS now extract/read the content of the message B using TGS secret
key.
With this TGS session key, the server is now able to also decrypt the message D

6
The TGS now has Username/ID and a timestamp from message D and a name and timestamp from
message B. The sever will compare both name and timestamp in both values.
Step:5 Server generates service session key
If all checks OK, the server generates a random service session key. It will then send two messages
(3 (Message E, F)) to the client.
Message E: the service ticket that is encrypted with the service secret key and contains
Message F: encrypted with the TGS session key containing
Attributes
Username/ID
service name/ID
timestamp
User IP address
lifetime for Service Ticket
the service session key
Attributes
service name
timestamp
lifetime
service session key.

7
Step:6 Client receives service session key
Client already have TGS session key now decrypt message F.
the client has the TGS session key cached from previous steps it can now decrypt message F.
Client can’t decrypt the Service ticket (message E) because client don’t know the service secret key.

8
Step-7 Client contact service
The client generate the new authenticator message encrypted with the service session key. that
contains
Message G
Attributes
Username/ID
timestamp.

9
Now client send message to service. Message H: the previously received message E, that is still
encrypted with the service secret key
Step-8 Service confirms identity to the client
The service then decrypts the message H (which is the same as message E) with its service secret
key
using the service session key (that was stored in message H/E) to decrypt the authenticator message
G.

10
Step-9 Service verifies request
Compare the username from the authenticator (message G) with the username in the ticket
message H/E);
Compare the timestamp in message G with the timestamp in the ticket (H/E);
Check if the lifetime (message H/E) is expired.
If all checks OK. Service send an Authenticator message (Message-I) to client
Step-10 Service confirms identity to the client
Message I: authenticator message encrypted with the service session key that contains
Attributes
Service name/ID.
timestamp.

11
Step-11 Client receives confirmation
The client then receives the authenticator message (I) and decrypts it’s with the cache service
session key (obtained in step-6-refer)

12
Windows events that you need to log and monitor:
4768 : A TGT was requested
4769 : A service ticket was requested
4770 : a service ticket was renewed
4771 : pre-authentication failed
4772 : authentication ticket request failed
4773 : A service ticket request failed
Reference:
https://www.roguelynn.com/words/explain-like-im-5-kerberos/
https://www.vanimpe.eu/2017/05/26/kerberos-made-easy/
https://www.youtube.com/watch?v=5N242XcKAsM
Additional reference:
https://developpaper.com/ms14-068-cve-2014-6324-use-of-domain-control-rights-and-principle-
analysis/
https://www.secpulse.com/archives/32859.html
Additional Notes:

13

Kerberos Process.pdf

More Related Content

Similar to Kerberos Process.pdf

More from Yogeshwaran R

Recently uploaded

Kerberos Process.pdf