Delve into Kerberos fundamentals, exploring network security, authentication, authorization, and auditing. Gain hands-on practice in creating principals, requesting tickets, and mitigating protocol-specific attacks.

data.tar.gz

Kerberos is an essential part of any tech stack. It helps mitigate cyber attacks by providing strong authentication for client/server applications by using secret-key cryptography.

In this course, you will cover the basics of network security including: authentication, authorization, and auditing. You will also learn the fundamental concepts of Kerberos such as Key Distribution Center (KDC), Principals, and Ticketing.

Towards the end of this course, you will explore common attacks that are specific to the protocol and how Kerberos works to triage them. Lastly, you will get some hands-on practice with Kerberos where you’ll work to create a principal and request a Ticket-Granting Ticket from an Authentication Server.

By the time you’re done, you will have picked up a new in-demand skill that will allow you to better protect your data.

Kerberos for Beginners: Intro to Network Authentication Protocol

Now let's look at the exchanges that happen among the various players involved in a Kerberos system. Say you want to communicate with a service (the friend from the analogy in the previous lesson), but need to prove your identity to the Authentication Server first (the oracle from the analogy). Once you have proven your identity to the Authentication Server, you can request a ticket from the Ticket Granting Server (the postman) to communicate with the desired service (the friend from the analogy). The ordered list of interactions is as follows: 

1. The Authentication Server (AS) has a copy of the cryptographic key generated from your password and also the key for the Ticket Granting Service (TGS).


2. You send a message to the AS in clear text (without any encryption) requesting a ticket granting ticket (TGT). The message contains the identity of the client (you), the principal name of TGS, and the client's local time. The first message sent from the client to KDC is called __AS_REQ__. The AS has a copy of your cryptographic key (the red key from the analogy). It generates a random key (the green key from the analogy) to be used between you and the TGS for future communication, also known as the __session key__. This generated session key is encrypted using your key (the red key) and sent back to you. Additionally, the AS also creates a message for the TGS by placing the session (green) key and your (client) identity in a message and encrypting it with the (yellow) key of the TGS. This second message is intended for the    TGS and will be sent by the client (you) to the TGS when requesting a service ticket. This message is the Ticket Granting Ticket. The TGT also contains the client identity (you) that can't be tampered with since the TGT is encrypted with TGS's long-term key. Together, the two messages are known as __AS_REP__ and sent back to the client from the AS. From the analogy in the previous lesson, the TGT can be mapped to the box that was locked with the postman's key and sent to you by the oracle.


This lesson explains the interactions of the various entities in the Kerberos protocol.

Theory

Practice

Quiz

Protocol: Kerberos