6

I recently got interested about Kerberos and Radius, and I already found some information about their difference. But, I got curious about how secure Kerberos actually is.

I see from the official website of Kerberos, that it is still highly maintained, and it has new version issued. Though, I have the following questions:

  1. How often is Kerberos used? I want to know how prevalent it is in practice.
  2. How secure is Kerberos?
  3. What are some security best practices when it comes to Kerberos? I mean how can one use it securely?
typos
  • 473
  • 1
  • 7
  • 11
  • 2
    "How secure" is impossible to answer without context or scope. How often it is used? I think you skipped doing any research on this one. Windows uses it by default. So, let's call it very prevalent. – schroeder Oct 09 '16 at 14:27
  • @schroeder Yes, I know some earlier Windows Server versions used to use it. But, I didn't know that it is still used. And how "secure", I mean are there any attacks or stuff that make the protocol completely (or partially) useless? – typos Oct 09 '16 at 14:36
  • can you update your question with these details? – schroeder Oct 09 '16 at 15:07
  • https://technet.microsoft.com/en-us/itpro/windows/keep-secure/kerberos-policy – schroeder Oct 09 '16 at 15:08

3 Answers3

4

  1. Kerberos is still used widely in Windows server and clients are included in all major OS's.

  2. I would have to speculate to answer this really. All I can say is that, for it to have survived so long, it can't be all bad. It is, of course, limited mainly to private networks since both the server and the clients all have to trust the Kerberos server. This makes it unsuited to web-based developments.

  3. Sorry, not a Kerberos expert so I can't really help here. All I can say is that a quick Google search brought up some promising articles.

Julian Knight
  • 7,092
  • 17
  • 23
  • This is a non-answer, especially for 2. – Michael Ströder Mar 30 '19 at 10:47
  • @MichaelStröder thanks for your response though 4 other people seem to disagree. Rather than a single negative comment that doesn't help anyone, perhaps it would be better if you explained - or even better, provided your own answer. The reason I provided an answer at all - even though it was less than I would have preferred - was that, at the time, nobody else had provided anything. Indeed no other answer was provided until this March, 2 1/2 years later. – Julian Knight Apr 09 '19 at 13:22
0

Quoting from the MIT Kerberos Consortium (Copyright Notice,© 2008):

"The Kerberos developers assumed that anyone could eavesdrop on network traffic, could claim to be any user, and could set up rogue servers capable of posing as any legitimate service, including the Kerberos services themselves. Encryption was used to prevent eavesdropping attacks, and session keys were introduced along with timestamps to prevent replay attacks."

To securely use Kerberos, standard security applies. Make sure passwords are strong and the Kerberos servers well protected by disabling services ideally providing Kerebos services only, and be sure to keep up with operating system and security updates. Firewalls and physical access to the server also ought to be considered. Finally, and assuming you use NTP (network time protocol), make sure NTP is secure on the kerboros server and clients.

Michael T
  • 11
  • 1
  • Welcome Michael. I feel your response does add a point about the attacker model, the designers of kerberos had in mind, but apart from that, your answer does not really answer the question. Maybe you could get more to the point? – Euphrasius von der Hummelwiese Mar 29 '19 at 06:26
  • Hi Euphrasius, thank you for welcoming me. I think you are right. The response is overly long. The next to ht last paraagraph really speaks to the question, so perhaps the rest can be dropped. It occurred to me after writing this last night, I should include that b/c kereboros is dependent that on time synchronization, steps have to be taken to secure NTP. – Michael T Mar 30 '19 at 17:18
-2

In earlier version of Windows Microsoft used NTLM authentication and then they added Kerberos authentication from Windows 2000 onward. NTLM is still supported and offered by newer Windows O/S.

In general Kereberos is most popular authentication for Directory Services, it is safe, but as with any authentication protocol it has its own security challenges. Attackers can steal Ticket Granting Ticket (TGT) and perform lateral movement resulting into remote execution, domain escalation, and even Domain Dominance. It might seem scary, but is true. You may see these attacks in my YouTube video for Azure ATP at https://www.youtube.com/watch?v=XarWjtK9ONM&t=2875s

Atul Raizada
  • 1
  • SO is not a platform to promote personal contents. Contents are accepted only if it strictly contributes to the answer. This doesn't answer the question properly – Anonymous Platypus Nov 21 '19 at 11:20