Kerberos 

provides a centralized authentication server whose function is to

authenticate users to servers and servers to users. In Kerberos Authentication
server and database is used for client authentication. Kerberos runs as a third-
party trusted server known as the Key Distribution Center (KDC). Each user and
service on the network is a principal. 
The main components of Kerberos are: 
 
 Authentication Server (AS): 
The Authentication Server performs the initial authentication and ticket for
Ticket Granting Service. 
 
 Database: 
The Authentication Server verifies the access rights of users in the database. 
 
 Ticket Granting Server (TGS): 
The Ticket Granting Server issues the ticket for the Server 
 
Kerberos Overview: 
 Step-1: 
User login and request services on the host. Thus user requests for ticket-
granting service. 
 
 Step-2: 
Authentication Server verifies user’s access right using database and then
gives ticket-granting-ticket and session key. Results are encrypted using the
Password of the user. 
 
Step-3: 
The decryption of the message is done using the password then send the ticket to
Ticket Granting Server. The Ticket contains authenticators like user names and
network addresses. 

Step-4: 
Ticket Granting Server decrypts the ticket sent by User and authenticator verifies
the request then creates the ticket for requesting services from the Server. 
 
 

 
 Step-5: 
The user sends the Ticket and Authenticator to the Server. 
 
 Step-6: 
The server verifies the Ticket and authenticators then generate access to the
service. After this User can access the services. 
 Kerberos Limitations

 Each network service must be modified individually  for use with Kerberos
 It doesn’t work well in a timeshare environment
 Secured Kerberos Server
 Requires an always-on Kerberos server
 Stores all passwords are encrypted with a single key
 Assumes workstations are secure
 May result in cascading loss of trust.
 Scalability
Kerberos Authentication
Authentication is the process of verifying the identity of a user or information
so that the receiver can ensure that the message has been sent from a genuine
source or not. 
Kerberos is a Network Authentication Protocol evolved at MIT, which uses an
encryption technique called symmetric key encryption and a key distribution
center.  Although Kerberos is ubiquitous in the digital world, it is widely used in
secure systems based on reliable testing and verification features. Kerberos is
used in Posix authentication, as well as in Active Directory, NFS, and Samba.
And it is another authentication system for SSH, POP, and SMTP.

Kerberos Protocol Flow:

This works on the Client-Server based Model. Kerberos makes use of symmetric
key cryptography and a key distribution center (KDC) to authenticate and verify
consumer identities. The symmetric key used is the same for encryption and
decryption. A KDC is a database of all the secret keys. A KDC entails 3 aspects:
 A ticket-granting server (TGS) that connects the consumer with the service
server (SS).
 A Kerberos database that shops the password and identification of all tested
users.
 An authentication server (AS) that plays the preliminary authentication.
Let’s say we have a user (Client) and We have a server(whose network services
we require). The User must be an Authorised User. 
 The user sends a message to KDC, requesting keys so that the user can
prove its authenticity and access the services of the Network.
 Now AS (Authentication server) in KDC will send the ticket back to the User.
The ticket will be in encrypted form.
 The user will decrypt the message and get the hash code.
 The hash code is again sent back to AS. Now AS will check for Authenticity.
 If the user is authorized, then AS gives a service ticket (Secret Key) to the
Ticket Granting Server.
 TGS gives it to the User.
 Using this Ticket, the client communicates with a server.
Advantages of Kerberos:

 Access Control: The Kerberos authentication protocol permits powerful

access control. Users advantage of a single point for track of all logins and
the enforcement of protection policies.
 
 Mutual Authentication: Kerberos authentication permits carrier structures
and customers to authenticate each other. During all steps of the process,
the user and the server will understand that the counterparts that they may
be interacting with are authentic.

 Limited Ticket Lifetime: Each ticket in Kerberos has timestamps and
lifelong data, and the period of authentication is managed through admins.
 
 Reusable Authentication: Kerberos authentication is durable and reusable.
Each user will effectively be tested through the system once.
 
 Security: Multiple secret keys, third-party authorization, and cryptography
make Kerberos a secure verification protocol. Passwords are not sent over
the networks, and secret keys are encrypted, making it hard for attackers to
impersonate users or services. 

 Performance: With respect to the Performance, Kerberos keeps track of

client information after verification. This means it can do better than NTLM,
especially on large farms. Also, Kerberos can transfer client information from
an end-to-end webserver to other background servers such as SQL Server.
 Password guessing attacks − Password guessing attacks are not solved by
Kerberos. If a user select a poor password, it is applicable for an attacker to
successfully mount an offline dictionary attack by constantly attempting to
decrypt messages acquired which are encrypted under a key changed from the
user's password. The goal is on designing a user authentication protocol that is
not affected to password guessing attacks. The main objective is to delete this
password guessing attack.
 KDC spoofing − This define an attack which based essentially on the capability
to spoof KDC responses. It is keeping in mind the Kerberos protocol definition,
spoofing KDC response should not be a security concern. Indeed, Kerberos has
been create to bear an untrusted network.
IP spoofing is something that appears on untrusted networks. Kerberos protocol
implements mutual authentication. End user's and server's identities required to
be proven. This provides protection against Man-in-the-Middle attacks.

 Compromise of the KDC Server − KDCs supports an encrypted database of

some principals/verifiers (i.e., users and servers) and their secret keys. If the
security of the KDC is compromised, the security of the whole network is
compromised even though the principal keys are saved in an encrypted form
using the master key; the master key itself is saved in the KDC.
An attacker can gain control of the whole network, can make or change any
principal‘s credentials. It can avoid such attack, supports the security of the KDC
and defined the access to KDC to limited personnel.

 Compromise of a verifier/server − If the security of the server is compromised,

some services on that server is compromised. The attacker will be capable to
impersonate some service running on the server and decrypt some
communication between the service and a client/principal. The security of the
services running on a server is based upon the security of the server. Security
measures of servers shall be proportional to cost of the services and resources
saved on that server.
X.509 Authntication Service
X.509 is a digital certificate that is built on top of a widely trusted standard
known as ITU or International Telecommunication Union X.509 standard, in
which the format of PKI certificates is defined. X.509 digital certificate is a
certificate-based authentication security framework that can be used for
providing secure transaction processing and private information. These are
primarily used for handling the security and identity in computer networking
and internet-based communications.

Working of X.509 Authentication Service Certificate:

The core of the X.509 authentication service is the public key certificate
connected to each user. These user certificates are assumed to be produced by
some trusted certification authority and positioned in the directory by the user
or the certified authority. These directory servers are only used for providing an
effortless reachable location for all users so that they can acquire certificates.
X.509 standard is built on an IDL known as ASN.1. With the help of Abstract
Syntax Notation, the X.509 certificate format uses an associated public and
private key pair for encrypting and decrypting a message.
Once an X.509 certificate is provided to a user by the certified authority, that
certificate is attached to it like an identity card. The chances of someone
stealing it or losing it are less, unlike other unsecured passwords. With the help
of this analogy, it is easier to imagine how this authentication works: the
certificate is basically presented like an identity at the resource that requires
authentication.
Format of X.509 Authentication Service Certificate:
Generally, the certificate includes the elements given below:
 Version number: It defines the X.509 version that concerns the certificate.
 Serial number: It is the unique number that the certified authority issues.
 Signature Algorithm Identifier: This is the algorithm that is used for
signing the certificate.
 Issuer name: Tells about the X.500 name of the certified authority which
signed and created the certificate.
 Period of Validity: It defines the period for which the certificate is valid.
 Subject Name: Tells about the name of the user to whom this certificate has
been issued.
 Subject’s public key information:  It defines the subject’s public key along
with an identifier of the algorithm for which this key is supposed to be used.
 Extension block: This field contains additional standard information.
 Signature: This field contains the hash code of all other fields which is
encrypted by the certified authority private key.
Applications of X.509 Authentication Service Certificate:
Many protocols depend on X.509 and it has many applications, some of them
are given below:
 Document signing and Digital signature
 Web server security with the help of Transport Layer Security (TLS)/Secure
Sockets Layer (SSL)  certificates
 Email certificates
 Code signing
 Secure Shell Protocol (SSH) keys
 Digital Identities