
Kerberos and Biometrics: Guarding the Gates of Windows

Most people in the technology world have heard of Kerberos. Windows Active Directory domains use the Kerberos protocol to allow single sign-on access to network services.

Kerberos didn’t just appear on the scene one day. It evolved out of Project Athena, a huge technology effort in the 1980s by the Massachusetts Institute of Technology (MIT), IBM, and Digital Equipment Corporation to establish a secure and robust distributed computing environment for campuses.

While Project Athena services like Hesiod, X-Windows, Kerberos, and Zephyr still thrive at MIT, their use as a total solution has dwindled to niche usage. But important and useful technologies developed in programs like Project Athena often take on a life of their own. Beyond Project Athena, Kerberos has withstood the test of time and is a widely used security protocol in computer networks.

Guarding the Gates

Kerberos derives from the Greek mythological beast Cerberus, a terrible three-headed dog who guarded the gates of Hades to keep the dead from escaping. Hades wasn’t all bad, and not everyone wanted to leave. After the judgment, the virtuous passed on to the beautiful and peaceful realm of Elysium for their happily ever after. The indifferent were sent to the Fields of Asphodel, which were mildly boring but tolerable. The evil were condemned to Tartarus, a dark place of horrible punishments. These are the ones who desperately wanted to escape, but Cerberus stood in their way.

Much like its namesake, Kerberos acted as a guardian in earlier Windows implementations: the client requested a ticket granting ticket (TGT) for the user, and the user proved his identity by successfully decrypting the TGT using the password hash and returning evidence to a key distribution center (KDC). In response, the KDC returned a ticket the user could present to access network services.

Modern Windows systems use two-factor smart card login built on top of the Kerberos protocol. Smart card login supports various credential providers like smart cards, username and password, and biometric sign-in.

Entering the Elysian Fields with Biometrics

VeridiumID acts as the biometric credential provider for smart card-based Windows login. When VeridiumAD authentication completes, it returns a Veridium identity token that asserts the identity of the person who authenticated. The VeridiumAD infrastructure includes a registration authority (RA) module to help in the issuance of certificates. The Windows credential provider (CP) sends the Veridium identity token to the RA, which obtains a smart card-compatible certificate for the user by generating a certificate signing request and sending it to the PKI. The Windows CP presents this certificate to Active Directory to authenticate and obtain a user session.
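As an added example that is not Veridium's code, here is a Go sketch of the registration authority step in the flow above: the RA checks the identity token's signature against the trusted authentication server key before it builds the certificate signing request, and it takes the certificate subject from the token rather than from the client. The token layout, the use of ECDSA keys, and the function names are assumptions; the page does not describe the real token format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// IdentityToken is a constructed stand-in for the Veridium identity token (the page does
// not describe the real format): an asserted UPN plus an ECDSA signature over sha256(UPN).
type IdentityToken struct {
	UPN string
	Sig []byte
}

// IssueToken models the authentication side producing a token after a successful match.
func IssueToken(authKey *ecdsa.PrivateKey, upn string) (IdentityToken, error) {
	h := sha256.Sum256([]byte(upn))
	sig, err := ecdsa.SignASN1(rand.Reader, authKey, h[:])
	if err != nil {
		return IdentityToken{}, err
	}
	return IdentityToken{UPN: upn, Sig: sig}, nil
}

// RABuildCSR models the registration authority: it builds a certificate request only if the
// token verifies against the trusted authentication key, and binds the CSR subject to the asserted identity.
func RABuildCSR(trusted *ecdsa.PublicKey, tok IdentityToken, userKey *ecdsa.PrivateKey) (*x509.CertificateRequest, error) {
	h := sha256.Sum256([]byte(tok.UPN))
	if !ecdsa.VerifyASN1(trusted, h[:], tok.Sig) {
		return nil, fmt.Errorf("identity token for %q rejected: signature does not verify", tok.UPN)
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: tok.UPN}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, userKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	authKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := IssueToken(authKey, "alice@example.com") // constructed sample identity
	csr, err := RABuildCSR(&authKey.PublicKey, tok, userKey)
	fmt.Println(csr.Subject.CommonName, err)
}
```

A token signed by any key other than the trusted one, or a token whose UPN was altered after signing, is refused before any request reaches the PKI.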


Kerberos might not be directly visible under the covers as it is in our depiction. But like Cerberus, it is there standing guard at the gates.
