The present invention, in some embodiments thereof, relates to enabling privileged client access to a target service, and, more specifically, but not exclusively, to enabling privileged client access to a target service in a Kerberos-enabled network.
The Kerberos protocol is well known and widely used for authentication in computer networks. Kerberos is aimed at a client-server model, and operates on the basis of ‘tickets’ which allow nodes communicating over a non-secure network to authenticate their identity to one another in a secure manner.
Kerberos authentication usually employs three parties—client, target service (a “service principal” in Kerberos terminology, where every named party, the client included, is a principal) and a third party which enables the target service and, optionally, the client to authenticate each other. In Kerberos, the third party usually combines the functionalities of an Authentication Service (AS), a Key Distribution Center (KDC) and a Ticket-Granting Service (TGS).
Reference is now made to FIG. 1, which is a simplified diagram of the three-step Kerberos authentication process. Kerberos system 102 includes the functionalities of AS 102.1, KDC 102.2 and TGS 102.3.
A) Authentication Service Exchange—client 101 authenticates itself to AS 102.1, which forwards the client principal name to KDC 102.2. KDC 102.2 then issues a Ticket Granting Ticket (TGT) to client 101. This step includes two main transactions:
i) KRB_AS_REQ—client 101 authenticates to AS 102.1; the request names the client principal and, where pre-authentication is required, carries a timestamp encrypted under the client's long-term (password-derived) key; and
ii) KRB_AS_REP—KDC 102.2 provides a TGT to client 101, encrypted under the TGS key, together with a TGS session key encrypted under the client's long-term key.
B) Ticket-Granting Service (TGS) Exchange—client 101 requests KDC 102.2 to provide a service ticket (ST) for a specific target service. The client authenticates itself to the TGS with the TGT and an authenticator (the client name and a fresh timestamp, encrypted under the TGS session key) and receives the requested ST. This step includes two main transactions:
i) KRB_TGS_REQ—client 101 provides the TGT and authenticator to TGS 102.3 and requests an ST for target service 103; and
ii) KRB_TGS_REP—TGS 102.3 provides an ST to client 101, encrypted under the target service's key, together with a service session key encrypted under the TGS session key.
C) Client/Server (CS) Exchange—client 101 sends the ST to target service 103 and target service 103 grants access. Two main steps are:
i) KRB_AP_REQ—client 101 sends the access request, including the ST and an authenticator encrypted under the service session key, to target service 103; and
ii) KRB_AP_REP—used for authenticating target service 103 to client 101 (optional mutual authentication; the service proves it could decrypt the authenticator).
In summary, client 101 provides authentication credentials to Kerberos system 102 and after a multi-step interaction receives an ST from Kerberos system 102. The ST authenticates client 101 to target service 103, thereby enabling client 101 to access the target service. One disadvantage of the Kerberos system is that the client machines hold the material needed to complete every step: the user's password-derived key and the cached TGT and STs together with their session keys. An attacker who compromises a client machine can copy these credentials and replay the cached tickets from elsewhere, since neither the KDC nor the target service checks anything beyond the ticket, its session key and a fresh authenticator, and thus gain access to the target system.
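The following is an added example, not code from the patent or from any Kerberos implementation. It simulates the three exchanges of steps A, B and C (AS, TGS and AP) with both sides' messages, then demonstrates the disadvantage described above: a credential cache copied from the client is enough to obtain a new ST and access the service without the password, whereas the TGT blob alone, without its session key, is not. The encryption is a toy encrypt-then-MAC construction standing in for Kerberos encryption types, the realm name EXAMPLE.COM, the principals alice, krbtgt and http/web, and all keys and passwords are constructed for the example.

```python
import hashlib, hmac, json, os, time

# Toy encryption: HMAC-SHA256 keystream + encrypt-then-MAC. Stands in for the
# real Kerberos encryption types (e.g. aes256-cts-hmac-sha1-96); not for production.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Encrypt a JSON-serialisable dict under a 32-byte key; returns nonce||ct||tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):          # stand-in for the Kerberos string-to-key function
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.COM", 10000)

SKEW, LIFETIME = 300, 3600            # seconds; assumed values

def _check(ticket, auth):
    """Ticket unexpired; authenticator fresh and naming the same client as the ticket."""
    now = time.time()
    if now > ticket["exp"]: raise ValueError("ticket expired")
    if auth["cname"] != ticket["cname"]: raise ValueError("authenticator/ticket mismatch")
    if abs(now - auth["ts"]) > SKEW: raise ValueError("authenticator stale")

def make_authenticator(session_key_hex, cname):
    return encrypt(bytes.fromhex(session_key_hex), {"cname": cname, "ts": time.time()})

class KDC:
    """AS and TGS in one: holds every principal's long-term key, including krbtgt's."""
    def __init__(self, keys): self.keys = keys

    def as_exchange(self, cname, preauth):              # KRB_AS_REQ -> KRB_AS_REP
        ck = self.keys[cname]                             # fails the MAC if the client key is wrong
        if abs(time.time() - decrypt(ck, preauth)["ts"]) > SKEW:
            raise ValueError("pre-authentication timestamp stale")
        sk, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = encrypt(self.keys["krbtgt"], {"cname": cname, "key": sk, "exp": exp})
        return tgt, encrypt(ck, {"key": sk, "exp": exp})

    def tgs_exchange(self, tgt, authenticator, sname):    # KRB_TGS_REQ -> KRB_TGS_REP
        t = decrypt(self.keys["krbtgt"], tgt)             # only the krbtgt key is consulted here
        _check(t, decrypt(bytes.fromhex(t["key"]), authenticator))
        sk, exp = os.urandom(32).hex(), time.time() + LIFETIME
        st = encrypt(self.keys[sname], {"cname": t["cname"], "key": sk, "exp": exp})
        return st, encrypt(bytes.fromhex(t["key"]), {"key": sk, "exp": exp})

class Service:
    def __init__(self, name, key): self.name, self.key = name, key

    def ap_exchange(self, st, authenticator):             # KRB_AP_REQ -> KRB_AP_REP
        t = decrypt(self.key, st)
        a = decrypt(bytes.fromhex(t["key"]), authenticator)
        _check(t, a)
        return t["cname"], encrypt(bytes.fromhex(t["key"]), {"ts": a["ts"]})

def build_realm():
    keys = {"alice": string_to_key("correct horse"), "krbtgt": os.urandom(32),
            "http/web": os.urandom(32)}
    return KDC(keys), Service("http/web", keys["http/web"])

def client_login(kdc, cname, password):
    """Step A. Returns the client's credential cache: TGT plus TGS session key."""
    ck = string_to_key(password)
    tgt, enc = kdc.as_exchange(cname, encrypt(ck, {"ts": time.time()}))
    return {"cname": cname, "tgt": tgt, "tgs_key": decrypt(ck, enc)["key"]}

def client_access(kdc, service, ccache):
    """Steps B and C, driven purely from the credential cache (no password needed)."""
    auth = make_authenticator(ccache["tgs_key"], ccache["cname"])
    st, enc = kdc.tgs_exchange(ccache["tgt"], auth, service.name)
    svc_key = decrypt(bytes.fromhex(ccache["tgs_key"]), enc)["key"]
    who, ap_rep = service.ap_exchange(st, make_authenticator(svc_key, ccache["cname"]))
    decrypt(bytes.fromhex(svc_key), ap_rep)               # client verifies KRB_AP_REP
    return who

def pass_the_ticket(kdc, service, stolen_ccache):
    """Attacker replays a copied credential cache from another machine."""
    return client_access(kdc, service, stolen_ccache)

def tgt_without_session_key(kdc, service, ccache):
    """TGT blob alone: the authenticator fails the MAC at the TGS. Returns True if rejected."""
    try:
        client_access(kdc, service, dict(ccache, tgs_key=os.urandom(32).hex())); return False
    except ValueError:
        return True

def wrong_password_rejected(kdc):
    try:
        client_login(kdc, "alice", "wrong password"); return False
    except ValueError:
        return True
```

`client_access` never touches the password: everything the TGS and the service verify is derivable from the cache, which is exactly why a copied cache is as good as the user's logon until the tickets expire. The KDC's `tgs_exchange` deliberately consults only the krbtgt key, mirroring the real protocol.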