Kerberos and NTLM, two prominent encryption methods, differ fundamentally in their approach to authentication and security. While Kerberos employs a robust third-party authentication system with ticket-based access, NTLM relies on a challenge-response mechanism and hashing techniques. These essential differences impact their strengths, vulnerabilities, and suitability for various security scenarios.

This article examines both protocols, what they are, how they work, and which situations they’re best suited for. 

What Is an Encryption Protocol?

An encryption protocol is a set of rules and algorithms designed to secure digital communication and protect sensitive information from unauthorized access. Encryption protocols use cryptographic techniques to transform data into a secure and unreadable format, making it challenging for unauthorized parties to intercept or manipulate the information. 

These protocols play a crucial role in ensuring the confidentiality and integrity of data during transmission or storage, forming the foundation of secure communication in various computing environments. Encryption protocols are essential components of cybersecurity, providing a framework for secure data exchange and helping safeguard against potential cyber threats and data breaches.

What Is Kerberos and How Does It Work?

Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT) that facilitates secure communication and authentication in a distributed computing environment. Named after the three-headed dog that guards the entrance to the underworld in Greek mythology, Kerberos aims to guard against unauthorized access to network resources. 

Kerberos is commonly used in enterprise environments and integrated into various operating systems, including Windows and Unix-based systems, to establish secure authentication and communication within networks. 

Kerberos works via:

  • Mutual authentication: Both the client and the server authenticate each other, ensuring a secure and trusted connection.
  • A ticket-based system: Instead of transmitting sensitive credentials, Kerberos uses tickets. Upon successful authentication, a client receives a ticket from a key distribution center (KDC), which can be presented to access specific services without sending the password again.
  • Single sign-on (SSO): Kerberos supports single sign-on, allowing users to authenticate once and access multiple services without repeatedly entering credentials.
  • Third-party authentication: Kerberos uses a trusted third party (the KDC) for authentication, enhancing security in distributed systems.
  • Encrypted communication: Kerberos ensures that all communication, including the exchange of tickets, is encrypted, preventing eavesdropping and unauthorized access.

What Is NTLM and How Does It Work?

NTLM, which stands for NT LAN Manager, is a suite of security protocols developed by Microsoft to provide authentication, integrity, and confidentiality within Windows networks. NTLM is primarily used for user authentication on Windows-based systems and is succeeded by more secure protocols like Kerberos in modern environments. 

NTLM operates on a challenge-response mechanism and involves several steps:

  • Negotiation: When a client attempts to connect to a server, the two parties negotiate the NTLM protocol version and capabilities.
  • NTLM challenge: The server responds to the client with a random value known as the challenge. This challenge is a unique piece of data generated by the server for that specific authentication session.
  • Client response – NTLMv1: In NTLMv1, the client hashes the user’s password along with the challenge to create a response. This response is sent to the server.
  • Client response – NTLMv2: In NTLMv2, a more secure version, the client includes additional information such as the username and a timestamp along with the hashed password and challenge. This enhances the security of the authentication process.
  • Server verification: The server receives the client’s response and verifies it by hashing the stored password and the challenge using the same method as the client.
  • Session key generation: If the verification is successful, a session key is generated. This session key can be used to encrypt further communication between the client and server for the duration of that session.

While NTLM served as a standard authentication protocol in Windows environments, it has some security vulnerabilities, especially when compared to more modern protocols like Kerberos. NTLM’s reliance on hashing passwords and the absence of mutual authentication are among the factors that make it less secure than contemporary alternatives. 

Conclusion: Kerberos vs. NTLM

Kerberos and NTLM differ significantly in their approaches, features, and security mechanisms. Kerberos’s use of mutual authentication, single sign-on, tickets, and encryption makes it more secure than NTLM. With its robust security features, Kerberos is a much better fit for large-scale enterprise environments. NTLM, being susceptible to password hashing and salting, is generally only good for legacy systems or Windows-centric environments. 

Kerberos is only one part of a modern data storage solution. Pure Storage® FlashBlade®, which uses NFS v4.1 Kerberos, provides modern data storage that enables enterprises to easily share data across applications and workloads. 

Learn more about FlashBlade