--terms=kerberos

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

Kerberos is the default authentication protocol for Windows domains and many Unix-based systems. It was designed to solve the problem of securely authenticating users over insecure networks without sending passwords in plaintext.

### The Three Heads of Kerberos
Named after the mythical three-headed dog, Kerberos involves three parties:
1. The Client: The user or machine requesting access.
2. The Server: The service being accessed (e.g., a file server or database).
3. The Key Distribution Center (KDC): The trusted third party that issues identity tickets.

### How the Ticket System Works
Instead of a password, a client presents a ticket to a service. The process generally follows these steps:
- AS Request: The client requests a Ticket-Granting Ticket (TGT) from the Authentication Service (AS).
- TGS Request: The client uses the TGT to request a Service Ticket from the Ticket-Granting Service (TGS) for a specific resource.
- Service Request: The client presents the Service Ticket to the target server, which verifies it using a secret it shares with the KDC.

### Advantages of Kerberos
- Mutual Authentication: Both the client and the server verify each other's identity.
- Single Sign-On (SSO): Once a user has a TGT, they can request service tickets for many different resources without re-entering their password.
- Password Security: Passwords are never sent across the network; they are used only locally, to derive the key that protects the initial ticket request.
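The three exchanges above, together with the timestamps and ticket lifetimes the Expert Deep Dive relies on, as an added example that is not part of the original page or of any Kerberos implementation. It models the AS, TGS and AP exchanges end to end with a KDC, a service and a client in plain Python. The realm EXAMPLE.LOCAL, the principals, the password, the ticket lifetime and the HMAC-based encrypt-then-MAC stand-in for Kerberos's AES encryption types are all assumptions made for the example.

```python
"""Toy model of the AS, TGS and AP exchanges (added example, not code from the page
or from any Kerberos implementation). Real Kerberos uses ASN.1 messages and AES-CTS
with HMAC-SHA1 (RFC 4120, RFC 3962); this model substitutes JSON and an HMAC-SHA256
encrypt-then-MAC construction, an assumption made to keep the script dependency-free."""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 600  # ticket validity in seconds (constructed value)
SKEW = 300      # clock skew tolerated for authenticator timestamps (constructed value)

def string_to_key(password: str, salt: str) -> bytes:
    """Derive a long-term key on the host; the password itself never goes on the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first: anything not produced under `key` is rejected before decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _fresh(ts: float) -> None:
    if abs(time.time() - ts) > SKEW:
        raise ValueError("timestamp outside the allowed clock skew")

class KDC:
    """Holds every principal's long-term key; the AS and the TGS are two methods on it."""
    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {f"krbtgt/{realm}": os.urandom(32)}  # the key that protects every TGT

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, self.realm + principal)

    def as_exchange(self, client: str, preauth: bytes) -> tuple:
        """AS-REQ with encrypted-timestamp pre-authentication -> (TGT, part encrypted for the client)."""
        ck = self.keys[client]
        _fresh(unseal(ck, preauth)["ts"])  # only a holder of the password-derived key can produce this
        session, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.keys[f"krbtgt/{self.realm}"], {"client": client, "session": session, "expires": exp})
        return tgt, seal(ck, {"session": session, "expires": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        """TGS-REQ: TGT plus an authenticator under the TGT session key -> (service ticket, enc part)."""
        body = unseal(self.keys[f"krbtgt/{self.realm}"], tgt)
        if time.time() > body["expires"]:
            raise ValueError("TGT expired")
        tgt_session = bytes.fromhex(body["session"])
        auth = unseal(tgt_session, authenticator)
        _fresh(auth["ts"])
        if auth["client"] != body["client"]:
            raise ValueError("authenticator does not match the TGT")
        svc_session, exp = os.urandom(32).hex(), time.time() + LIFETIME
        ticket = seal(self.keys[service], {"client": body["client"], "session": svc_session, "expires": exp})
        return ticket, seal(tgt_session, {"service": service, "session": svc_session})

class Service:
    """A resource server: shares only its own key with the KDC and never sees the user's password."""
    def __init__(self, name: str, kdc: KDC):
        self.name, self.key, self.replay_cache = name, kdc.keys[name], set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> bytes:
        """AP-REQ: verify ticket and authenticator, then answer with an AP-REP the client can verify."""
        body = unseal(self.key, ticket)
        if time.time() > body["expires"]:
            raise ValueError("service ticket expired")
        session = bytes.fromhex(body["session"])
        auth = unseal(session, authenticator)
        _fresh(auth["ts"])
        if auth["client"] != body["client"]:
            raise ValueError("authenticator does not match the ticket")
        if (auth["client"], auth["ts"]) in self.replay_cache:  # identical authenticator seen before
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["ts"]))
        return seal(session, {"ts": auth["ts"]})  # proves the server could read the ticket, i.e. holds its key

def login_and_access(kdc: KDC, svc: Service, user: str, password: str) -> dict:
    """Client side of all three exchanges; returns what the run established."""
    ck = string_to_key(password, kdc.realm + user)
    tgt, enc = kdc.as_exchange(user, seal(ck, {"ts": time.time()}))  # a wrong password fails here
    tgt_session = bytes.fromhex(unseal(ck, enc)["session"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(tgt_session, {"client": user, "ts": time.time()}), svc.name)
    svc_session = bytes.fromhex(unseal(tgt_session, enc2)["session"])
    authenticator = seal(svc_session, {"client": user, "ts": time.time()})
    mutual = "ts" in unseal(svc_session, svc.ap_exchange(ticket, authenticator))  # AP-REP checked by client
    try:
        svc.ap_exchange(ticket, authenticator)  # resend the identical authenticator
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"mutual_auth": mutual, "replay_rejected": replay_rejected}
```

To run it, create a `KDC`, call `register` for a user, put a random 32-byte key for the service name into `kdc.keys`, build a `Service` with that name and call `login_and_access`. The returned dictionary records that the server proved itself (the client could decrypt the AP-REP with the session key) and that the resent authenticator was refused. Note what each party ends up holding: the service never learns the user's key, the KDC never sees the password, and a wrong password fails at the AS because the encrypted timestamp does not verify under the stored key.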



### 🧒 Explain Like I'm 5

🎫 Kerberos is like a high-security theme park ticket system. Instead of showing your ID at every single ride, you show it once at the front gate to get a 'Master Ticket' (TGT). Then, you just show that Master Ticket to get 'Ride Coupons' (Service Tickets) for every ride you want to go on.

### 🤓 Expert Deep Dive

Kerberos relies on symmetric-key cryptography and timestamps to prevent replay attacks: every ticket has a limited lifetime and is encrypted using keys known only to the KDC and the target service. In a Windows environment, the KDC is integrated into the Domain Controller. One critical security consideration is the KRBTGT account, whose NTLM hash is used to sign all TGTs. If an attacker captures this hash, they can perform a Golden Ticket attack, forging TGTs for any user and gaining unlimited persistence. Modern hardening includes transitioning to Kerberos Armoring (FAST) and disabling older, weaker encryption types such as RC4 in favor of AES-256.
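A check a defender can run on the last point, the move from RC4 to AES, as an added example that is not code from the original page. It audits the Ticket Encryption Type reported in Windows 4768 (TGT requested) and 4769 (service ticket requested) events, flattened here to one "Field: value" line per event; the event lines, realm and account names are constructed, and that text layout is an assumption about how the log was exported. The etype numbers are the IANA Kerberos encryption-type registry values (RFC 3961/3962), which is what the Windows field reports.

```python
"""Audit the encryption type of issued Kerberos tickets from Windows event text.

Added example, not code from the original page. Reads 4768/4769 events flattened
to one "Field: value; Field: value" line each (an assumed export format); the
sample lines below are constructed. Etype numbers follow the IANA Kerberos
encryption-type registry (RFC 3961/3962).
"""
import re
from collections import Counter

ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x11: "AES128-CTS-HMAC-SHA1-96",
          0x12: "AES256-CTS-HMAC-SHA1-96", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
WEAK = {0x01, 0x03, 0x17, 0x18}  # DES and RC4 families: the types the hardening advice retires

FIELD = re.compile(r"(Event ID|Account Name|Service Name|Ticket Encryption Type):\s*([^;]+)")

def parse_event(line: str) -> dict:
    """Extract the fields the audit needs; etype becomes an int, or None when the field is absent."""
    ev = {k: v.strip() for k, v in FIELD.findall(line)}
    ev["etype"] = int(ev["Ticket Encryption Type"], 16) if "Ticket Encryption Type" in ev else None
    return ev

def audit(lines) -> tuple:
    """Return (Counter of etype names, list of findings for weak etypes) over 4768/4769 events."""
    counts, findings = Counter(), []
    for line in lines:
        ev = parse_event(line)
        if ev.get("Event ID") not in ("4768", "4769") or ev["etype"] is None:
            continue  # other events carry no ticket etype; skip rather than guess
        name = ETYPES.get(ev["etype"], f"unknown(0x{ev['etype']:x})")
        counts[name] += 1
        if ev["etype"] in WEAK:
            findings.append(f"{ev['Event ID']}: {ev.get('Account Name')} -> "
                            f"{ev.get('Service Name')} ticket issued with {name}")
    return counts, findings

SAMPLE = [  # constructed events, not real telemetry
    "Event ID: 4769; Account Name: alice@EXAMPLE.LOCAL; Service Name: cifs/fileserver; Ticket Encryption Type: 0x12",
    "Event ID: 4769; Account Name: svc-backup@EXAMPLE.LOCAL; Service Name: MSSQLSvc/db01; Ticket Encryption Type: 0x17",
    "Event ID: 4768; Account Name: bob; Service Name: krbtgt; Ticket Encryption Type: 0x12",
    "Event ID: 4769; Account Name: legacy-app@EXAMPLE.LOCAL; Service Name: HTTP/intranet; Ticket Encryption Type: 0x17",
    "Event ID: 4624; Account Name: alice; Logon Type: 3",
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE)
    print(dict(counts))
    print("\n".join(findings))
```

The per-type counts show how far the domain still depends on RC4 before it is disabled, and the findings name the service accounts behind each RC4 ticket. In practice an RC4 service ticket typically means the target account's msDS-SupportedEncryptionTypes still permits RC4 or the account has never had AES keys generated, so those accounts are the ones to fix before RC4 is turned off domain-wide.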
