Kerberos
Kerberos is a ticket-based network authentication protocol that lets nodes prove their identity to one another securely.
Kerberos is the default authentication protocol of Windows domains. It uses tickets to verify user identities without sending passwords over the network.
graph LR
Center["Kerberos"]:::main
Pre_authentication["authentication"]:::pre --> Center
click Pre_authentication "/terms/authentication"
Pre_active_directory["active-directory"]:::pre --> Center
click Pre_active_directory "/terms/active-directory"
Rel_active_directory["active-directory"]:::related -.-> Center
click Rel_active_directory "/terms/active-directory"
classDef main fill:#7c3aed,stroke:#8b5cf6,stroke-width:2px,color:white,font-weight:bold,rx:5,ry:5;
classDef pre fill:#0f172a,stroke:#3b82f6,color:#94a3b8,rx:5,ry:5;
classDef child fill:#0f172a,stroke:#10b981,color:#94a3b8,rx:5,ry:5;
classDef related fill:#0f172a,stroke:#8b5cf6,stroke-dasharray: 5 5,color:#94a3b8,rx:5,ry:5;
linkStyle default stroke:#4b5563,stroke-width:2px;
🧒 Explain it to me like I'm 5
🎫 Kerberos is like a high-security theme park ticket system. Instead of showing your ID at every single ride, you show it once at the front gate to get a 'Master Ticket' (TGT). Then, you just show that Master Ticket to get 'Ride Coupons' (Service Tickets) for every ride you want to go on.
🤓 Expert Deep Dive
Kerberos relies on symmetric-key cryptography and timestamps to prevent Replay Attacks: every ticket has a limited lifetime, is encrypted with a key known only to the KDC and the target service, and must be presented together with an authenticator whose timestamp falls within the allowed clock skew (five minutes by default on Windows). In a Windows environment, the KDC runs on the Domain Controller. One critical security consideration is the KRBTGT account: its secret key (the NT hash when RC4 is in use, AES keys otherwise) encrypts every TGT and signs the PAC inside it. An attacker who obtains that key can perform a Golden Ticket attack, forging TGTs for any user, with any lifetime, that the KDC accepts without ever consulting a password; the persistence survives every password change except KRBTGT's own, so the remediation is to reset the KRBTGT password twice, because the KDC still honours tickets issued under the previous key. Modern hardening includes transitioning to Kerberos Armoring (FAST) and disabling older, weaker encryption types like RC4 in favor of AES-256.
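To make the mechanics above concrete, here is an added, stand-alone Python model of the three exchanges (AS, TGS, AP) with the lifetime, clock-skew and replay checks the paragraph mentions, followed by a forged TGT. It is example code written for this entry, not code from any Kerberos or Microsoft implementation; the realm `CORP.EXAMPLE`, the principals `alice`, `Administrator` and `cifs/fs01`, the passwords, and the HMAC-SHA256 stand-in cipher are all constructed for the demonstration.

```python
"""Toy Kerberos AS / TGS / AP exchange with timestamps, ticket lifetimes, a replay
cache, and a forged ("golden") TGT.  Added illustration, not code from the page; the
cipher is a constructed HMAC-SHA256 stand-in for the real Kerberos encryption types."""
import hashlib, hmac, json, secrets

SKEW = 300  # max accepted clock skew, seconds (5 minutes, the Windows default)

def key_from_password(password: str, salt: str) -> bytes:
    # stand-in for Kerberos string-to-key; the AES etypes really use PBKDF2 too
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a ticket or authenticator: nonce || ciphertext || tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("KRB_AP_ERR_BAD_INTEGRITY: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_auth(auth: dict, ticket: dict, now: float, seen: set) -> None:
    """The authenticator must name the ticket's client, be fresh, and be unseen."""
    if auth["cname"] != ticket["cname"]:
        raise ValueError("KRB_AP_ERR_BADMATCH")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("KRB_AP_ERR_SKEW")
    if ticket["end"] < now:
        raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
    if (auth["cname"], auth["ts"]) in seen:
        raise ValueError("KRB_AP_ERR_REPEAT: replayed authenticator")
    seen.add((auth["cname"], auth["ts"]))

class KDC:
    def __init__(self, realm: str):
        self.realm, self.seen = realm, set()
        self.keys = {"krbtgt": secrets.token_bytes(32)}  # what a golden ticket needs

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = key_from_password(password, self.realm + name)

    def rotate_krbtgt(self) -> None:
        self.keys["krbtgt"] = secrets.token_bytes(32)

    def as_exchange(self, client: str, preauth: bytes, now: float, life: float = 36000):
        # AS-REQ pre-auth: the client's clock sealed under its long-term key
        if abs(now - unseal(self.keys[client], preauth)["ts"]) > SKEW:
            raise ValueError("KDC_ERR_PREAUTH_FAILED")
        sk = secrets.token_hex(16)
        tgt = {"cname": client, "sname": "krbtgt", "key": sk, "end": now + life}
        # AS-REP: the TGT is opaque to the client; the session key is opaque to everyone else
        return seal(self.keys["krbtgt"], tgt), seal(self.keys[client], {"key": sk})

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: float):
        t = unseal(self.keys["krbtgt"], tgt)  # decrypting is the only proof of origin
        check_auth(unseal(bytes.fromhex(t["key"]), auth), t, now, self.seen)
        sk = secrets.token_hex(16)
        st = {"cname": t["cname"], "sname": service, "key": sk, "end": t["end"]}
        return seal(self.keys[service], st), seal(bytes.fromhex(t["key"]), {"key": sk})

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, st: bytes, auth: bytes, now: float) -> str:
        t = unseal(self.key, st)  # only the service (and the KDC) hold this key
        check_auth(unseal(bytes.fromhex(t["key"]), auth), t, now, self.seen)
        return t["cname"]

def authenticator(session_key_hex: str, cname: str, now: float) -> bytes:
    return seal(bytes.fromhex(session_key_hex), {"cname": cname, "ts": now})

def login_and_access(kdc: KDC, svc: Service, user: str, password: str, now: float) -> str:
    """Client side of AS-REQ/REP, TGS-REQ/REP and AP-REQ; returns the identity the service saw."""
    ukey = key_from_password(password, kdc.realm + user)
    tgt, enc = kdc.as_exchange(user, seal(ukey, {"ts": now}), now)
    tgt_key = unseal(ukey, enc)["key"]
    st, enc = kdc.tgs_exchange(tgt, authenticator(tgt_key, user, now + 1), svc.name, now + 1)
    st_key = unseal(bytes.fromhex(tgt_key), enc)["key"]
    return svc.ap_exchange(st, authenticator(st_key, user, now + 2), now + 2)

def golden_ticket(krbtgt_key: bytes, cname: str, now: float) -> tuple:
    """What the krbtgt key lets an attacker mint: any name, any lifetime, no password."""
    sk = secrets.token_hex(16)
    forged = {"cname": cname, "sname": "krbtgt", "key": sk, "end": now + 10 * 365 * 86400}
    return seal(krbtgt_key, forged), sk
```

`login_and_access` is the honest client path and `golden_ticket` the attacker's: a TGT minted for `Administrator`, a name the KDC never enrolled, is accepted by `tgs_exchange` because the only check a KDC can make on a TGT is that it decrypts under the krbtgt key, and it stops working only after `rotate_krbtgt`. A real domain controller also honours the previous krbtgt key, which is why the remediation is two resets with replication allowed to complete between them. The `ValueError` messages mirror the Kerberos error codes a real KDC or service would return for the same conditions.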