Kerberos

Kerberos is a network authentication protocol that uses tickets to let nodes communicating over a non-secure network prove their identities to one another securely.


Kerberos is the standard authentication protocol for Windows domains. It uses a ticket system to verify a user's identity without ever sending the password across the network.

Prerequisite terms: authentication, active-directory
Related terms: active-directory

🧒 Explained like you're five

🎫 Kerberos is like a high-security theme park ticket system. Instead of showing your ID at every single ride, you show it once at the front gate to get a 'Master Ticket' (TGT). Then, you just show that Master Ticket to get 'Ride Coupons' (Service Tickets) for every ride you want to go on.

🤓 Expert Deep Dive

Kerberos relies on symmetric-key cryptography and timestamps to prevent replay attacks. Every ticket has a limited lifetime and is encrypted with a key known only to the KDC and the target service. In a Windows environment the KDC runs on the Domain Controller. One critical security consideration is the KRBTGT account, whose key (its NT hash for RC4, or its AES keys) encrypts and integrity-protects every TGT the domain issues. If an attacker obtains that key, they can perform a Golden Ticket attack: forging TGTs for any user and gaining effectively unlimited persistence. Modern hardening includes enabling Kerberos Armoring (FAST, Flexible Authentication Secure Tunneling) and disabling older, weaker encryption types such as RC4 in favor of AES-256.
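The following is an added worked example, not code from the page or from any Kerberos implementation. It models the three exchanges described above (AS: get a TGT; TGS: get a service ticket; AP: present it to a service) and the checks a service and KDC perform: ticket integrity under the right key, lifetime, clock skew, and an authenticator replay cache. The "encryption" is a toy SHA-256 keystream plus HMAC tag standing in for Kerberos' AES-CTS+HMAC encryption types; the principal names, passwords, salts and the 10-hour / 5-minute constants are constructed values chosen to mirror Active Directory defaults.

```python
"""Toy model of the Kerberos ticket flow. Added example; crypto is a stand-in for AES-CTS+HMAC."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300            # seconds; AD's default clock-skew tolerance is 5 minutes
TGT_LIFETIME = 10 * 3600  # seconds; AD's default TGT lifetime is 10 hours


def derive_key(password: str, salt: str) -> bytes:
    """Toy long-term key from a password (AES etypes use PBKDF2; RC4 uses the NT hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: keystream XOR then HMAC over nonce+ciphertext."""
    nonce, pt = os.urandom(16), json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. A wrong key or any tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def authenticator(session_hex: str, user: str, now: int) -> bytes:
    """Client-side proof of session-key possession: fresh timestamp + nonce under the session key."""
    return seal(bytes.fromhex(session_hex), {"user": user, "timestamp": now, "nonce": os.urandom(8).hex()})


def _check_auth(session_hex: str, blob: bytes, expected_user: str, now: int) -> dict:
    auth = unseal(bytes.fromhex(session_hex), blob)
    if abs(now - auth["timestamp"]) > MAX_SKEW or auth["user"] != expected_user:
        raise ValueError("bad authenticator")
    return auth


class KDC:
    """Key Distribution Center: holds every principal's long-term key; "krbtgt" seals all TGTs."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, user: str, preauth: bytes, now: int):
        """AS-REQ -> AS-REP. Pre-auth proves the user knows their key without sending it."""
        ts = unseal(self.keys[user], preauth)["timestamp"]  # raises under the wrong user key
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("pre-auth timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session, "expires": now + TGT_LIFETIME})
        return tgt, seal(self.keys[user], {"session": session})

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: int):
        """TGS-REQ -> TGS-REP. The TGT is trusted only because it verifies under krbtgt's key."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        _check_auth(t["session"], auth, t["user"], now)
        svc_session = os.urandom(32).hex()
        st = seal(self.keys[service], {"user": t["user"], "session": svc_session, "expires": now + TGT_LIFETIME})
        return st, seal(bytes.fromhex(t["session"]), {"session": svc_session})


class Service:
    """An application server: never contacts the KDC, needs only its own long-term key."""
    def __init__(self, key: bytes):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket: bytes, auth: bytes, now: int) -> str:
        """AP-REQ: verify ticket, check lifetime and freshness, reject replays; return the user."""
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("service ticket expired")
        a = _check_auth(t["session"], auth, t["user"], now)
        seen = (a["user"], a["timestamp"], a["nonce"])
        if seen in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(seen)
        return t["user"]


def demo(now: int = None) -> dict:
    """Run the happy path plus three rejections; returns a label -> outcome map."""
    now = int(time.time()) if now is None else now
    keys = {"krbtgt": derive_key("krbtgt-secret", "REALM.krbtgt"),          # constructed values
            "alice": derive_key("alice-pw", "REALM.alice"),
            "cifs/fs01": derive_key("fs01-svc-pw", "REALM.cifs/fs01")}
    kdc, fs = KDC(keys), Service(keys["cifs/fs01"])
    tgt, enc = kdc.as_exchange("alice", seal(keys["alice"], {"timestamp": now}), now)
    tgt_session = unseal(keys["alice"], enc)["session"]
    st, enc2 = kdc.tgs_exchange(tgt, authenticator(tgt_session, "alice", now), "cifs/fs01", now)
    st_session = unseal(bytes.fromhex(tgt_session), enc2)["session"]
    ap = authenticator(st_session, "alice", now)
    results = {"login": fs.ap_exchange(st, ap, now)}
    later = now + TGT_LIFETIME + 1
    not_krbtgt = seal(derive_key("other", "x"), {"user": "alice", "session": tgt_session, "expires": later})
    for label, fn in [("replay", lambda: fs.ap_exchange(st, ap, now)),
                      ("expired", lambda: fs.ap_exchange(st, authenticator(st_session, "alice", later), later)),
                      ("tgt_under_other_key", lambda: kdc.tgs_exchange(
                          not_krbtgt, authenticator(tgt_session, "alice", now), "cifs/fs01", now))]:
        try:
            fn(); results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The last case is the defensive side of the krbtgt point above: a TGT sealed under any key other than krbtgt's fails the integrity check before the KDC reads a single field, which is exactly why the secrecy of that one key carries the whole domain. Real deployments also log these rejections (Windows event 4768/4769 failures and 4771 pre-auth failures) so that skew, expiry and replay anomalies are visible to the SOC.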

🔗 Related terms

📚 Sources