Kerberos

Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.


Kerberos is the default authentication protocol for Windows domains. It uses a ticket system to verify a user's identity without sending passwords over the network.


🧒 Explain it like I'm 5

🎫 Kerberos is like a high-security theme park ticket system. Instead of showing your ID at every single ride, you show it once at the front gate to get a 'Master Ticket' (TGT). Then, you just show that Master Ticket to get 'Ride Coupons' (Service Tickets) for every ride you want to go on.

🤓 Expert Deep Dive

Kerberos relies on symmetric key cryptography and timestamps to prevent Replay Attacks. Every ticket has a limited lifetime and is encrypted using keys known only to the KDC and the target service. In a Windows environment, the KDC is integrated into the Domain Controller. One critical security consideration is the KRBTGT account, whose NTLM hash is used to sign all TGTs. If an attacker captures this hash, they can perform a Golden Ticket attack, allowing them to forge TGTs for any user and gain unlimited persistence. Modern hardening includes transitioning to Kerberos Armoring (FAST) and disabling older, weaker encryption types like RC4 in favor of AES-256.
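Before RC4 can be disabled in favor of AES-256, a defender needs to know which accounts and services are still requesting RC4 (or DES) tickets. The following is an added example, not part of the original page: it audits ticket-granting events (4768 for TGTs, 4769 for service tickets) for weak encryption types, using constructed sample records in a simplified key=value shape that is assumed here rather than real Windows Event Log output.

```python
import re
from collections import Counter

# Ticket encryption type codes as logged in Windows events 4768/4769.
ENC_TYPES = {
    0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK_TYPES = {0x01, 0x03, 0x17, 0x18}  # DES and RC4 families

# Constructed sample records (assumed key=value export format, not real EVTX output).
SAMPLE_EVENTS = """\
EventID=4769 Account=alice@CORP.EXAMPLE Service=cifs/fs01 EncType=0x12 Client=10.0.0.5
EventID=4769 Account=svc_sql@CORP.EXAMPLE Service=MSSQLSvc/db01 EncType=0x17 Client=10.0.0.9
EventID=4768 Account=bob@CORP.EXAMPLE Service=krbtgt EncType=0x12 Client=10.0.0.7
EventID=4769 Account=legacy01$@CORP.EXAMPLE Service=host/oldapp EncType=0x3 Client=10.0.0.21
EventID=4769 Account=alice@CORP.EXAMPLE Service=HTTP/web01 EncType=0x11 Client=10.0.0.5
"""

LINE_RE = re.compile(
    r"EventID=(?P<eid>\d+) Account=(?P<account>\S+) Service=(?P<service>\S+) "
    r"EncType=(?P<etype>0x[0-9a-fA-F]+) Client=(?P<client>\S+)"
)

def parse_events(text):
    """Parse key=value records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["eid"] = int(rec["eid"])
        rec["etype"] = int(rec["etype"], 16)
        events.append(rec)
    return events

def find_weak_tickets(events):
    """Return one finding per TGT/service ticket issued with a DES or RC4 key."""
    return [
        {"account": e["account"], "service": e["service"], "client": e["client"],
         "enc_type": ENC_TYPES.get(e["etype"], hex(e["etype"]))}
        for e in events
        if e["eid"] in (4768, 4769) and e["etype"] in WEAK_TYPES
    ]

def weak_services(findings):
    """Count weak-ticket findings per service, the list to fix before disabling RC4."""
    return Counter(f["service"] for f in findings)

if __name__ == "__main__":
    for f in find_weak_tickets(parse_events(SAMPLE_EVENTS)):
        print(f)
```

An RC4 service ticket (0x17) for a service account usually means that account has no AES keys configured, so the remediation is on the account (msDS-SupportedEncryptionTypes and a password reset), not only on the domain policy.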

🔗 Related terms

Prerequisites:

📚 Sources