Kerberos
Kerberos, güvenli olmayan bir ağ üzerinden iletişim kuran düğümlerin kimliklerini birbirlerine güvenli bir şekilde kanıtlamalarını sağlayan, bilet esasına dayalı bir bilgisayar ağı kimlik doğrulama protokolüdür.
Kerberos, Windows etki alanları için varsayılan kimlik doğrulama protokolüdür. Kullanıcı kimliğini ağ üzerinden parola göndermeden doğrulamak için bilet sistemini kullanır.
graph LR
Center["Kerberos"]:::main
Pre_authentication["authentication"]:::pre --> Center
click Pre_authentication "/terms/authentication"
Pre_active_directory["active-directory"]:::pre --> Center
click Pre_active_directory "/terms/active-directory"
Rel_active_directory["active-directory"]:::related -.-> Center
click Rel_active_directory "/terms/active-directory"
classDef main fill:#7c3aed,stroke:#8b5cf6,stroke-width:2px,color:white,font-weight:bold,rx:5,ry:5;
classDef pre fill:#0f172a,stroke:#3b82f6,color:#94a3b8,rx:5,ry:5;
classDef child fill:#0f172a,stroke:#10b981,color:#94a3b8,rx:5,ry:5;
classDef related fill:#0f172a,stroke:#8b5cf6,stroke-dasharray: 5 5,color:#94a3b8,rx:5,ry:5;
linkStyle default stroke:#4b5563,stroke-width:2px;
🧒 5 yaşındaki gibi açıkla
🎫 Kerberos is like a high-security theme park ticket system. Instead of showing your ID at every single ride, you show it once at the front gate to get a 'Master Ticket' (TGT). Then, you just show that Master Ticket to get 'Ride Coupons' (Service Tickets) for every ride you want to go on.
🤓 Expert Deep Dive
Kerberos relies on symmetric key cryptography and timestamps to prevent Replay Attacks. Every ticket has a limited lifetime and is encrypted using keys known only to the KDC and the target service. In a Windows environment, the KDC is integrated into the Domain Controller. One critical security consideration is the KRBTGT account, whose NTLM hash is used to sign all TGTs. If an attacker captures this hash, they can perform a Golden Ticket attack, allowing them to forge TGTs for any user and gain unlimited persistence. Modern hardening includes transitioning to Kerberos Armoring (FAST) and disabling older, weaker encryption types like RC4 in favor of AES-256.