Domain Authentication Process

1. The meaning of the terms


Abbreviation   Meaning
DC             Domain Controller
KDC            Key Distribution Center
AD             Account Database
AS             Authentication Service
TGS            Ticket Granting Service
TGT            Ticket Granting Ticket (granted by the ticket granting center)

2. Outline of the process

1. The client sends a request to the Kerberos service, hoping to obtain permission to access the server. When Kerberos receives this request, it must first determine whether the client is trustworthy, which can be understood as a blacklist/whitelist check. This is the job of the AS service, which distinguishes clients by the blacklist and whitelist stored in AD. On success, the AS returns a TGT to the client.
2. After obtaining the TGT, the client sends another request to Kerberos, this time asking for permission to access the server. Kerberos receives the request, examines the TGT, judges that the client has this permission, and issues the client a ticket that grants access to the server.
3. Once the client has the ticket, it can access the server. This ticket is valid only for this one server; to access other servers, the client must apply to the TGS again.

3. Detailed process

1. The first step of domain authentication:


(1) First, the client sends its user information to the KDC, including domain information such as the computer name, address, user name and the TGS it wants to use. After this is sent, the KDC verifies whether the received computer name, address and user name exist in AD. If they all exist, it returns items (2) and (3) below to the client.
(2) Authentication Service (AS): the KDC looks up in AD the hash corresponding to the user name sent by the client and uses that hash to encrypt the SessionKey. This SessionKey is randomly generated.
(3) TGT (Ticket Granting Ticket, granted by the ticket granting center): the KDC encrypts the SessionKey together with the client information using the NTLM hash of a specific user inside the KDC. The SessionKey here is the same one as in the previous step. Once encrypted, it is sent to the client.
The specific information sent by the client to the KDC:


The specific information returned by the KDC to the client:


2. The second step of domain authentication:


(1) The client continues by sending information to the KDC. It sends the TGT (the one the KDC returned to the client in the first step); it decrypts the SessionKey with the client's own hash, then uses that SessionKey to encrypt (client information, timestamp); and it sends this encrypted package together with the server information and the client information.
(2) After the KDC receives this, the TGS itself does not hold the SessionKey, but the received TGT does. The TGS decrypts the TGT with the KDC's hash, then uses the SessionKey obtained from the TGT to decrypt the information the client packaged with the SessionKey. After decryption it checks the timestamp: if it differs too much from the current time, authentication fails, since the message may have been forged by an attacker. If that check passes, it compares the client information encrypted under the SessionKey with the client information in the TGT it returned in the first step. If they match, authentication passes and a packet is returned to the client. Its content is: the Server SessionKey encrypted with the SessionKey from before (the Server SessionKey is a random string generated by the KDC that serves as the session key for communication between the client and the server; without it they cannot authenticate), plus a Ticket. The content of the Ticket is the server information from the previous step; the KDC uses the computer name in the server information to fetch the server's hash from AD and uses that hash to encrypt the Ticket (which carries the Server SessionKey).

3. The third step of domain authentication:


(1) The client cannot decrypt the Ticket, but it has the Server SessionKey, which it uses to encrypt the client information and a timestamp; it sends both to the server.
(2) The server first decrypts the Ticket with its own hash. The Ticket contains the Server SessionKey. The server uses the Server SessionKey to decrypt the received client information and timestamp, compares them with the information in the Ticket, and checks whether the timestamp is within the allowed time window.
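The three exchanges described above (the outline in section 2 and the detailed steps in section 3), carried through end to end as an added Python example. This is not code from the original post and not Kerberos itself: a toy encrypt-then-MAC cipher built from HMAC-SHA256 stands in for the Kerberos encryption types, SHA-256 of the password stands in for the NTLM hash stored in AD, the KDC's own key is modelled on the krbtgt account hash, and the principal names alice and fileserver$, the address and the secrets are constructed sample values. It shows the two checks each recipient performs, the timestamp window and the comparison of the client information in the authenticator against the client information in the ticket, and what happens when the client's hash is wrong or the authenticator is stale.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW_SECONDS = 300  # Kerberos' default tolerance for authenticator timestamps (5 minutes)


def principal_hash(password: bytes) -> bytes:
    """Stand-in for the NTLM hash stored in AD (constructed: SHA-256 instead of MD4)."""
    return hashlib.sha256(password).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream for the toy cipher below."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, message: dict) -> bytes:
    """Toy authenticated encryption (encrypt-then-MAC) standing in for a Kerberos etype."""
    plaintext = json.dumps(message, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Reject the blob unless the tag verifies under this key (wrong key or tampering)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


def make_authenticator(key: bytes, client: str, timestamp: float) -> bytes:
    """Client information plus timestamp, sealed with the session key the client holds."""
    return encrypt(key, {"client": client, "timestamp": timestamp})


def _check_authenticator(auth: dict, expected_client: str, now: float) -> None:
    """The two checks the post describes: freshness of the timestamp and identity match."""
    if abs(now - auth["timestamp"]) > MAX_SKEW_SECONDS:
        raise PermissionError("authenticator timestamp outside the allowed skew (possible replay)")
    if auth["client"] != expected_client:
        raise PermissionError("client information does not match the ticket")


class KDC:
    def __init__(self, ad: dict, kdc_key: bytes):
        self.ad = ad            # AD: principal name -> stored hash (constructed sample)
        self.kdc_key = kdc_key  # hash of the KDC's own account (krbtgt); never leaves the KDC

    def as_exchange(self, client: str, addr: str):
        """Step 1: check the client exists in AD, return {SessionKey}_clientHash and the TGT."""
        if client not in self.ad:
            raise PermissionError("unknown client")
        session_key = os.urandom(32).hex()
        enc_part = encrypt(self.ad[client], {"session_key": session_key})
        tgt = encrypt(self.kdc_key, {"session_key": session_key, "client": client, "addr": addr})
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, server: str):
        """Step 2: open the TGT with the KDC hash, verify the authenticator, issue a ticket."""
        tgt_body = decrypt(self.kdc_key, tgt)
        session_key = bytes.fromhex(tgt_body["session_key"])
        _check_authenticator(decrypt(session_key, authenticator), tgt_body["client"], time.time())
        if server not in self.ad:
            raise PermissionError("unknown server")
        server_session_key = os.urandom(32).hex()
        enc_part = encrypt(session_key, {"server_session_key": server_session_key, "server": server})
        ticket = encrypt(self.ad[server], {"server_session_key": server_session_key, "client": tgt_body["client"]})
        return enc_part, ticket


def server_accept(server_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """Step 3: the server opens the ticket with its own hash and checks the authenticator."""
    body = decrypt(server_key, ticket)
    auth = decrypt(bytes.fromhex(body["server_session_key"]), authenticator)
    _check_authenticator(auth, body["client"], time.time())
    return body["client"]


def run_login(client_password: bytes, auth_time=None) -> str:
    """Drive all three exchanges and return the principal the server accepts.
    auth_time lets a caller inject a stale timestamp to watch the replay check fire."""
    now = time.time() if auth_time is None else auth_time
    ad = {"alice": principal_hash(b"correct horse"), "fileserver$": principal_hash(b"machine-secret")}
    kdc = KDC(ad, kdc_key=principal_hash(b"krbtgt-secret"))

    enc_part, tgt = kdc.as_exchange("alice", "10.0.0.5")
    # A wrong password yields a wrong hash, so this decrypt raises ValueError.
    session_key = bytes.fromhex(decrypt(principal_hash(client_password), enc_part)["session_key"])

    enc_part2, ticket = kdc.tgs_exchange(tgt, make_authenticator(session_key, "alice", now), "fileserver$")
    server_session_key = bytes.fromhex(decrypt(session_key, enc_part2)["server_session_key"])

    return server_accept(ad["fileserver$"], ticket, make_authenticator(server_session_key, "alice", now))


if __name__ == "__main__":
    print(run_login(b"correct horse"))
```

Note that the client never sees the inside of the TGT or the Ticket: both are sealed under hashes only the KDC and the server hold, which is why a client with the wrong password cannot even recover the SessionKey, and why the timestamp check, not the encryption alone, is what stops a captured authenticator from being replayed later.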

4. Summary

The essence of authentication is the exchange of secret keys, the use of symmetric encryption algorithms, and the verification of timestamps and identities.


Origin blog.csdn.net/qq_45697116/article/details/123951390