Windows authentication mechanisms (Kerberos)

Windows uses three identity authentication mechanisms, depending on where the user logs in: local authentication, network authentication, and intra-domain authentication.

(1) Local authentication: the user logs in to Windows locally on the device. Authentication uses the NTLM protocol (NT LAN Manager, a challenge/response authentication protocol): the system computes the NTLM hash of the password the user entered and compares it with the password hash stored for that user in the SAM (Security Account Manager) database.

(2) Network authentication: the user logs in to Windows remotely in a workgroup environment. Authentication uses a challenge/response mechanism based on a random number: the server sends a random challenge and the client answers with a Net-NTLM hash derived from its NTLM hash and that random number (NTLM hash + random number).

(3) Intra-domain authentication: the user logs in to Windows in a domain, and the Kerberos protocol is used. Kerberos requires a trusted third party that acts as the KDC (Key Distribution Center).
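The difference between mechanisms (1) and (2) is easiest to see in code. The following is an added example, not code from the original post: it models local authentication as a direct comparison against a stored hash and network authentication as a challenge/response in which the client proves knowledge of the hash without sending it. The hash function is a stand-in (SHA-256 over the UTF-16LE password instead of NTLM's MD4), the response is a generic keyed MAC rather than the real Net-NTLM computation, and the account database and credential are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def password_hash(password: str) -> bytes:
    """Stand-in for the NTLM hash. Real NTLM uses MD4 over the UTF-16LE
    password; SHA-256 is used here only so the example runs on any Python
    build. Note that, like the NTLM hash, the value is unsalted."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed stand-in for the SAM database: username -> stored password hash.
SAM_DB: Dict[str, bytes] = {
    "alice": password_hash("Winter2024!"),  # constructed sample credential
}


def local_login(username: str, password: str) -> bool:
    """(1) Local authentication: hash the typed password and compare it with
    the hash stored in the SAM. A constant-time comparison avoids leaking
    how many leading bytes matched."""
    stored: Optional[bytes] = SAM_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, password_hash(password))


def server_challenge() -> bytes:
    """(2) Network authentication, step 1: the server issues a fresh random
    challenge (NTLM also uses an 8-byte server challenge)."""
    return os.urandom(8)


def client_response(password: str, challenge: bytes) -> bytes:
    """(2) step 2: the client answers with a keyed MAC of the challenge under
    its password hash. The password and the hash itself never cross the wire;
    only the response does. (Toy model of the Net-NTLM response; the real
    NTLMv2 computation also mixes in the username, domain and a client blob.)"""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()


def server_verify(username: str, challenge: bytes, response: bytes) -> bool:
    """(2) step 3: the server recomputes the expected response from the stored
    hash and the challenge it issued, and compares in constant time."""
    stored = SAM_DB.get(username)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def replay_is_rejected(username: str, password: str) -> bool:
    """Why the challenge must be random and fresh: a response captured for one
    challenge does not validate against a different challenge."""
    first = server_challenge()
    captured = client_response(password, first)
    second = server_challenge()
    return server_verify(username, first, captured) and not server_verify(
        username, second, captured
    )


if __name__ == "__main__":
    print("local login:", local_login("alice", "Winter2024!"))
    c = server_challenge()
    print("network login:", server_verify("alice", c, client_response("Winter2024!", c)))
    print("replay rejected:", replay_is_rejected("alice", "Winter2024!"))
```

Two points worth noticing in the model: the server can verify a response using only the stored hash, which is why the hash database has the same sensitivity as the passwords themselves; and the random challenge is what prevents a recorded response from being reused, so the challenge must never repeat.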

For example, Windows 2000 fully integrates Kerberos V5, public key certificates and NTLM.

Kerberos is a network authentication protocol developed at MIT. It is designed to provide strong authentication for client/server applications using secret-key cryptography. What follows is a brief introduction to how it works; for the details of using it on Windows, see Kerberos Authentication Overview | Microsoft Learn.

As the diagram above shows, the claimant (the client) and the verifier (the service) do not share a key with each other, but each of them shares a key with a trusted third party, the Kerberos authentication server.

In the first exchange, the claimant obtains from the authentication server a ticket for the verifier. The messages between the claimant and the authentication server are protected with the key those two share.

In the second exchange, the claimant sends the ticket to the verifier. The ticket is protected with the key shared between the authentication server and the verifier, so the verifier can decrypt and verify it.
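The two exchanges described above, as an added example that is not part of the original post. It models the claimant, the authentication server (KDC) and the verifier with three functions and shows what each party can and cannot decrypt: the KDC seals the ticket under the verifier's long-term key and wraps it, together with a fresh session key, under the claimant's long-term key; the claimant can open the wrapper but not the ticket; the verifier opens the ticket with its own key and uses the session key inside it to check the claimant's authenticator. The `seal`/`unseal` helpers are a toy encrypt-then-MAC construction built from the standard library (real Kerberos uses AES-based encryption types), and the principal names, keys and timestamps are constructed sample values. The example goes a little beyond the text by also showing the checks a verifier performs on the ticket (expiry, name match, replay).

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Set, Tuple

TICKET_LIFETIME_SECONDS = 300  # constructed value; real tickets live hours
MAX_CLOCK_SKEW_SECONDS = 300   # Kerberos also bounds acceptable clock skew


def _keystream(key: bytes, nonce: bytes, length: bytes_len := int) -> bytes:
    pass
```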

Guess you like

Origin blog.csdn.net/ryanzzzzz/article/details/132432878