What is an authentication ticket?
An authentication ticket is a security component of the Kerberos network authentication protocol. It acts as a kind of token: a small collection of data passed between a client computer and a server so that the two machines can prove their identities to each other. Besides this mutual authentication, the ticket spells out what authorization the client has to access the server and its services, and the lifetime assigned to the session.
There are essentially two types of authentication ticket. The ticket-granting ticket (TGT) is the primary ticket, issued to the client computer when it first authenticates. This type of ticket usually lasts a long time, often 10 or more hours, and can be renewed at any point while the user is logged in to the network. With the TGT, the user can request individual tickets to access other servers in the network.
The client-to-server ticket, also called a session ticket or service ticket, is the second form of authentication ticket. It is usually a short-lived ticket, issued when the client wants to access a service on a particular server. The session ticket contains the network address of the client computer, the user's information, and the period during which the ticket is valid. Some Kerberos implementations, such as Microsoft's Active Directory, also use a third type of ticket, called a referral ticket. This type of ticket is issued when the client wants to access a server in a domain other than its own.
Tickets are issued by the Key Distribution Center (KDC), which is made up of two parts. The first is the Authentication Server (AS). The AS knows about every computer and user in the network and maintains the database of their passwords. When a user logs in to the network, the AS grants them a TGT. Whenever the user then needs to access a server somewhere in the network, they present the previously issued TGT and request a service ticket from the second part of the KDC, the Ticket Granting Server (TGS). The TGS sends a session ticket back to the user, who can then use it to access the requested server. When the server receives the session ticket, it sends a further message back to the user confirming its own identity and that the user has access to the requested service. In the case of a referral ticket, an extra step is required: instead of a service ticket, the home domain's KDC creates a referral ticket that allows the client to request tickets from another KDC in another network domain. The whole process of generating and exchanging tickets is encrypted at every step along the way, to protect against an attacker eavesdropping or masquerading as a user.
The primary disadvantage of this authentication method is the centralized structure of all authorization. If an attacker manages to gain access to the KDC, they effectively obtain all user identities and keys, and can then impersonate anyone. Furthermore, if the KDC becomes unavailable, no one can use the network. Another problem is the precise ticket lifetimes, which require every computer in the network to have synchronized clocks.
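The AS/TGS flow described above, as an added toy model that is not part of the original page or of any real Kerberos implementation. It assumes constructed keys and a KDC, a user "alice" and a service "fileserver"; tickets are integrity-protected with an HMAC under the ticket holder's key (standing in for Kerberos' encryption, with session keys and authenticators left out), and a validity window with a small clock-skew allowance, which is why Kerberos needs synchronized clocks.

```python
import hmac, hashlib, json, time

# Constructed keys (hypothetical). Real Kerberos derives them from passwords/keytabs.
# "krbtgt" is the TGS key: only the KDC can mint or read a TGT.
KEYS = {"alice": b"alice-secret", "krbtgt": b"kdc-tgs-secret", "fileserver": b"fileserver-secret"}
CLOCK_SKEW = 300  # seconds of tolerated clock difference between hosts

def seal(key, fields):
    """Serialize ticket fields and attach a MAC under `key`; stands in for encryption."""
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def open_ticket(key, ticket, now):
    """Verify the MAC and the validity window; raise ValueError on forgery or expiry."""
    body = ticket["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("ticket forged or sealed under the wrong key")
    fields = json.loads(body)
    if not (fields["start"] - CLOCK_SKEW <= now <= fields["end"] + CLOCK_SKEW):
        raise ValueError("ticket outside its validity window")
    return fields

def as_exchange(user, now):
    """Authentication Server: issue a long-lived (10 h) TGT sealed under the TGS key."""
    if user not in KEYS:
        raise ValueError("unknown principal")
    return seal(KEYS["krbtgt"], {"client": user, "start": now, "end": now + 10 * 3600})

def tgs_exchange(tgt, service, now):
    """Ticket Granting Server: check the TGT, then issue a short-lived (10 min) service ticket."""
    client = open_ticket(KEYS["krbtgt"], tgt, now)["client"]
    fields = {"client": client, "service": service, "start": now, "end": now + 600}
    return seal(KEYS[service], fields)

def server_accept(service, ticket, now):
    """Target server: open the ticket with its own key and return the authenticated client."""
    fields = open_ticket(KEYS[service], ticket, now)
    if fields.get("service") != service:
        raise ValueError("ticket issued for a different service")
    return fields["client"]

if __name__ == "__main__":
    now = int(time.time())
    tgt = as_exchange("alice", now)                 # login: AS -> client
    st = tgs_exchange(tgt, "fileserver", now)       # access request: TGS -> client
    print("fileserver authenticated:", server_accept("fileserver", st, now))
```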