{"id":36483,"date":"2025-12-09T14:49:01","date_gmt":"2025-12-09T07:49:01","guid":{"rendered":"https:\/\/interdata.vn\/blog\/?p=36483"},"modified":"2025-12-09T14:49:30","modified_gmt":"2025-12-09T07:49:30","slug":"giao-thuc-kerberos-la-gi","status":"publish","type":"post","link":"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/","title":{"rendered":"Giao th\u1ee9c Kerberos l\u00e0 g\u00ec? C\u00e1ch ho\u1ea1t \u0111\u1ed9ng, \u01afu \u0111i\u1ec3m &#038; \u1ee8ng d\u1ee5ng"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">N\u1ed8I DUNG<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 
ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Giao-thuc-Kerberos-la-gi\" >Giao th\u1ee9c Kerberos l\u00e0 g\u00ec?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Lich-su-va-nguon-goc-cua-Kerberos\" >L\u1ecbch s\u1eed v\u00e0 ngu\u1ed3n g\u1ed1c c\u1ee7a Kerberos<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-duoc-dung-de-lam-gi\" >Kerberos \u0111\u01b0\u1ee3c d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec?<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Co-che-hoat-dong-cua-giao-thuc-Kerberos\" >C\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng c\u1ee7a giao th\u1ee9c Kerberos<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Buoc-1-Xac-thuc-client\" >B\u01b0\u1edbc 1: X\u00e1c th\u1ef1c client<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Buoc-2-Xac-thuc-server\" >B\u01b0\u1edbc 2: X\u00e1c th\u1ef1c server<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Buoc-3-Truy-cap-tai-nguyen\" >B\u01b0\u1edbc 3: Truy c\u1eadp t\u00e0i nguy\u00ean<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" 
href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#So-sanh-Kerberos-va-NTLM-Tai-sao-nen-dung-Kerberos\" >So s\u00e1nh Kerberos v\u00e0 NTLM: T\u1ea1i sao n\u00ean d\u00f9ng Kerberos?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Uu-va-Nhuoc-diem-cua-giao-thuc-Kerberos\" >\u01afu v\u00e0 Nh\u01b0\u1ee3c \u0111i\u1ec3m c\u1ee7a giao th\u1ee9c Kerberos<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Uu-diem\" >\u01afu \u0111i\u1ec3m<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Nhuoc-diem-Thach-thuc\" >Nh\u01b0\u1ee3c \u0111i\u1ec3m &amp; Th\u00e1ch th\u1ee9c<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-co-the-bi-tan-cong-khong\" >Kerberos c\u00f3 th\u1ec3 b\u1ecb t\u1ea5n c\u00f4ng kh\u00f4ng?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Pass-the-Ticket\" >Pass the Ticket<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Tan-cong-Credential-Stuffing-hoac-Brute-Force\" >T\u1ea5n c\u00f4ng Credential Stuffing ho\u1eb7c Brute Force<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Ha-cap-ma-hoa-Encryption-Downgrade\" >H\u1ea1 c\u1ea5p m\u00e3 h\u00f3a (Encryption Downgrade)<\/a><\/li><li 
class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Tan-cong-DC-Shadow\" >T\u1ea5n c\u00f4ng DC Shadow<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Ung-dung-cua-Kerberos-trong-thuc-te\" >\u1ee8ng d\u1ee5ng c\u1ee7a Kerberos trong th\u1ef1c t\u1ebf<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-trong-he-dieu-hanh\" >Kerberos trong h\u1ec7 \u0111i\u1ec1u h\u00e0nh<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-trong-ung-dung-may-chu\" >Kerberos trong \u1ee9ng d\u1ee5ng m\u00e1y ch\u1ee7<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-trong-ung-dung-email\" >Kerberos trong \u1ee9ng d\u1ee5ng email<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-trong-ung-dung-web\" >Kerberos trong \u1ee9ng d\u1ee5ng web<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-trong-he-thong-luu-tru\" >Kerberos trong h\u1ec7 th\u1ed1ng l\u01b0u tr\u1eef<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-23\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Tuong-lai-cua-giao-thuc-Kerberos\" >T\u01b0\u01a1ng lai c\u1ee7a giao th\u1ee9c Kerberos<\/a><\/li><li 
class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-24\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberos-co-an-toan-khong-Rui-ro-bao-mat-can-luu-y\" >Kerberos c\u00f3 an to\u00e0n kh\u00f4ng? R\u1ee7i ro b\u1ea3o m\u1eadt c\u1ea7n l\u01b0u \u00fd<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-25\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Kerberoasting\" >Kerberoasting<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-26\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Golden-Ticket-Attack\" >Golden Ticket Attack<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-27\" href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/#Cach-bao-ve-he-thong-Kerberos\" >C\u00e1ch b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng Kerberos<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<p>Trong c\u00e1c h\u1ec7 th\u1ed1ng doanh nghi\u1ec7p, vi\u1ec7c \u0111\u1ea3m b\u1ea3o ng\u01b0\u1eddi d\u00f9ng \u0111\u0103ng nh\u1eadp \u0111\u00fang danh t\u00ednh v\u00e0 d\u1eef li\u1ec7u \u0111\u01b0\u1ee3c truy\u1ec1n \u0111i an to\u00e0n l\u00e0 y\u1ebfu t\u1ed1 s\u1ed1ng c\u00f2n. \u0110\u00e2y c\u0169ng l\u00e0 l\u00fd do giao th\u1ee9c Kerberos tr\u1edf th\u00e0nh l\u1ef1a ch\u1ecdn m\u1eb7c \u0111\u1ecbnh trong nhi\u1ec1u n\u1ec1n t\u1ea3ng hi\u1ec7n \u0111\u1ea1i, t\u1eeb Windows Server, Linux, \u0111\u1ebfn h\u1ec7 th\u1ed1ng Big Data nh\u01b0 Hadoop.<\/p>\n<p>V\u1eady <strong><a href=\"https:\/\/interdata.vn\/blog\/giao-thuc-kerberos-la-gi\/\">giao th\u1ee9c Kerberos l\u00e0 g\u00ec<\/a><\/strong>, t\u1ea1i sao n\u00f3 l\u1ea1i quan tr\u1ecdng v\u00e0 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng r\u1ed9ng r\u00e3i trong c\u00e1c m\u00f4 h\u00ecnh x\u00e1c th\u1ef1c m\u1ea1ng? 
T\u00ecm hi\u1ec3u c\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng, c\u00e1c th\u00e0nh ph\u1ea7n ch\u00ednh, \u01b0u \u2013 nh\u01b0\u1ee3c \u0111i\u1ec3m v\u00e0 c\u00e1ch Kerberos \u0111\u01b0\u1ee3c tri\u1ec3n khai trong th\u1ef1c t\u1ebf.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Giao-thuc-Kerberos-la-gi\"><\/span>Giao th\u1ee9c Kerberos l\u00e0 g\u00ec?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Giao th\u1ee9c Kerberos<\/strong> l\u00e0 m\u1ed9t giao th\u1ee9c x\u00e1c th\u1ef1c m\u1ea1ng \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1ec3 cung c\u1ea5p kh\u1ea3 n\u0103ng x\u00e1c th\u1ef1c m\u1ea1nh m\u1ebd cho c\u00e1c \u1ee9ng d\u1ee5ng client\/server b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng m\u1eadt m\u00e3 kh\u00f3a b\u00ed m\u1eadt (secret-key cryptography).<\/p>\n<p>Kh\u00e1c v\u1edbi c\u00e1c ph\u01b0\u01a1ng th\u1ee9c x\u00e1c th\u1ef1c truy\u1ec1n th\u1ed1ng g\u1eedi m\u1eadt kh\u1ea9u qua m\u1ea1ng (d\u00f9 c\u00f3 m\u00e3 h\u00f3a hay kh\u00f4ng), Kerberos ho\u1ea1t \u0111\u1ed9ng d\u1ef1a tr\u00ean c\u01a1 ch\u1ebf &#8220;v\u00e9&#8221; (ticket). H\u00e3y t\u01b0\u1edfng t\u01b0\u1ee3ng b\u1ea1n \u0111i xem phim: B\u1ea1n kh\u00f4ng \u0111\u01b0a ti\u1ec1n tr\u1ef1c ti\u1ebfp cho ng\u01b0\u1eddi so\u00e1t v\u00e9 \u1edf c\u1eeda r\u1ea1p. 
Thay v\u00e0o \u0111\u00f3, b\u1ea1n mua v\u00e9 t\u1ea1i qu\u1ea7y (x\u00e1c th\u1ef1c danh t\u00ednh v\u00e0 quy\u1ec1n h\u1ea1n), sau \u0111\u00f3 d\u00f9ng t\u1ea5m v\u00e9 n\u00e0y \u0111\u1ec3 \u0111i qua c\u1eeda ki\u1ec3m so\u00e1t.<\/p>\n<figure id=\"attachment_36497\" aria-describedby=\"caption-attachment-36497\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-36497\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Giao-thuc-Kerberos-la-gi.jpg\" alt=\"Giao th\u1ee9c Kerberos l\u00e0 g\u00ec\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Giao-thuc-Kerberos-la-gi.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Giao-thuc-Kerberos-la-gi-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Giao-thuc-Kerberos-la-gi-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-36497\" class=\"wp-caption-text\">Giao th\u1ee9c Kerberos l\u00e0 g\u00ec?<\/figcaption><\/figure>\n<p>Kerberos c\u0169ng ho\u1ea1t \u0111\u1ed9ng theo nguy\u00ean l\u00fd t\u01b0\u01a1ng t\u1ef1 \u0111\u1ec3 h\u1ea1n ch\u1ebf t\u1ed1i \u0111a vi\u1ec7c g\u1eedi m\u1eadt kh\u1ea9u g\u1ed1c qua \u0111\u01b0\u1eddng truy\u1ec1n m\u1ea1ng, t\u1eeb \u0111\u00f3 ng\u0103n ch\u1eb7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng nghe l\u00e9n (sniffing).<\/p>\n<p>V\u1ec1 m\u1eb7t k\u1ef9 thu\u1eadt,giao th\u1ee9 Kerberos l\u00e0 m\u1ed9t h\u1ec7 th\u1ed1ng d\u1ef1a tr\u00ean b\u00ean th\u1ee9 ba tin c\u1eady (Trusted Third Party), ngh\u0129a l\u00e0 c\u1ea3 m\u00e1y kh\u00e1ch (Client) v\u00e0 m\u00e1y ch\u1ee7 (Server) \u0111\u1ec1u tin t\u01b0\u1edfng v\u00e0o m\u1ed9t trung t\u00e2m trung gian \u0111\u1ec3 x\u00e1c minh danh t\u00ednh c\u1ee7a nhau.<\/p>\n<p>\u0110\u1ec3 hi\u1ec3u s\u00e2u h\u01a1n v\u1ec1 \u0111\u1ecbnh ngh\u0129a <strong>giao 
th\u1ee9c x\u00e1c th\u1ef1c m\u1ea1ng Kerberos<\/strong>, ch\u00fang ta c\u1ea7n n\u1eafm v\u1eefng ba th\u00e0nh ph\u1ea7n c\u1ed1t l\u00f5i t\u1ea1o n\u00ean &#8220;b\u1ed9 ba&#8221; quy\u1ec1n l\u1ef1c n\u00e0y:<\/p>\n<ol>\n<li><strong>Client:<\/strong> Ng\u01b0\u1eddi d\u00f9ng ho\u1eb7c d\u1ecbch v\u1ee5 thay m\u1eb7t ng\u01b0\u1eddi d\u00f9ng g\u1eedi y\u00eau c\u1ea7u truy c\u1eadp.<\/li>\n<li><strong>Server:<\/strong> M\u00e1y ch\u1ee7 ch\u1ee9a t\u00e0i nguy\u00ean c\u1ea7n truy c\u1eadp (nh\u01b0 File Server, Web Server).<\/li>\n<li><strong>KDC (Key Distribution Center):<\/strong> Trung t\u00e2m ph\u00e2n ph\u1ed1i kh\u00f3a. \u0110\u00e2y ch\u00ednh l\u00e0 &#8220;b\u00ean th\u1ee9 ba tin c\u1eady&#8221;. KDC th\u01b0\u1eddng \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t tr\u00ean Domain Controller trong m\u00f4i tr\u01b0\u1eddng Windows. KDC bao g\u1ed3m hai d\u1ecbch v\u1ee5 con:\n<ul>\n<li><strong>AS (Authentication Service):<\/strong> D\u1ecbch v\u1ee5 x\u00e1c th\u1ef1c, ch\u1ecbu tr\u00e1ch nhi\u1ec7m c\u1ea5p v\u00e9 TGT (Ticket-Granting Ticket).<\/li>\n<li><strong>TGS (Ticket-Granting Service):<\/strong> D\u1ecbch v\u1ee5 c\u1ea5p v\u00e9, ch\u1ecbu tr\u00e1ch nhi\u1ec7m c\u1ea5p v\u00e9 d\u1ecbch v\u1ee5 (Service Ticket) \u0111\u1ec3 truy c\u1eadp t\u00e0i nguy\u00ean c\u1ee5 th\u1ec3.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>Nguy\u00ean l\u00fd c\u1ed1t l\u00f5i c\u1ee7a Kerberos d\u1ef1a tr\u00ean <strong>m\u00e3 h\u00f3a \u0111\u1ed1i x\u1ee9ng (Symmetric-key cryptography)<\/strong>. \u0110i\u1ec1u n\u00e0y c\u00f3 ngh\u0129a l\u00e0 c\u00f9ng m\u1ed9t kh\u00f3a \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng cho c\u1ea3 qu\u00e1 tr\u00ecnh m\u00e3 h\u00f3a v\u00e0 gi\u1ea3i m\u00e3. H\u1ec7 th\u1ed1ng Kerberos chia s\u1ebb m\u1ed9t kh\u00f3a b\u00ed m\u1eadt kh\u00e1c nhau v\u1edbi m\u1ed7i th\u1ef1c th\u1ec3 trong m\u1ea1ng. 
Ki\u1ebfn th\u1ee9c v\u1ec1 m\u00e3 h\u00f3a \u0111\u1ed1i x\u1ee9ng l\u00e0 n\u1ec1n t\u1ea3ng \u0111\u1ec3 hi\u1ec3u v\u1ec1 <strong>Giao th\u1ee9c Kerberos<\/strong>\u00a0m\u1ed9t c\u00e1ch th\u1ea5u \u0111\u00e1o nh\u1ea5t.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Lich-su-va-nguon-goc-cua-Kerberos\"><\/span>L\u1ecbch s\u1eed v\u00e0 ngu\u1ed3n g\u1ed1c c\u1ee7a Kerberos<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>T\u00ean g\u1ecdi &#8220;Kerberos&#8221; \u0111\u01b0\u1ee3c l\u1ea5y c\u1ea3m h\u1ee9ng t\u1eeb th\u1ea7n tho\u1ea1i Hy L\u1ea1p. \u0110\u00f3 l\u00e0 t\u00ean c\u1ee7a Cerberus &#8211; con ch\u00f3 ba \u0111\u1ea7u hung d\u1eef canh gi\u1eef c\u1ed5ng \u0111\u1ecba ng\u1ee5c. H\u00ecnh \u1ea3nh ba chi\u1ebfc \u0111\u1ea7u t\u01b0\u1ee3ng tr\u01b0ng cho ba th\u00e0nh ph\u1ea7n kh\u00f4ng th\u1ec3 t\u00e1ch r\u1eddi c\u1ee7a giao th\u1ee9c: Client, Server v\u00e0 KDC.<\/p>\n<p><strong>L\u1ecbch s\u1eed Kerberos<\/strong> b\u1eaft \u0111\u1ea7u t\u1ea1i H\u1ecdc vi\u1ec7n C\u00f4ng ngh\u1ec7 Massachusetts (MIT) v\u00e0o nh\u1eefng n\u0103m 1980. \u0110\u00e2y l\u00e0 m\u1ed9t ph\u1ea7n c\u1ee7a d\u1ef1 \u00e1n Athena &#8211; m\u1ed9t s\u00e1ng ki\u1ebfn nh\u1eb1m t\u1ea1o ra m\u00f4i tr\u01b0\u1eddng \u0111i\u1ec7n to\u00e1n ph\u00e2n t\u00e1n cho m\u1ee5c \u0111\u00edch gi\u00e1o d\u1ee5c.<\/p>\n<p>M\u1ee5c ti\u00eau ban \u0111\u1ea7u c\u1ee7a <strong>Kerberos MIT<\/strong> l\u00e0 b\u1ea3o v\u1ec7 c\u00e1c m\u00e1y tr\u1ea1m (workstation) trong m\u1ea1ng tr\u01b0\u1eddng \u0111\u1ea1i h\u1ecdc kh\u1ecfi s\u1ef1 d\u00f2m ng\u00f3 v\u00e0 t\u1ea5n c\u00f4ng t\u1eeb nh\u1eefng ng\u01b0\u1eddi d\u00f9ng t\u00f2 m\u00f2 ho\u1eb7c c\u00f3 \u00fd \u0111\u1ed3 x\u1ea5u.<\/p>\n<ul>\n<li><strong>Kerberos Version 4:<\/strong> Phi\u00ean b\u1ea3n \u0111\u1ea7u ti\u00ean \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 r\u1ed9ng r\u00e3i ra b\u00ean ngo\u00e0i MIT v\u00e0o cu\u1ed1i nh\u1eefng n\u0103m 80. 
Tuy nhi\u00ean, phi\u00ean b\u1ea3n n\u00e0y ch\u1ee7 y\u1ebfu ph\u1ee5c v\u1ee5 cho m\u1ee5c \u0111\u00edch nghi\u00ean c\u1ee9u v\u00e0 c\u00f2n t\u1ed3n t\u1ea1i m\u1ed9t s\u1ed1 h\u1ea1n ch\u1ebf v\u1ec1 k\u1ef9 thu\u1eadt.<\/li>\n<li><strong>Kerberos Version 5:<\/strong> \u0110\u01b0\u1ee3c chu\u1ea9n h\u00f3a trong RFC 1510 (sau \u0111\u00f3 l\u00e0 RFC 4120 v\u00e0 RFC 4121). \u0110\u00e2y l\u00e0 phi\u00ean b\u1ea3n kh\u1eafc ph\u1ee5c c\u00e1c l\u1ed7i b\u1ea3o m\u1eadt c\u1ee7a V4 v\u00e0 tr\u1edf th\u00e0nh ti\u00eau chu\u1ea9n c\u00f4ng nghi\u1ec7p hi\u1ec7n nay.<\/li>\n<\/ul>\n<p>S\u1ef1 ph\u1ed5 bi\u1ebfn c\u1ee7a Kerberos b\u00f9ng n\u1ed5 khi Microsoft quy\u1ebft \u0111\u1ecbnh ch\u1ecdn n\u00f3 l\u00e0m giao th\u1ee9c x\u00e1c th\u1ef1c m\u1eb7c \u0111\u1ecbnh cho Windows 2000 v\u00e0 c\u00e1c phi\u00ean b\u1ea3n Windows Server sau n\u00e0y (thay th\u1ebf cho NTLM). Ng\u00e0y nay, kh\u00f4ng ch\u1ec9 Windows, m\u00e0 c\u1ea3 c\u00e1c h\u1ec7 \u0111i\u1ec1u h\u00e0nh nh\u01b0 Linux, Unix, macOS v\u00e0 c\u00e1c h\u1ec7 th\u1ed1ng Big Data nh\u01b0 Hadoop \u0111\u1ec1u s\u1eed d\u1ee5ng Kerberos nh\u01b0 m\u1ed9t x\u01b0\u01a1ng s\u1ed1ng b\u1ea3o m\u1eadt.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kerberos-duoc-dung-de-lam-gi\"><\/span>Kerberos \u0111\u01b0\u1ee3c d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Khi t\u00ecm hi\u1ec3u <strong>Giao th\u1ee9c Kerberos l\u00e0 g\u00ec<\/strong>, nhi\u1ec1u ng\u01b0\u1eddi th\u01b0\u1eddng nh\u1ea7m l\u1eabn gi\u1eefa x\u00e1c th\u1ef1c (Authentication) v\u00e0 ph\u00e2n quy\u1ec1n (Authorization). 
Kerberos ch\u1ee7 y\u1ebfu gi\u1ea3i quy\u1ebft b\u00e0i to\u00e1n <strong>x\u00e1c th\u1ef1c<\/strong>.<\/p>\n<p><strong>Kerberos d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec<\/strong> c\u1ee5 th\u1ec3 trong h\u1ec7 th\u1ed1ng m\u1ea1ng?<\/p>\n<ol>\n<li><strong>X\u00e1c th\u1ef1c l\u1eabn nhau (Mutual Authentication):<\/strong> \u0110\u00e2y l\u00e0 t\u00ednh n\u0103ng quan tr\u1ecdng nh\u1ea5t. Kh\u00f4ng ch\u1ec9 Server x\u00e1c minh danh t\u00ednh c\u1ee7a Client, m\u00e0 Client c\u0169ng x\u00e1c minh \u0111\u01b0\u1ee3c r\u1eb1ng m\u00ecnh \u0111ang k\u1ebft n\u1ed1i \u0111\u1ebfn \u0111\u00fang Server th\u1eadt ch\u1ee9 kh\u00f4ng ph\u1ea3i m\u1ed9t m\u00e1y ch\u1ee7 gi\u1ea3 m\u1ea1o (Phishing Server).<\/li>\n<li><strong>\u1ee6y quy\u1ec1n an to\u00e0n:<\/strong> Kerberos cho ph\u00e9p c\u00e1c d\u1ecbch v\u1ee5 thay m\u1eb7t ng\u01b0\u1eddi d\u00f9ng truy c\u1eadp v\u00e0o c\u00e1c d\u1ecbch v\u1ee5 kh\u00e1c m\u1ed9t c\u00e1ch an to\u00e0n th\u00f4ng qua c\u01a1 ch\u1ebf v\u00e9. V\u00ed d\u1ee5: M\u1ed9t Web Server truy c\u1eadp v\u00e0o Database Server thay m\u1eb7t cho ng\u01b0\u1eddi d\u00f9ng cu\u1ed1i.<\/li>\n<li><strong>Single Sign-On (SSO):<\/strong> Nh\u1edd c\u01a1 ch\u1ebf Ticket-Granting Ticket (TGT), ng\u01b0\u1eddi d\u00f9ng ch\u1ec9 c\u1ea7n \u0111\u0103ng nh\u1eadp m\u1ed9t l\u1ea7n v\u00e0 c\u00f3 th\u1ec3 truy c\u1eadp nhi\u1ec1u t\u00e0i nguy\u00ean kh\u00e1c nhau trong kho\u1ea3ng th\u1eddi gian v\u00e9 c\u00f2n hi\u1ec7u l\u1ef1c (th\u01b0\u1eddng l\u00e0 8-10 ti\u1ebfng) m\u00e0 kh\u00f4ng c\u1ea7n nh\u1eadp l\u1ea1i m\u1eadt kh\u1ea9u.<\/li>\n<\/ol>\n<p>C\u00e1c <strong>\u1ee9ng d\u1ee5ng giao th\u1ee9c x\u00e1c th\u1ef1c m\u1ea1ng Kerberos<\/strong> ph\u1ed5 bi\u1ebfn bao g\u1ed3m x\u00e1c th\u1ef1c \u0111\u0103ng nh\u1eadp m\u00e1y t\u00ednh (Windows Logon), truy c\u1eadp chia s\u1ebb t\u1ec7p tin (SMB), in \u1ea5n qua m\u1ea1ng, x\u00e1c th\u1ef1c email (Exchange), v\u00e0 x\u00e1c th\u1ef1c web (IIS\/Apache).<\/p>\n<figure 
id=\"attachment_36498\" aria-describedby=\"caption-attachment-36498\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-36498\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Kerberos-duoc-dung-de-lam-gi.png\" alt=\"Kerberos \u0111\u01b0\u1ee3c d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec?\" width=\"800\" height=\"576\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Kerberos-duoc-dung-de-lam-gi.png 905w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Kerberos-duoc-dung-de-lam-gi-300x216.png 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Kerberos-duoc-dung-de-lam-gi-768x553.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-36498\" class=\"wp-caption-text\">Kerberos \u0111\u01b0\u1ee3c d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec?<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"Co-che-hoat-dong-cua-giao-thuc-Kerberos\"><\/span>C\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng c\u1ee7a giao th\u1ee9c Kerberos<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kerberos v\u1eadn h\u00e0nh d\u1ef1a tr\u00ean m\u00f4 h\u00ecnh client\u2013server, v\u1edbi ba th\u00e0nh ph\u1ea7n ch\u00ednh g\u1ed3m:<\/p>\n<ul>\n<li><strong>Client<\/strong>: ng\u01b0\u1eddi d\u00f9ng y\u00eau c\u1ea7u truy c\u1eadp t\u00e0i nguy\u00ean<\/li>\n<li><strong>Server<\/strong>: m\u00e1y ch\u1ee7 ch\u1ee9a t\u00e0i nguy\u00ean c\u1ea7n truy c\u1eadp<\/li>\n<li><strong>Kerberos Authentication Server (KDC)<\/strong>: h\u1ec7 th\u1ed1ng qu\u1ea3n l\u00fd x\u00e1c th\u1ef1c<\/li>\n<\/ul>\n<p>To\u00e0n b\u1ed9 qu\u00e1 tr\u00ecnh x\u00e1c th\u1ef1c di\u1ec5n ra theo ba b\u01b0\u1edbc sau:<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Buoc-1-Xac-thuc-client\"><\/span>B\u01b0\u1edbc 1: X\u00e1c th\u1ef1c client<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Khi c\u1ea7n truy c\u1eadp t\u00e0i 
nguy\u00ean, client g\u1eedi y\u00eau c\u1ea7u \u0111\u1ebfn KDC \u0111\u1ec3 b\u1eaft \u0111\u1ea7u qu\u00e1 tr\u00ecnh x\u00e1c th\u1ef1c. KDC s\u1ebd y\u00eau c\u1ea7u client cung c\u1ea5p th\u00f4ng tin \u0111\u0103ng nh\u1eadp nh\u01b0 t\u00ean ng\u01b0\u1eddi d\u00f9ng v\u00e0 m\u1eadt kh\u1ea9u.<\/p>\n<p>Sau khi ki\u1ec3m tra th\u00e0nh c\u00f4ng, KDC c\u1ea5p cho client <strong>Ticket Granting Ticket (TGT)<\/strong> c\u00f9ng m\u1ed9t <strong>session key<\/strong>.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Buoc-2-Xac-thuc-server\"><\/span>B\u01b0\u1edbc 2: X\u00e1c th\u1ef1c server<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Client g\u1eedi y\u00eau c\u1ea7u truy c\u1eadp t\u00e0i nguy\u00ean \u0111\u1ebfn server, \u0111\u1ed3ng th\u1eddi g\u1eedi k\u00e8m TGT v\u00e0 session key. Server chuy\u1ec3n TGT \u0111\u1ebfn KDC \u0111\u1ec3 x\u00e1c th\u1ef1c, sau \u0111\u00f3 nh\u1eadn v\u1ec1 <strong>service ticket<\/strong> v\u00e0 m\u1ed9t session key \u0111\u00e3 \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a b\u1eb1ng session key c\u1ee7a TGT.<\/p>\n<p>Server ti\u1ebfp t\u1ee5c gi\u1ea3i m\u00e3 service ticket v\u00e0 session key b\u1eb1ng session key c\u1ee7a TGT \u0111\u1ec3 x\u00e1c minh quy\u1ec1n truy c\u1eadp c\u1ee7a client.<\/p>\n<figure id=\"attachment_36499\" aria-describedby=\"caption-attachment-36499\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-36499\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Co-che-hoat-dong-cua-giao-thuc-Kerberos.jpg\" alt=\"C\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng c\u1ee7a giao th\u1ee9c Kerberos\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Co-che-hoat-dong-cua-giao-thuc-Kerberos.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Co-che-hoat-dong-cua-giao-thuc-Kerberos-300x188.jpg 300w, 
https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Co-che-hoat-dong-cua-giao-thuc-Kerberos-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-36499\" class=\"wp-caption-text\">C\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng c\u1ee7a giao th\u1ee9c Kerberos<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Buoc-3-Truy-cap-tai-nguyen\"><\/span>B\u01b0\u1edbc 3: Truy c\u1eadp t\u00e0i nguy\u00ean<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Khi server x\u00e1c th\u1ef1c th\u00e0nh c\u00f4ng, client \u0111\u01b0\u1ee3c ph\u00e9p truy c\u1eadp t\u00e0i nguy\u00ean. M\u1ed9t session key m\u1edbi s\u1ebd \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u1ec3 s\u1eed d\u1ee5ng trong su\u1ed1t phi\u00ean l\u00e0m vi\u1ec7c.<\/p>\n<p>C\u00e1c session key trong Kerberos ch\u1ec9 c\u00f3 hi\u1ec7u l\u1ef1c m\u1ed9t l\u1ea7n v\u00e0 b\u1ecb x\u00f3a khi phi\u00ean k\u1ebft th\u00fac, gi\u00fap \u0111\u1ea3m b\u1ea3o an to\u00e0n, gi\u1ea3m nguy c\u01a1 b\u1ecb t\u1ea5n c\u00f4ng nh\u01b0 sniffing hay replay attack.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"So-sanh-Kerberos-va-NTLM-Tai-sao-nen-dung-Kerberos\"><\/span>So s\u00e1nh Kerberos v\u00e0 NTLM: T\u1ea1i sao n\u00ean d\u00f9ng Kerberos?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u0110\u1ec3 hi\u1ec3u r\u00f5 gi\u00e1 tr\u1ecb c\u1ee7a Kerberos, ch\u00fang ta c\u1ea7n \u0111\u1eb7t n\u00f3 l\u00ean b\u00e0n c\u00e2n so s\u00e1nh v\u1edbi &#8220;ng\u01b0\u1eddi ti\u1ec1n nhi\u1ec7m&#8221; l\u00e0 NTLM (New Technology LAN Manager). NTLM l\u00e0 giao th\u1ee9c x\u00e1c th\u1ef1c c\u0169 c\u1ee7a Microsoft. 
D\u00f9 v\u1eabn c\u00f2n t\u1ed3n t\u1ea1i \u0111\u1ec3 t\u01b0\u01a1ng th\u00edch ng\u01b0\u1ee3c, NTLM hi\u1ec7n \u0111\u01b0\u1ee3c xem l\u00e0 k\u00e9m an to\u00e0n v\u00e0 ch\u1eadm h\u01a1n Kerberos.<\/p>\n<p>D\u01b0\u1edbi \u0111\u00e2y l\u00e0 b\u1ea3ng\u00a0so s\u00e1nh Kerberos v\u00e0 NTLM\u00a0chi ti\u1ebft gi\u00fap c\u00e1c k\u1ef9 s\u01b0 h\u1ec7 th\u1ed1ng t\u1ea1i\u00a0InterData\u00a0v\u00e0 \u0111\u1ed9c gi\u1ea3 d\u1ec5 d\u00e0ng h\u00ecnh dung:<br \/>\n<!-- B\u1ea3ng so s\u00e1nh Kerberos vs NTLM \u2014 ch\u00e8n v\u00e0o b\u00e0i vi\u1ebft WordPress --><\/p>\n<div style=\"overflow-x: auto; -webkit-overflow-scrolling: touch; padding: 8px; background: transparent;\">\n<table style=\"width: 100%; max-width: 100%; border-collapse: separate; border-spacing: 0; font-family: Inter, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;\">\n<thead>\n<tr>\n<th style=\"padding: 14px 16px; font-size: 15px; color: #ffffff; background: linear-gradient(90deg, #0c40f4 0%, #077ffa 50%, #0497fc 100%); border-top-left-radius: 8px; border-bottom-left-radius: 0px; text-align: center;\">Ti\u00eau ch\u00ed<\/th>\n<th style=\"padding: 14px 16px; font-size: 15px; color: #ffffff; background: linear-gradient(90deg, #0c40f4 0%, #077ffa 50%, #0497fc 100%); text-align: center;\">Giao th\u1ee9c Kerberos<\/th>\n<th style=\"padding: 14px 16px; font-size: 15px; color: #ffffff; background: linear-gradient(90deg, #0c40f4 0%, #077ffa 50%, #0497fc 100%); border-top-right-radius: 8px; text-align: center;\">Giao th\u1ee9c NTLM<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"background: #ffffff;\">\n<td style=\"padding: 12px 16px; vertical-align: top; border-top: 1px solid rgba(12,64,244,0.08); font-weight: 600;\">C\u01a1 ch\u1ebf x\u00e1c th\u1ef1c<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top; border-top: 1px solid rgba(12,64,244,0.04);\">D\u1ef1a tr\u00ean v\u00e9 (Ticket-based) v\u00e0 b\u00ean th\u1ee9 ba tin c\u1eady 
(KDC).<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top; border-top: 1px solid rgba(12,64,244,0.04);\">D\u1ef1a tr\u00ean c\u01a1 ch\u1ebf Th\u00e1ch th\u1ee9c\/Ph\u1ea3n h\u1ed3i (Challenge\/Response).<\/td>\n<\/tr>\n<tr style=\"background: linear-gradient(180deg, rgba(4,151,252,0.03), rgba(4,151,252,0.00));\">\n<td style=\"padding: 12px 16px; vertical-align: top; font-weight: 600;\">X\u00e1c th\u1ef1c 2 chi\u1ec1u<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">C\u00f3 (Mutual Authentication). Client v\u00e0 Server \u0111\u1ec1u x\u00e1c minh nhau.<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">Kh\u00f4ng. Ch\u1ec9 Server x\u00e1c minh Client. Client kh\u00f4ng bi\u1ebft Server l\u00e0 th\u1eadt hay gi\u1ea3.<\/td>\n<\/tr>\n<tr style=\"background: #ffffff;\">\n<td style=\"padding: 12px 16px; vertical-align: top; font-weight: 600;\">M\u00e3 h\u00f3a<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">S\u1eed d\u1ee5ng m\u00e3 h\u00f3a \u0111\u1ed1i x\u1ee9ng m\u1ea1nh m\u1ebd (AES, HMAC&#8230;).<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">S\u1eed d\u1ee5ng h\u00e0m b\u0103m (Hashing) y\u1ebfu h\u01a1n, d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng.<\/td>\n<\/tr>\n<tr style=\"background: linear-gradient(180deg, rgba(4,151,252,0.03), rgba(4,151,252,0.00));\">\n<td style=\"padding: 12px 16px; vertical-align: top; font-weight: 600;\">Qu\u1ea3n l\u00fd m\u1eadt kh\u1ea9u<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">M\u1eadt kh\u1ea9u kh\u00f4ng bao gi\u1edd g\u1eedi qua m\u1ea1ng.<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">Hash c\u1ee7a m\u1eadt kh\u1ea9u \u0111\u01b0\u1ee3c g\u1eedi \u0111i (d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng Pass-the-Hash).<\/td>\n<\/tr>\n<tr style=\"background: #ffffff;\">\n<td style=\"padding: 12px 16px; vertical-align: top; font-weight: 600;\">Hi\u1ec7u su\u1ea5t<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">Nhanh h\u01a1n. 
X\u00e1c th\u1ef1c di\u1ec5n ra ch\u1ee7 y\u1ebfu v\u1edbi KDC, Server ch\u1ec9 gi\u1ea3i m\u00e3 v\u00e9.<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">Ch\u1eadm h\u01a1n. Y\u00eau c\u1ea7u b\u1eaft tay 3 b\u01b0\u1edbc (3-way handshake) t\u1ed1n b\u0103ng th\u00f4ng.<\/td>\n<\/tr>\n<tr style=\"background: linear-gradient(180deg, rgba(4,151,252,0.03), rgba(4,151,252,0.00));\">\n<td style=\"padding: 12px 16px; vertical-align: top; font-weight: 600;\">M\u00f4i tr\u01b0\u1eddng<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">M\u1ea1ng m\u1edf, Internet, y\u00eau c\u1ea7u th\u1eddi gian \u0111\u1ed3ng b\u1ed9.<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">M\u1ea1ng n\u1ed9i b\u1ed9 (LAN), ho\u1ea1t \u0111\u1ed9ng t\u1ed1t k\u1ec3 c\u1ea3 khi kh\u00f4ng c\u00f3 KDC.<\/td>\n<\/tr>\n<tr style=\"background: #ffffff;\">\n<td style=\"padding: 12px 16px; vertical-align: top; font-weight: 600;\">C\u1ed5ng ho\u1ea1t \u0111\u1ed9ng<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">Port 88 (TCP\/UDP).<\/td>\n<td style=\"padding: 12px 16px; vertical-align: top;\">C\u00e1c c\u1ed5ng ng\u1eabu nhi\u00ean (Dynamic Ports).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><strong>\u01afu \u0111i\u1ec3m Kerberos<\/strong> v\u01b0\u1ee3t tr\u1ed9i h\u01a1n h\u1eb3n NTLM v\u1ec1 m\u1eb7t b\u1ea3o m\u1eadt. Trong NTLM, n\u1ebfu m\u1ed9t k\u1ebb t\u1ea5n c\u00f4ng ch\u1eb7n \u0111\u01b0\u1ee3c g\u00f3i tin x\u00e1c th\u1ef1c, ch\u00fang c\u00f3 th\u1ec3 th\u1ef1c hi\u1ec7n t\u1ea5n c\u00f4ng Pass-the-Hash \u0111\u1ec3 m\u1ea1o danh ng\u01b0\u1eddi d\u00f9ng m\u00e0 kh\u00f4ng c\u1ea7n bi\u1ebft m\u1eadt kh\u1ea9u g\u1ed1c. 
V\u1edbi Kerberos, vi\u1ec7c n\u00e0y kh\u00f3 kh\u0103n h\u01a1n r\u1ea5t nhi\u1ec1u do c\u00e1c v\u00e9 \u0111\u1ec1u c\u00f3 th\u1eddi h\u1ea1n (timestamp) v\u00e0 \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a b\u1eb1ng kh\u00f3a phi\u00ean (Session Key).<\/p>\n<p>V\u00ec v\u1eady, c\u00e2u tr\u1ea3 l\u1eddi cho <strong>Kerberos vs NTLM<\/strong> lu\u00f4n l\u00e0: H\u00e3y \u01b0u ti\u00ean s\u1eed d\u1ee5ng Kerberos b\u1ea5t c\u1ee9 khi n\u00e0o c\u00f3 th\u1ec3. NTLM ch\u1ec9 n\u00ean l\u00e0 ph\u01b0\u01a1ng \u00e1n d\u1ef1 ph\u00f2ng (fallback) cho c\u00e1c h\u1ec7 th\u1ed1ng qu\u00e1 c\u0169 (Legacy systems) kh\u00f4ng h\u1ed7 tr\u1ee3 chu\u1ea9n m\u1edbi.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Uu-va-Nhuoc-diem-cua-giao-thuc-Kerberos\"><\/span>\u01afu v\u00e0 Nh\u01b0\u1ee3c \u0111i\u1ec3m c\u1ee7a giao th\u1ee9c Kerberos<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>B\u1ea5t k\u1ef3 c\u00f4ng ngh\u1ec7 n\u00e0o c\u0169ng c\u00f3 hai m\u1eb7t. Hi\u1ec3u r\u00f5 <strong>Giao th\u1ee9c Kerberos l\u00e0 g\u00ec<\/strong> \u0111\u1ed3ng ngh\u0129a v\u1edbi vi\u1ec7c b\u1ea1n ph\u1ea3i n\u1eafm \u0111\u01b0\u1ee3c c\u1ea3 \u0111i\u1ec3m m\u1ea1nh v\u00e0 \u0111i\u1ec3m y\u1ebfu c\u1ee7a n\u00f3 \u0111\u1ec3 thi\u1ebft k\u1ebf h\u1ec7 th\u1ed1ng ph\u00f9 h\u1ee3p.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Uu-diem\"><\/span>\u01afu \u0111i\u1ec3m<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>B\u1ea3o m\u1eadt c\u1ea5p cao:<\/strong> Nh\u01b0 \u0111\u00e3 ph\u00e2n t\u00edch, Kerberos s\u1eed d\u1ee5ng m\u00e3 h\u00f3a m\u1ea1nh v\u00e0 kh\u00f4ng bao gi\u1edd truy\u1ec1n m\u1eadt kh\u1ea9u d\u01b0\u1edbi d\u1ea1ng v\u0103n b\u1ea3n thu\u1ea7n (clear text). 
K\u1ebb t\u1ea5n c\u00f4ng nghe l\u00e9n \u0111\u01b0\u1eddng truy\u1ec1n s\u1ebd ch\u1ec9 nh\u1eadn \u0111\u01b0\u1ee3c c\u00e1c g\u00f3i tin m\u00e3 h\u00f3a; tuy nhiên, vé dịch vụ bắt được (hoặc tự xin được) vẫn có thể bị bẻ khóa offline nếu tài khoản dịch vụ dùng mật khẩu yếu, xem phần Kerberoasting bên dưới.<\/li>\n<li><strong>X\u00e1c th\u1ef1c l\u1eabn nhau (Mutual Authentication):<\/strong> Giúp ngăn chặn các cuộc tấn công Man-in-the-Middle (MITM) vì Server cũng phải chứng minh mình giữ đúng khóa dịch vụ (AP-REP). Lưu ý đây là tùy chọn: client phải yêu cầu (cờ MUTUAL-REQUIRED trong AP-REQ) và không phải mọi ứng dụng đều bật mặc định, nên khi triển khai cần kiểm tra ứng dụng có thực sự xác minh Server hay không. Khi được bật, Client bi\u1ebft ch\u1eafc m\u00ecnh \u0111ang giao ti\u1ebfp v\u1edbi \u0111\u00fang Server.<\/li>\n<li><strong>Hi\u1ec7u su\u1ea5t v\u00e0 T\u1ed1c \u0111\u1ed9:<\/strong> Sau khi \u0111\u00e3 c\u00f3 v\u00e9 TGT, Client c\u00f3 th\u1ec3 xin v\u00e9 d\u1ecbch v\u1ee5 r\u1ea5t nhanh. Server kh\u00f4ng c\u1ea7n li\u00ean l\u1ea1c l\u1ea1i v\u1edbi Domain Controller (DC) \u0111\u1ec3 x\u00e1c th\u1ef1c t\u1eebng y\u00eau c\u1ea7u, gi\u00fap gi\u1ea3m t\u1ea3i cho DC trong c\u00e1c h\u1ec7 th\u1ed1ng l\u1edbn.<\/li>\n<li><strong>H\u1ed7 tr\u1ee3 Single Sign-On (SSO):<\/strong> Tr\u1ea3i nghi\u1ec7m ng\u01b0\u1eddi d\u00f9ng \u0111\u01b0\u1ee3c n\u00e2ng cao \u0111\u00e1ng k\u1ec3. 
Nh\u00e2n vi\u00ean t\u1ea1i <strong>InterData<\/strong> hay b\u1ea5t k\u1ef3 doanh nghi\u1ec7p n\u00e0o ch\u1ec9 c\u1ea7n nh\u1edb m\u1ed9t m\u1eadt kh\u1ea9u duy nh\u1ea5t \u0111\u1ec3 truy c\u1eadp v\u00e0o Email, File Server, CRM, v\u00e0 ERP.<\/li>\n<li><strong>Chu\u1ea9n h\u00f3a m\u1edf:<\/strong> M\u1eb7c d\u00f9 Microsoft c\u00f3 phi\u00ean b\u1ea3n ri\u00eang, nh\u01b0ng c\u1ed1t l\u00f5i Kerberos d\u1ef1a tr\u00ean chu\u1ea9n RFC c\u00f4ng khai, cho ph\u00e9p kh\u1ea3 n\u0103ng t\u01b0\u01a1ng t\u00e1c (interoperability) gi\u1eefa c\u00e1c h\u1ec7 \u0111i\u1ec1u h\u00e0nh kh\u00e1c nhau (Windows client x\u00e1c th\u1ef1c v\u1edbi Linux server v\u00e0 ng\u01b0\u1ee3c l\u1ea1i).<\/li>\n<\/ul>\n<figure id=\"attachment_36500\" aria-describedby=\"caption-attachment-36500\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-36500\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Uu-va-Nhuoc-diem-cua-giao-thuc-Kerberos.jpg\" alt=\"\u01afu v\u00e0 Nh\u01b0\u1ee3c \u0111i\u1ec3m c\u1ee7a giao th\u1ee9c Kerberos\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Uu-va-Nhuoc-diem-cua-giao-thuc-Kerberos.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Uu-va-Nhuoc-diem-cua-giao-thuc-Kerberos-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Uu-va-Nhuoc-diem-cua-giao-thuc-Kerberos-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-36500\" class=\"wp-caption-text\">\u01afu v\u00e0 Nh\u01b0\u1ee3c \u0111i\u1ec3m c\u1ee7a giao th\u1ee9c Kerberos<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Nhuoc-diem-Thach-thuc\"><\/span>Nh\u01b0\u1ee3c \u0111i\u1ec3m &amp; Th\u00e1ch th\u1ee9c<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>\u0110i\u1ec3m ch\u1ebft duy nh\u1ea5t (Single Point 
of Failure):<\/strong> Do m\u1ecdi qu\u00e1 tr\u00ecnh x\u00e1c th\u1ef1c \u0111\u1ec1u ph\u1ea3i th\u00f4ng qua KDC, n\u1ebfu KDC g\u1eb7p s\u1ef1 c\u1ed1 (offline, qu\u00e1 t\u1ea3i), to\u00e0n b\u1ed9 h\u1ec7 th\u1ed1ng m\u1ea1ng s\u1ebd b\u1ecb t\u00ea li\u1ec7t. Kh\u00f4ng ai c\u00f3 th\u1ec3 \u0111\u0103ng nh\u1eadp hay truy c\u1eadp t\u00e0i nguy\u00ean.<\/li>\n<li>Gi\u1ea3i ph\u00e1p: C\u00e1c doanh nghi\u1ec7p lu\u00f4n ph\u1ea3i tri\u1ec3n khai \u00edt nh\u1ea5t hai Domain Controller\/KDC \u0111\u1ec3 d\u1ef1 ph\u00f2ng v\u00e0 c\u00e2n b\u1eb1ng t\u1ea3i.<\/li>\n<li><strong>Y\u00eau c\u1ea7u \u0111\u1ed3ng b\u1ed9 th\u1eddi gian (Time Synchronization):<\/strong> \u0110\u00e2y l\u00e0 y\u1ebfu t\u1ed1 s\u1ed1ng c\u00f2n. V\u00e9 Kerberos ch\u1ee9a th\u00f4ng tin th\u1eddi gian (timestamp) \u0111\u1ec3 ch\u1ed1ng t\u1ea5n c\u00f4ng ph\u00e1t l\u1ea1i (Replay Attack). N\u1ebfu \u0111\u1ed3ng h\u1ed3 gi\u1eefa Client, Server v\u00e0 KDC l\u1ec7ch nhau qu\u00e1 m\u1ee9c quy \u0111\u1ecbnh (m\u1eb7c \u0111\u1ecbnh l\u00e0 5 ph\u00fat), qu\u00e1 tr\u00ecnh x\u00e1c th\u1ef1c s\u1ebd th\u1ea5t b\u1ea1i ngay l\u1eadp t\u1ee9c. Giao th\u1ee9c NTP (Network Time Protocol) l\u00e0 b\u1eaft bu\u1ed9c ph\u1ea3i c\u00f3.<\/li>\n<li><strong>Ph\u1ee9c t\u1ea1p trong tri\u1ec3n khai v\u00e0 qu\u1ea3n tr\u1ecb:<\/strong> Vi\u1ec7c c\u1ea5u h\u00ecnh Kerberos \u0111\u00f2i h\u1ecfi ki\u1ebfn th\u1ee9c s\u00e2u. C\u00e1c kh\u00e1i ni\u1ec7m nh\u01b0 SPN (Service Principal Name), Keytab file th\u01b0\u1eddng g\u00e2y kh\u00f3 kh\u0103n cho ng\u01b0\u1eddi m\u1edbi. N\u1ebfu c\u1ea5u h\u00ecnh sai SPN, x\u00e1c th\u1ef1c s\u1ebd r\u01a1i v\u1ec1 NTLM ho\u1eb7c b\u00e1o l\u1ed7i.<\/li>\n<li><strong>Kh\u00f3 kh\u0103n trong m\u00f4i tr\u01b0\u1eddng Internet:<\/strong> Kerberos \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf t\u1ed1i \u01b0u cho m\u1ea1ng n\u1ed9i b\u1ed9 (Intranet) ho\u1eb7c qua VPN. 
Vi\u1ec7c tri\u1ec3n khai Kerberos tr\u1ef1c ti\u1ebfp qua Internet c\u00f4ng c\u1ed9ng g\u1eb7p nhi\u1ec1u tr\u1edf ng\u1ea1i v\u1ec1 t\u01b0\u1eddng l\u1eeda (Firewall) v\u00e0 NAT.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Kerberos-co-the-bi-tan-cong-khong\"><\/span>Kerberos c\u00f3 th\u1ec3 b\u1ecb t\u1ea5n c\u00f4ng kh\u00f4ng?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kerberos, gi\u1ed1ng nh\u01b0 b\u1ea5t k\u1ef3 m\u00f4 h\u00ecnh b\u1ea3o m\u1eadt n\u00e0o kh\u00e1c, kh\u00f4ng th\u1ec3 \u0111\u1ea3m b\u1ea3o an to\u00e0n tuy\u1ec7t \u0111\u1ed1i 100%. V\u00ec Kerberos l\u00e0 giao th\u1ee9c x\u00e1c th\u1ef1c \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng r\u1ed9ng r\u00e3i, tin t\u1eb7c \u0111\u00e3 t\u00ecm ra nhi\u1ec1u c\u00e1ch \u0111\u1ec3 v\u01b0\u1ee3t qua n\u00f3. Ph\u1ea7n l\u1edbn c\u00e1c h\u00ecnh th\u1ee9c t\u1ea5n c\u00f4ng n\u00e0y li\u00ean quan \u0111\u1ebfn vi\u1ec7c đánh cắp hoặc l\u00e0m gi\u1ea3 ticket, s\u1eed d\u1ee5ng m\u00e3 \u0111\u1ed9c h\u1ea1 c\u1ea5p m\u00e3 h\u00f3a v\u00e0 d\u00f2 \u0111o\u00e1n m\u1eadt kh\u1ea9u.<\/p>\n<p>Trong nhi\u1ec1u tr\u01b0\u1eddng h\u1ee3p, tin t\u1eb7c s\u1ebd k\u1ebft h\u1ee3p c\u00e1c ph\u01b0\u01a1ng ph\u00e1p n\u00e0y \u0111\u1ec3 x\u00e2m nh\u1eadp h\u1ec7 th\u1ed1ng. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 nh\u1eefng k\u1ef9 thu\u1eadt t\u1ea5n c\u00f4ng Kerberos ph\u1ed5 bi\u1ebfn nh\u1ea5t.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Pass-the-Ticket\"><\/span>Pass the Ticket<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u1ede ph\u01b0\u01a1ng ph\u00e1p n\u00e0y, kẻ tấn công không cần biết mật khẩu hay hash: chúng đánh cắp vé Kerberos hợp lệ (TGT hoặc Service Ticket) đang lưu trong bộ nhớ của một máy đã bị xâm nhập (tiến trình LSASS trên Windows, credential cache trên Linux\/macOS), rồi nạp vé đó vào phiên của mình trên máy khác để mạo danh người dùng cho đến khi vé hết hạn. Một nhánh nguy hiểm hơn là làm giả vé (forged ticket): 
Tin t\u1eb7c c\u00f3 th\u1ec3 t\u1ea1o ra \u201cgolden ticket\u201d (TGT giả, cần khóa của tài khoản krbtgt) \u0111\u1ec3 chi\u1ebfm quy\u1ec1n truy c\u1eadp to\u00e0n b\u1ed9 domain, ho\u1eb7c \u201csilver ticket\u201d (Service Ticket giả, chỉ cần khóa của tài khoản dịch vụ và không đi qua KDC nên không để lại dấu vết trong log của Domain Controller) \u0111\u1ec3 truy c\u1eadp v\u00e0o m\u1ed9t d\u1ecbch v\u1ee5 c\u1ee5 th\u1ec3.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Tan-cong-Credential-Stuffing-hoac-Brute-Force\"><\/span>T\u1ea5n c\u00f4ng Credential Stuffing ho\u1eb7c Brute Force<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u0110\u00e2y l\u00e0 h\u00ecnh th\u1ee9c t\u1ea5n c\u00f4ng t\u1ef1 \u0111\u1ed9ng, \u0111\u01b0\u1ee3c l\u1eb7p \u0111i l\u1eb7p l\u1ea1i nh\u1eb1m \u0111o\u00e1n m\u1eadt kh\u1ea9u c\u1ee7a ng\u01b0\u1eddi d\u00f9ng. Ph\u1ea7n l\u1edbn c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ki\u1ec3u n\u00e0y s\u1ebd nh\u1eafm v\u00e0o d\u1ecbch v\u1ee5 c\u1ea5p ph\u00e1t ticket (TGS) ho\u1eb7c d\u1ecbch v\u1ee5 c\u1ea5p ticket ban \u0111\u1ea7u (AS). Vì KDC chỉ cấp TGT khi pre-authentication thành công, mỗi lần đoán sai đều được ghi nhận trên Domain Controller và tính vào ngưỡng khóa tài khoản; do đó kẻ tấn công thường dùng password spraying (thử một mật khẩu trên nhiều tài khoản) để tránh bị khóa, còn những tài khoản bị tắt pre-authentication có thể bị AS-REP Roasting (xin AS-REP rồi bẻ khóa offline). Hãy giữ pre-authentication bật cho mọi tài khoản và áp dụng chính sách khóa tài khoản hợp lý.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Ha-cap-ma-hoa-Encryption-Downgrade\"><\/span>H\u1ea1 c\u1ea5p m\u00e3 h\u00f3a (Encryption Downgrade)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Hạ cấp mã hóa là việc ép KDC hoặc các bên dùng kiểu mã hóa yếu hơn (điển hình là RC4-HMAC thay vì AES) để vé dễ bị bẻ khóa hơn hoặc để dùng thẳng NT hash làm khóa. Ví dụ nổi tiếng là mã độc \u201cskeleton key\u201d &#8211; malware vá tiến trình LSASS trên Domain Controller để chấp nhận thêm một mật khẩu chủ cho mọi tài khoản; nó chỉ triển khai được khi kẻ tấn công đã có quyền quản trị (admin access) trên DC và sẽ mất tác dụng khi DC khởi động lại. Biện pháp phòng ngừa là vô hiệu hóa RC4, chỉ cho phép AES cho tài khoản và dịch vụ, và bảo vệ LSASS trên DC.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Tan-cong-DC-Shadow\"><\/span>T\u1ea5n c\u00f4ng DC Shadow<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Cu\u1ed9c t\u1ea5n c\u00f4ng n\u00e0y x\u1ea3y ra khi tin t\u1eb7c chi\u1ebfm \u0111\u01b0\u1ee3c quy\u1ec1n c\u1ea7n thi\u1ebft (thường là quyền Domain Admin) \u0111\u1ec3 đăng ký m\u1ed9t Domain Controller (DC) gi\u1ea3 m\u1ea1o và đẩy các thay đổi độc hại vào Active Directory qua cơ chế nhân bản (replication), nên chúng không xuất hiện trong log chỉnh sửa thông thường. 
DC n\u00e0y sau \u0111\u00f3 \u0111\u01b0\u1ee3c d\u00f9ng \u0111\u1ec3 ti\u1ebfp t\u1ee5c x\u00e2m nh\u1eadp s\u00e2u h\u01a1n v\u00e0o h\u1ec7 th\u1ed1ng.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Ung-dung-cua-Kerberos-trong-thuc-te\"><\/span>\u1ee8ng d\u1ee5ng c\u1ee7a Kerberos trong th\u1ef1c t\u1ebf<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Kerberos \u0111\u01b0\u1ee3c tri\u1ec3n khai r\u1ed9ng r\u00e3i trong nhi\u1ec1u h\u1ec7 th\u1ed1ng v\u00e0 n\u1ec1n t\u1ea3ng kh\u00e1c nhau, c\u1ee5 th\u1ec3 nh\u01b0 sau:<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kerberos-trong-he-dieu-hanh\"><\/span>Kerberos trong h\u1ec7 \u0111i\u1ec1u h\u00e0nh<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kerberos \u0111\u01b0\u1ee3c t\u00edch h\u1ee3p s\u1eb5n trong c\u00e1c h\u1ec7 \u0111i\u1ec1u h\u00e0nh ph\u1ed5 bi\u1ebfn nh\u01b0 Windows, Linux v\u00e0 macOS. Nh\u1edd \u0111\u00f3, ng\u01b0\u1eddi d\u00f9ng c\u00f3 th\u1ec3 d\u00f9ng ch\u00ednh t\u00e0i kho\u1ea3n \u0111\u0103ng nh\u1eadp c\u1ee7a m\u00ecnh \u0111\u1ec3 truy c\u1eadp c\u00e1c t\u00e0i nguy\u00ean m\u1ea1ng th\u00f4ng qua c\u01a1 ch\u1ebf x\u00e1c th\u1ef1c c\u1ee7a Kerberos.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kerberos-trong-ung-dung-may-chu\"><\/span>Kerberos trong \u1ee9ng d\u1ee5ng m\u00e1y ch\u1ee7<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Nhi\u1ec1u \u1ee9ng d\u1ee5ng m\u00e1y ch\u1ee7 nh\u01b0 Apache ho\u1eb7c MySQL c\u00f3 th\u1ec3 t\u00edch h\u1ee3p Kerberos \u0111\u1ec3 th\u1ef1c hi\u1ec7n x\u00e1c th\u1ef1c ng\u01b0\u1eddi d\u00f9ng v\u00e0 t\u0103ng c\u01b0\u1eddng b\u1ea3o m\u1eadt d\u1eef li\u1ec7u.<\/p>\n<figure id=\"attachment_36501\" aria-describedby=\"caption-attachment-36501\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-36501\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Ung-dung-cua-Kerberos-trong-thuc-te.jpg\" alt=\"\u1ee8ng d\u1ee5ng c\u1ee7a 
Kerberos trong th\u1ef1c t\u1ebf\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Ung-dung-cua-Kerberos-trong-thuc-te.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Ung-dung-cua-Kerberos-trong-thuc-te-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2025\/12\/Ung-dung-cua-Kerberos-trong-thuc-te-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-36501\" class=\"wp-caption-text\">\u1ee8ng d\u1ee5ng c\u1ee7a Kerberos trong th\u1ef1c t\u1ebf<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Kerberos-trong-ung-dung-email\"><\/span>Kerberos trong \u1ee9ng d\u1ee5ng email<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>C\u00e1c n\u1ec1n t\u1ea3ng email nh\u01b0 Microsoft Exchange v\u00e0 Lotus Notes c\u0169ng s\u1eed d\u1ee5ng Kerberos \u0111\u1ec3 x\u00e1c th\u1ef1c ng\u01b0\u1eddi d\u00f9ng v\u00e0 \u0111\u1ea3m b\u1ea3o an to\u00e0n cho th\u00f4ng tin trao \u0111\u1ed5i qua email.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kerberos-trong-ung-dung-web\"><\/span>Kerberos trong \u1ee9ng d\u1ee5ng web<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>M\u1ed9t s\u1ed1 \u1ee9ng d\u1ee5ng web nh\u01b0 WordPress hay Drupal h\u1ed7 tr\u1ee3 Kerberos nh\u1eb1m x\u00e1c th\u1ef1c ng\u01b0\u1eddi d\u00f9ng v\u00e0 b\u1ea3o v\u1ec7 d\u1eef li\u1ec7u tr\u00ean h\u1ec7 th\u1ed1ng web.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kerberos-trong-he-thong-luu-tru\"><\/span>Kerberos trong h\u1ec7 th\u1ed1ng l\u01b0u tr\u1eef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Kerberos c\u00f2n \u0111\u01b0\u1ee3c \u1ee9ng d\u1ee5ng trong h\u1ec7 th\u1ed1ng l\u01b0u tr\u1eef, \u0111i\u1ec3n h\u00ecnh nh\u01b0 NFS (Network File System), h\u1ed7 tr\u1ee3 x\u00e1c th\u1ef1c ng\u01b0\u1eddi d\u00f9ng v\u00e0 b\u1ea3o m\u1eadt d\u1eef li\u1ec7u truy c\u1eadp.<\/p>\n<h2><span class=\"ez-toc-section\" 
id=\"Tuong-lai-cua-giao-thuc-Kerberos\"><\/span>T\u01b0\u01a1ng lai c\u1ee7a giao th\u1ee9c Kerberos<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Hi\u1ec7n nay, Kerberos v\u1eabn \u0111\u01b0\u1ee3c tri\u1ec3n khai r\u1ed9ng r\u00e3i trong nhi\u1ec1u h\u1ec7 th\u1ed1ng doanh nghi\u1ec7p nh\u1edd kh\u1ea3 n\u0103ng b\u1ea3o m\u1eadt t\u1ed1t v\u00e0 t\u00ednh \u1ed5n \u0111\u1ecbnh. Tuy nhi\u00ean, s\u1ef1 xu\u1ea5t hi\u1ec7n c\u1ee7a nh\u1eefng c\u00f4ng ngh\u1ec7 m\u1edbi nh\u01b0 x\u00e1c th\u1ef1c kh\u00f4ng m\u1eadt kh\u1ea9u (passwordless authentication), blockchain hay c\u00e1c giao th\u1ee9c b\u1ea3o m\u1eadt hi\u1ec7n \u0111\u1ea1i \u0111ang t\u1ea1o ra nh\u1eefng th\u00e1ch th\u1ee9c nh\u1ea5t \u0111\u1ecbnh cho Kerberos.<\/p>\n<p>M\u1eb7c d\u00f9 v\u1eady, v\u00ec \u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng t\u1eeb l\u00e2u v\u00e0 v\u1eabn \u0111\u01b0\u1ee3c duy tr\u00ec \u0111\u1ec1u \u0111\u1eb7n, Kerberos nhi\u1ec1u kh\u1ea3 n\u0103ng s\u1ebd ti\u1ebfp t\u1ee5c t\u1ed3n t\u1ea1i song song v\u1edbi c\u00e1c gi\u1ea3i ph\u00e1p b\u1ea3o m\u1eadt m\u1edbi, thay v\u00ec b\u1ecb thay th\u1ebf ho\u00e0n to\u00e0n trong m\u1ed9t s\u1edbm m\u1ed9t chi\u1ec1u.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Kerberos-co-an-toan-khong-Rui-ro-bao-mat-can-luu-y\"><\/span>Kerberos c\u00f3 an to\u00e0n kh\u00f4ng? R\u1ee7i ro b\u1ea3o m\u1eadt c\u1ea7n l\u01b0u \u00fd<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>M\u1eb7c d\u00f9 <strong>giao th\u1ee9c Kerberos<\/strong>\u00a0th\u01b0\u1eddng \u0111i k\u00e8m v\u1edbi c\u1ee5m t\u1eeb &#8220;b\u1ea3o m\u1eadt cao&#8221;, nh\u01b0ng kh\u00f4ng c\u00f3 h\u1ec7 th\u1ed1ng n\u00e0o l\u00e0 b\u1ea5t kh\u1ea3 x\u00e2m ph\u1ea1m. 
K\u1ebb t\u1ea5n c\u00f4ng ng\u00e0y c\u00e0ng tinh vi v\u00e0 \u0111\u00e3 ph\u00e1t tri\u1ec3n c\u00e1c k\u1ef9 thu\u1eadt nh\u1eafm tr\u1ef1c ti\u1ebfp v\u00e0o Kerberos.<\/p>\n<p>D\u01b0\u1edbi \u0111\u00e2y l\u00e0 c\u00e1c <strong>t\u1ea5n c\u00f4ng Kerberos<\/strong> n\u1ed5i ti\u1ebfng m\u00e0 c\u00e1c chuy\u00ean gia b\u1ea3o m\u1eadt t\u1ea1i <strong>InterData<\/strong> lu\u00f4n c\u1ea3nh b\u00e1o kh\u00e1ch h\u00e0ng:<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kerberoasting\"><\/span>Kerberoasting<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><strong>Kerberoasting<\/strong> l\u00e0 m\u1ed9t k\u1ef9 thu\u1eadt t\u1ea5n c\u00f4ng cho ph\u00e9p hacker tr\u00edch xu\u1ea5t m\u1eadt kh\u1ea9u c\u1ee7a c\u00e1c t\u00e0i kho\u1ea3n d\u1ecbch v\u1ee5 (Service Account) trong Active Directory, cụ thể là những tài khoản có đăng ký SPN.<\/p>\n<ul>\n<li>C\u01a1 ch\u1ebf: B\u1ea5t k\u1ef3 ng\u01b0\u1eddi d\u00f9ng h\u1ee3p l\u1ec7 n\u00e0o c\u0169ng c\u00f3 th\u1ec3 y\u00eau c\u1ea7u m\u1ed9t v\u00e9 d\u1ecbch v\u1ee5 (Service Ticket) cho bất kỳ SPN nào trong domain, kể cả khi họ không có quyền dùng dịch vụ đó, vì KDC không kiểm tra quyền truy cập khi cấp vé. KDC s\u1ebd tr\u1ea3 v\u1ec1 v\u00e9 \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a b\u1eb1ng khóa dẫn xuất từ m\u1eadt kh\u1ea9u c\u1ee7a t\u00e0i kho\u1ea3n ch\u1ea1y d\u1ecbch v\u1ee5 \u0111\u00f3 (với RC4-HMAC, khóa này chính là NT hash).<\/li>\n<li>Khai th\u00e1c: Hacker y\u00eau c\u1ea7u v\u00e9 (thường cố tình yêu cầu kiểu mã hóa RC4 vì bẻ khóa nhanh hơn AES rất nhiều), mang v\u00e9 \u0111\u00f3 v\u1ec1 m\u00e1y c\u00e1 nh\u00e2n v\u00e0 d\u00f9ng c\u00f4ng c\u1ee5 offline (nh\u01b0 Hashcat) \u0111\u1ec3 d\u00f2 t\u00ecm m\u1eadt kh\u1ea9u (Brute-force). Toàn bộ quá trình bẻ khóa diễn ra ngoài mạng nên không gây khóa tài khoản và không tạo log đăng nhập thất bại. N\u1ebfu t\u00e0i kho\u1ea3n d\u1ecbch v\u1ee5 \u0111\u1eb7t m\u1eadt kh\u1ea9u y\u1ebfu, hacker s\u1ebd t\u00ecm ra m\u1eadt kh\u1ea9u trong th\u1eddi gian ng\u1eafn.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Golden-Ticket-Attack\"><\/span>Golden Ticket Attack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u0110\u00e2y l\u00e0 c\u01a1n \u00e1c m\u1ed9ng c\u1ee7a m\u1ecdi qu\u1ea3n tr\u1ecb vi\u00ean. 
N\u1ebfu hacker lấy được khóa (NT hash hoặc khóa AES) của t\u00e0i kho\u1ea3n <strong>KRBTGT<\/strong> (tài khoản mà KDC dùng khóa của nó để mã hóa và ký mọi TGT trong domain) &#8211; thường qua DCSync hoặc dump file NTDS.dit, tức là đã phải có quyền Domain Admin từ trước &#8211; ch\u00fang c\u00f3 th\u1ec3 tự t\u1ea1o ra m\u1ed9t <strong>Golden Ticket<\/strong> (TGT giả) mà không cần KDC cấp.<\/p>\n<ul>\n<li>V\u00e9 v\u00e0ng n\u00e0y c\u00f3 quy\u1ec1n l\u1ef1c t\u1ed1i th\u01b0\u1ee3ng, cho ph\u00e9p hacker truy c\u1eadp v\u00e0o b\u1ea5t k\u1ef3 t\u00e0i nguy\u00ean n\u00e0o, d\u01b0\u1edbi danh ngh\u0129a b\u1ea5t k\u1ef3 ai (k\u1ec3 c\u1ea3 Domain Admin), v\u00e0 v\u00e9 n\u00e0y c\u00f3 th\u1ec3 c\u00f3 h\u1ea1n d\u00f9ng l\u00ean t\u1edbi&#8230; 10 n\u0103m, vượt xa thời hạn vé tối đa mà chính sách domain quy định.<\/li>\n<li>Nguy hi\u1ec3m h\u01a1n, k\u1ec3 c\u1ea3 khi b\u1ea1n \u0111\u1ed5i m\u1eadt kh\u1ea9u ng\u01b0\u1eddi d\u00f9ng, Golden Ticket v\u1eabn c\u00f3 hi\u1ec7u l\u1ef1c; vé chỉ mất hiệu lực khi mật khẩu krbtgt được đặt lại hai lần, vì KDC vẫn chấp nhận vé mã hóa bằng khóa ngay trước đó.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Cach-bao-ve-he-thong-Kerberos\"><\/span>C\u00e1ch b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng Kerberos<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol>\n<li><strong>M\u1eadt kh\u1ea9u m\u1ea1nh:<\/strong> \u0110\u1eb7t m\u1eadt kh\u1ea9u d\u00e0i v\u00e0 ph\u1ee9c t\u1ea1p cho c\u00e1c t\u00e0i kho\u1ea3n d\u1ecbch v\u1ee5 \u0111\u1ec3 ch\u1ed1ng Kerberoasting (tối thiểu 25 ký tự), tốt nhất là dùng Group Managed Service Account (gMSA) để mật khẩu được tự sinh và tự xoay; đồng thời cấu hình các tài khoản này chỉ hỗ trợ AES và tắt RC4.<\/li>\n<li><strong>B\u1ea3o v\u1ec7 t\u00e0i kho\u1ea3n KRBTGT:<\/strong> Thay \u0111\u1ed5i m\u1eadt kh\u1ea9u t\u00e0i kho\u1ea3n KRBTGT \u0111\u1ecbnh k\u1ef3 (Microsoft khuy\u1ebfn ngh\u1ecb 180 ng\u00e0y\/l\u1ea7n); mỗi lần đổi phải đổi hai lần, cách nhau ít nhất một chu kỳ nhân bản (replication) của AD, thì vé làm bằng khóa cũ mới thực sự bị vô hiệu. Sau sự cố, việc đặt lại khóa krbtgt chỉ có ý nghĩa khi kẻ tấn công đã bị loại khỏi mọi điểm đứng chân, nếu không chúng sẽ lấy lại được khóa mới.<\/li>\n<li><strong>Gi\u00e1m s\u00e1t:<\/strong> Theo d\u00f5i log h\u1ec7 th\u1ed1ng \u0111\u1ec3 ph\u00e1t hi\u1ec7n c\u00e1c h\u00e0nh vi b\u1ea5t th\u01b0\u1eddng nh\u01b0 y\u00eau c\u1ea7u v\u00e9 s\u1ed1 l\u01b0\u1ee3ng l\u1edbn ho\u1eb7c v\u00e9 c\u00f3 th\u1eddi h\u1ea1n b\u1ea5t th\u01b0\u1eddng. Ví dụ trên Windows: hàng loạt sự kiện 4769 (yêu cầu Service Ticket) với kiểu mã hóa RC4 (0x17) từ cùng một máy trạm là dấu hiệu Kerberoasting; vé có thời hạn dài bất thường hoặc mang tên người dùng không tồn tại trong AD là dấu hiệu Golden Ticket.<\/li>\n<li><strong>Privileged Access Management (PAM):<\/strong> H\u1ea1n ch\u1ebf quy\u1ec1n h\u1ea1n c\u1ee7a c\u00e1c t\u00e0i kho\u1ea3n qu\u1ea3n tr\u1ecb, đặc biệt là ai có quyền nhân bản thư mục (DCSync) và ai được phép đăng nhập lên Domain Controller.<\/li>\n<\/ol>\n<p>Trong k\u1ef7 nguy\u00ean s\u1ed1 h\u00f3a hi\u1ec7n nay, Kerberos \u0111\u00f3ng vai tr\u00f2 
nh\u01b0 m\u1ed9t &#8220;ng\u01b0\u1eddi g\u00e1c c\u1ed5ng&#8221; trung th\u00e0nh v\u00e0 m\u1eabn c\u00e1n, xác minh danh tính của mọi kết nối trong doanh nghiệp của bạn. Cần lưu ý Kerberos chỉ giải quyết khâu xác thực; dữ liệu ứng dụng trao đổi sau đó có được bảo vệ toàn vẹn và mã hóa hay không phụ thuộc vào giao thức ứng dụng (ví dụ SMB signing\/encryption, LDAP signing hay GSSAPI ở chế độ privacy). D\u00f9 v\u1eabn t\u1ed3n t\u1ea1i nh\u1eefng th\u00e1ch th\u1ee9c nh\u01b0 \u0111\u1ed3ng b\u1ed9 th\u1eddi gian hay r\u1ee7i ro t\u1ea5n c\u00f4ng Golden Ticket, nh\u01b0ng n\u1ebfu \u0111\u01b0\u1ee3c c\u1ea5u h\u00ecnh \u0111\u00fang c\u00e1ch v\u00e0 gi\u00e1m s\u00e1t ch\u1eb7t ch\u1ebd, Kerberos v\u1eabn l\u00e0 ti\u00eau chu\u1ea9n v\u00e0ng kh\u00f4ng th\u1ec3 thay th\u1ebf so v\u1edbi c\u00e1c giao th\u1ee9c c\u0169 nh\u01b0 NTLM.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trong c\u00e1c h\u1ec7 th\u1ed1ng doanh nghi\u1ec7p, vi\u1ec7c \u0111\u1ea3m b\u1ea3o ng\u01b0\u1eddi d\u00f9ng \u0111\u0103ng nh\u1eadp \u0111\u00fang danh t\u00ednh v\u00e0 d\u1eef li\u1ec7u \u0111\u01b0\u1ee3c truy\u1ec1n \u0111i an to\u00e0n l\u00e0 y\u1ebfu t\u1ed1 s\u1ed1ng c\u00f2n. 
\u0110\u00e2y c\u0169ng l\u00e0 l\u00fd do giao th\u1ee9c Kerberos tr\u1edf th\u00e0nh l\u1ef1a ch\u1ecdn m\u1eb7c \u0111\u1ecbnh trong nhi\u1ec1u n\u1ec1n t\u1ea3ng hi\u1ec7n \u0111\u1ea1i, t\u1eeb Windows Server, Linux, \u0111\u1ebfn h\u1ec7<\/p>\n","protected":false},"author":11,"featured_media":36502,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[151],"tags":[],"class_list":["post-36483","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mang"],"_links":{"self":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/36483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/comments?post=36483"}],"version-history":[{"count":2,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/36483\/revisions"}],"predecessor-version":[{"id":36504,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/36483\/revisions\/36504"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media\/36502"}],"wp:attachment":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media?parent=36483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/categories?post=36483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/tags?post=36483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}