Channel: Directory Services forum

User Key Validation during Authentication Process


Hello Friends,

I need clarity on how the user key is validated during the logon process. I have copied the 2 paragraphs below from a link and I need some visibility based on them. I have three questions based on this. Please help me understand by answering the three questions at the bottom.

Reference link: https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx

A user key is derived from a password. LSA converts the plaintext password to a cryptographic key by passing the text of the password through a cryptographic function. The result of the cryptographic function is the user key.

Now LSA saves the user key in the user credentials cache, where it can be retrieved later if required.

The KDC gets its copy of the user key from the user's record in its account database. When it receives a request from the Kerberos client on the user's workstation, the KDC searches its database for the user, pulls up the account record, and takes the user key from a field in the record.

This process—computing one copy of the key from a password, fetching another copy of the key from a database—actually takes place only once, when a user initially logs on to the network. Immediately after accepting the user's password and deriving the user's long-term key, the Kerberos client on the workstation requests a service ticket and TGS session key that it can use in subsequent transactions with the KDC during this logon session.

The KDC decrypts the pre-authentication data and evaluates the timestamp inside. If the timestamp passes the test, the KDC can be assured that the pre-authentication data was encrypted with the user key and thus verify that the user is genuine.

After it has verified the user's identity, the KDC creates credentials that the Kerberos client on the workstation can present to the ticket-granting service. For more information about how domain controllers create credentials in a Windows environment,

Question 1. The user key received from the Kerberos client is validated/compared with the user key in the KDC database. Does it mean that every time the password is passed through the cryptographic function, the same user key is generated?

Question 2. If the same user key is not generated every time, then how is the user key from the Kerberos client validated against the KDC database?

Question 3. If the same user key is derived every time the password is passed through the cryptographic function, then can the user key be easily tracked and used in the next user authentication process?
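The exchange the quoted TechNet paragraphs describe, as an added example in Python that is not part of the original post or of Microsoft's documentation. It models both sides: the workstation derives the user key from the password once (string_to_key, which follows the PBKDF2-HMAC-SHA1 first stage of the RFC 3962 AES string-to-key function and omits the final AES-based derivation step), encrypts a timestamp with that key, and the KDC decrypts it with its stored copy of the same key and evaluates the timestamp. The cipher is an HMAC-SHA256 encrypt-then-MAC stand-in for the real Kerberos encryption type; the realm, principal, password and clock values are constructed; and the replay cache in the toy KDC is an addition of this model, not something the quoted text describes.

```python
import hashlib
import hmac
import os
import struct
import time

# Kerberos AES string-to-key (RFC 3962) begins with PBKDF2-HMAC-SHA1 over the
# password, salted with the realm name followed by the principal name, 4096
# iterations by default.  The real enctype applies one further AES-based
# derivation step (DK) to that output; this model stops at the PBKDF2 result,
# which already shows the point: the key is a deterministic function of the
# password and salt, with no randomness involved.  (RC4-HMAC, the older
# Windows enctype, is even simpler: the key is MD4 of the UTF-16LE password.)
STRING_TO_KEY_ITERATIONS = 4096
MAX_CLOCK_SKEW = 300  # seconds; the usual Kerberos default


def string_to_key(password, realm, principal):
    """Derive the user's long-term key from the password (model of RFC 3962 stage 1)."""
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               STRING_TO_KEY_ITERATIONS, dklen=32)


# Stand-in for the Kerberos encryption type.  Real Kerberos uses AES-CTS with an
# HMAC-SHA1 checksum; to stay within the standard library this model uses
# encrypt-then-MAC built from HMAC-SHA256 (counter-mode keystream under one
# subkey, tag under another).  What matters is the same: the wrong key fails.
def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(k_enc, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag.  A fresh nonce makes every blob differ."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag, then recover the plaintext; raise ValueError on a key mismatch."""
    if len(blob) < 48:
        raise ValueError("malformed pre-authentication data")
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


class Workstation:
    """The LSA / Kerberos client side."""
    def __init__(self, realm, principal, password):
        self.realm, self.principal = realm, principal
        # Derived once at logon from the typed password and kept in the
        # credential cache; the password itself is not needed afterwards.
        self.user_key = string_to_key(password, realm, principal)

    def build_pa_enc_timestamp(self, now=None):
        """PA-ENC-TIMESTAMP: the current time encrypted under the user key."""
        now = int(time.time()) if now is None else now
        return encrypt(self.user_key, struct.pack(">Q", now))


class KDC:
    def __init__(self, realm):
        self.realm = realm
        self.accounts = {}  # principal -> stored user key (the account database)
        self.seen = set()   # replay cache: an addition of this model

    def enroll(self, principal, password):
        # Same derivation as the client; only the key is stored, never the password.
        self.accounts[principal] = string_to_key(password, self.realm, principal)

    def verify_preauth(self, principal, pa_data, now=None):
        now = int(time.time()) if now is None else now
        key = self.accounts.get(principal)
        if key is None:
            return False, "unknown principal"
        try:
            (ts,) = struct.unpack(">Q", decrypt(key, pa_data))
        except (ValueError, struct.error):
            return False, "pre-authentication failed: key mismatch"
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return False, "timestamp outside the allowed clock skew"
        if pa_data in self.seen:
            return False, "replayed pre-authentication data"
        self.seen.add(pa_data)
        return True, "ok"


def run_scenarios():
    """Walk the situations the three questions ask about; returns the outcomes."""
    realm, user, password = "EXAMPLE.COM", "alice", "correct horse battery staple"  # constructed
    kdc = KDC(realm)
    kdc.enroll(user, password)
    ws = Workstation(realm, user, password)
    impostor = Workstation(realm, user, "wrong password")
    t0 = 1_700_000_000  # fixed clock so the scenarios are reproducible
    pa1 = ws.build_pa_enc_timestamp(now=t0)
    pa2 = ws.build_pa_enc_timestamp(now=t0)
    return {
        "keys_match": ws.user_key == kdc.accounts[user],
        "wire_blobs_differ": pa1 != pa2,
        "fresh_accepted": kdc.verify_preauth(user, pa1, now=t0 + 5),
        "replay_rejected": kdc.verify_preauth(user, pa1, now=t0 + 10),
        "stale_rejected": kdc.verify_preauth(user, pa2, now=t0 + MAX_CLOCK_SKEW + 1),
        "wrong_key_rejected": kdc.verify_preauth(user, impostor.build_pa_enc_timestamp(now=t0), now=t0),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running run_scenarios() shows that both sides compute an identical key from the same password and salt, that the key itself never appears on the wire, that each PA-ENC-TIMESTAMP blob still differs because of the fresh nonce, and that a captured blob resent later is rejected by the toy KDC twice over: as a replay inside the skew window and as stale outside it.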

