Kerberos Authentication - PowerPoint PPT Presentation



Presentation Transcript


Kerberos Authentication

Kerberos

  • Requires a shared secret (long-term key) between each principal and the KDC (with PKINIT the client's long-term key is replaced by a public-key pair; services still share a key with the KDC)

  • A fresh shared session key is established for each client/service pair

  • Time synchronization is needed: authenticators carry timestamps and are rejected outside the permitted clock skew

  • Mutual authentication: the service proves it holds its own key by replying under the session key

  • Credentials (ticket plus session key) allow impersonation: whoever holds them can act as the principal, which is what makes delegation possible and why they must be protected


Authorization

  • How does the authentication mechanism fit into the authorization topology?

  • Authorization based on the authenticated identity (a mapping from Kerberos principal to local identity may be needed)

  • Authorization carried inside the authentication messages (Kerberos authorization data in the ticket)

  • What are authorization messages bound to?
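The bullets of the two slides above, worked through as an added example that is not from the slides: a toy Kerberos AS/TGS/AP exchange in Python. The crypto is a stdlib stand-in (SHA-256 keystream plus HMAC) for the real RFC 3961 encryption types, and the realm, principal names, keys, the 8-hour ticket lifetime and the layout of the authorization data are assumptions for the demo. The service checks the authenticator's timestamp against its own clock (why time synchronization is needed), keeps a replay cache, and answers with an AP-REP (mutual authentication); the KDC copies the authorization data it asserted at AS time into the service ticket (authorization within authentication messages), and the client-side helper shows which secrets must be held at each step (which is what makes the credentials impersonable).

```python
"""Toy Kerberos: AS, TGS and AP exchanges with timestamped authenticators,
clock-skew and replay checks, mutual authentication and authorization data
inside the ticket.  Stand-in crypto from SHA-256/HMAC (stdlib only), not
the RFC 3961 types; names, keys and authz layout are assumed for the demo."""
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock skew a server tolerates (MIT krb5 default)

def _stream(key, nonce, n):
    """Keystream of at least n bytes derived from key and nonce."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Encrypt-then-MAC a JSON-encodable object: nonce || ct || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Check the tag, then decrypt; ValueError if the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class Kdc:
    """Holds every principal's long-term key (the shared secret of the first
    bullet) and issues tickets sealed under the target service's key."""
    def __init__(self, keys):
        self.keys, self.tgs = keys, "krbtgt/EXAMPLE.ORG"

    def _ticket(self, client, service, authz, now):
        sk = os.urandom(32)                       # fresh session key
        body = {"client": client, "service": service, "key": sk.hex(),
                "authz": authz, "start": now, "end": now + 8 * 3600}
        return seal(self.keys[service], body), sk

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: TGT plus its session key under the client's long-term
        key (PKINIT would use the client's certificate here).  The KDC also
        asserts authorization data that rides inside the ticket."""
        tgt, sk = self._ticket(client, self.tgs, {"groups": ["staff"]}, now)
        return tgt, seal(self.keys[client], {"key": sk.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: open the TGT, check the authenticator, copy the
        authorization data into the new service ticket."""
        t = unseal(self.keys[self.tgs], tgt)
        tgt_sk = bytes.fromhex(t["key"])
        a = unseal(tgt_sk, authenticator)
        if a["client"] != t["client"] or abs(a["ts"] - now) > SKEW:
            raise PermissionError("bad authenticator")
        st, sk = self._ticket(t["client"], service, t["authz"], now)
        return st, seal(tgt_sk, {"key": sk.hex()})

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay = name, key, set()

    def ap_exchange(self, ticket, authenticator, now):
        """AP-REQ: the ticket opens only with our key, so its contents are
        trusted; the authenticator opens only with the ticket's session key,
        so its sender holds that key.  Returns (client, authz, AP-REP)."""
        t = unseal(self.key, ticket)
        if not t["start"] <= now <= t["end"]:
            raise PermissionError("ticket expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(a["ts"] - now) > SKEW:            # why clocks must be in sync
            raise PermissionError("clock skew too large")
        if (a["client"], a["ts"]) in self.replay:
            raise PermissionError("replayed authenticator")
        self.replay.add((a["client"], a["ts"]))
        # AP-REP: echoing ts under the session key = mutual authentication
        return t["client"], t["authz"], seal(sk, {"ts": a["ts"]})

def client_session(kdc, service, client_key, client="alice@EXAMPLE.ORG",
                   now=None, service_skew=0):
    """Whole exchange from the client side; service_skew models a service
    clock that is off by that many seconds.  Returns (client, authz)."""
    now = int(time.time()) if now is None else now
    tgt, rep = kdc.as_exchange(client, now)
    tgt_sk = bytes.fromhex(unseal(client_key, rep)["key"])   # needs the shared secret
    st, rep = kdc.tgs_exchange(tgt, seal(tgt_sk, {"client": client, "ts": now}),
                               service.name, now)
    sk = bytes.fromhex(unseal(tgt_sk, rep)["key"])
    # Anyone holding st and sk can act as the client (what KRB_CRED forwards)
    who, authz, ap_rep = service.ap_exchange(
        st, seal(sk, {"client": client, "ts": now}), now + service_skew)
    if unseal(sk, ap_rep)["ts"] != now:
        raise PermissionError("service failed mutual authentication")
    return who, authz
```

Build a `Kdc` with a key for the client, for `krbtgt/EXAMPLE.ORG` and for the service, construct the `Service` with the same service key, and call `client_session` once; a second call with the same `now` trips the replay cache, `service_skew=600` trips the skew check, and a wrong client key fails already at the AS-REP because the shared secret is what opens it.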


Kerberos with Pull Model 1

[Diagram not reproduced. Participants: User, User Org KDC, User Org AAA Server, Application. Labelled messages: TGT and AST (user and KDC); AST, Auth (user to application); ID and AM over a Secure Channel (application and the User Org AAA server, i.e. the application pulls the authorization); OK (application to user).]

  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • AST: Application Service Ticket
  • ID: Authenticate Identity
  • AM: Message Authorizing Application by User Org


Kerberos with Pull Model 2

[Diagram not reproduced. Participants: User, User Org KDC, User Org Authorization Server, Application. Labelled messages: TGT, UOST and AST (KDC exchanges); AST, (TGTkey), TGT and ASTAuth (user to application: the user forwards the TGT together with its key, so the application can obtain a UOST and act on the user's behalf); UOST with UOSTAuth, then AM (application and the User Org Authorization Server); OK (application to user).]

  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • TGTKey: TGT session key encrypted with the AST session key (KRB_CRED)
  • UOST: User Org Authorization Server Service Ticket
  • AST: Application Service Ticket
  • AM: Message Authorizing Application by User Org


Kerberos with Pull Model 3

[Diagram not reproduced. Participants: User, User Org KDC, User Org Authorization Server, Application. Labelled messages: TGT and UOST (user and KDC); UOST, Auth (user to application); UOST, Auth and AM over a Secure Channel (application and the User Org Authorization Server); OK (application to user).]

  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • UOST: User Org Authorization Server Service Ticket
  • Auth: Authenticator encrypted with session key
  • AM: Message Authorizing Application by User Org


Push Example

[Diagram not reproduced. Participants: User, User Org KDC, User Org Authorization Server, Application. Labelled messages: TGT, UOST and AST (user and KDC); UOST (user to authorization server) and CERT (authorization server to user); CERT, AST (user to application); OK (application to user).]

  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • UOST: User Org Authorization Server Service Ticket
  • CERT: Authorization for user signed by User Org / Bind to user principal or ????
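One concrete answer to the binding question on the CERT line, as an added example that is not from the slides: the user org's authorization server signs a statement over the subject principal, the target application, the granted rights and a validity window; the application verifies the signature and accepts the rights only for the principal that Kerberos has already authenticated (the client name from the AST it opened with its own key), and only for itself, so a CERT cannot be replayed by another user or against another application. HMAC under a key assumed to be shared between the org and the application stands in for the org's signature; the field names, the audience binding and the one-hour lifetime are assumptions for the demo.

```python
"""Push-model authorization statement (the slide's CERT): issued by the user
org's authorization server, carried by the user, checked by the application.
Added example; HMAC under ORG_KEY stands in for the org's signature and the
field names are assumed."""
import hmac, json

ORG_KEY = b"user-org-authorization-signing-key"   # assumed shared with the app

def issue_cert(principal, service, rights, now, ttl=3600, key=ORG_KEY):
    """Authorization-server side: sign (subject, audience, rights, validity)."""
    body = {"iss": "USER.ORG", "sub": principal, "aud": service,
            "rights": sorted(rights), "nbf": now, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload + b"." + hmac.new(key, payload, "sha256").hexdigest().encode()

def verify_cert(cert, authenticated_principal, service, now, key=ORG_KEY):
    """Application side.  authenticated_principal is the client name from the
    AST the application opened with its own key, never taken from the CERT:
    the CERT only attaches rights to an identity Kerberos already proved."""
    payload, _, sig = cert.rpartition(b".")
    expected = hmac.new(key, payload, "sha256").hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("CERT signature invalid")
    body = json.loads(payload)
    if body["sub"] != authenticated_principal:
        raise PermissionError("CERT issued to a different principal")
    if body["aud"] != service:
        raise PermissionError("CERT issued for a different application")
    if not body["nbf"] <= now < body["exp"]:
        raise PermissionError("CERT outside its validity window")
    return set(body["rights"])

def authorize(cert, authenticated_principal, service, required, now):
    """True if the CERT grants every right in `required`; raises if invalid."""
    return set(required) <= verify_cert(cert, authenticated_principal, service, now)
```

The order of checks matters: the signature is verified before any field is read, so an unsigned or tampered CERT never influences the decision, and the subject check uses the Kerberos-authenticated name rather than anything the bearer supplied.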


Inter-Domain Pull

[Diagram not reproduced. Participants: User, User Org KDC, Application Org KDC' (linked to KDC by a trust relationship, TR), User Org Authorization Server, Application. Labelled messages: TGT and TGT' (user and KDC); TGT' and AST (user and KDC'); AST (user to application); ID and AM (application and the User Org Authorization Server); OK (application to user).]

  • KDC: User Org Kerberos Key Distribution Center
  • KDC': Application Org Kerberos Key Distribution Center
  • TGT': Application Org Ticket Granting Ticket
  • AST: Application Service Ticket
  • ID: Authenticate Identity
  • AM: Message Authorizing Application by User Org
  • TR: Trust Relationship


Kerberos Inter-Realm

[Diagram not reproduced. Participants: User, User Org KDC, Application Org KDC' (trust relationship TR between the two KDCs), Application. Labelled messages: TGT and TGT' (user and KDC); TGT' and AST (user and KDC'); AST (user to application); OK (application to user).]


  • Login