Kerberos authentication


Kerberos

  • Requires shared secret with KDC (perhaps not for PKINIT)

  • Shared session key established

  • Time synchronization needed

  • Mutual Authentication

  • Credentials allow impersonation


Authorization

  • How does the authentication mechanism fit in authorization topology

  • Authorization based on authenticated identity (mapping may be needed)

  • Authorization within authentication messages (Kerberos auth data)

  • What are authorization messages bound to?

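The two slides above list Kerberos properties (shared secret with the KDC, session key, time synchronization, mutual authentication, impersonation via credentials) and ask where authorization data sits and what it is bound to. The following toy model is an added example, not code from the deck: it walks through the AS, TGS and AP exchanges with long-term keys held by a KDC, a per-ticket session key, an authenticator whose timestamp is checked against a skew window, an AP-REP that gives mutual authentication, and authorization data (group names) carried inside the ticket and bound to the authenticated principal. The `seal`/`unseal` functions, the principal names (`krbtgt`, `alice`, `http/app`), the keys and the groups are constructed stand-ins, not real Kerberos enctypes or a real realm.

```python
"""Toy Kerberos AS/TGS/AP exchange (added example, not code from the deck).
seal()/unseal() stand in for Kerberos encryption (SHA-256 keystream + HMAC-SHA256 tag,
not a real enctype). Every principal name, key and group below is constructed."""
import hashlib, hmac, json, os, secrets

SKEW = 300  # authenticators more than 5 minutes off the verifier's clock are refused

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small dict under key."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); fails closed on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, auth: dict, now: int) -> None:
    """Checks every ticket consumer makes: name binding, lifetime, clock skew."""
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator name does not match ticket")
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("clock skew too large")

class KDC:
    """Holds each principal's long-term key (the shared secret) plus authorization data."""
    def __init__(self, keys: dict, groups: dict):
        self.keys, self.groups = keys, groups
    def as_exchange(self, user: str, now: int):
        """AS-REQ/AS-REP: TGT under the krbtgt key, session key under the user's key."""
        sk = secrets.token_hex(16)
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": now + 8 * 3600,
                                         "authz": self.groups.get(user, [])})
        return tgt, seal(self.keys[user], {"sk": sk, "svc": "krbtgt"})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: verify the TGT holder, then issue a service ticket that carries
        the TGT's authorization data (authorization inside the authentication message)."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(t, unseal(bytes.fromhex(t["sk"]), authenticator), now)
        sk = secrets.token_hex(16)
        ticket = seal(self.keys[service], {"user": t["user"], "sk": sk, "exp": t["exp"], "authz": t["authz"]})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk, "svc": service})

class Service:
    """Application server: knows only its own key and keeps a replay cache."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()
    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int):
        """AP-REQ/AP-REP: returns (user, authz data, AP-REP proving the server's identity)."""
        t = unseal(self.key, ticket)
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)            # the authenticator proves possession of sk
        check_authenticator(t, a, now)
        if (a["user"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["user"], a["ts"]))
        return t["user"], t["authz"], seal(sk, {"ts": a["ts"]})  # echoed ts under sk = mutual auth

def client_session(kdc: KDC, svc: Service, user: str, user_key: bytes, now: int, skew: int = 0) -> dict:
    """Whole client run; `skew` models a client clock that is off by that many seconds."""
    tgt, as_rep = kdc.as_exchange(user, now)
    tgt_sk = bytes.fromhex(unseal(user_key, as_rep)["sk"])  # only the real user can open this
    tgt_auth = seal(tgt_sk, {"user": user, "ts": now + skew})
    ticket, tgs_rep = kdc.tgs_exchange(tgt, tgt_auth, svc.name, now)
    svc_sk = bytes.fromhex(unseal(tgt_sk, tgs_rep)["sk"])
    auth = seal(svc_sk, {"user": user, "ts": now + skew})
    who, authz, ap_rep = svc.ap_exchange(ticket, auth, now)
    mutual = unseal(svc_sk, ap_rep)["ts"] == now + skew     # the server proved it holds svc_sk
    return {"who": who, "authz": authz, "mutual": mutual, "creds": (ticket, auth)}

def demo() -> dict:
    keys = {"krbtgt": os.urandom(32), "alice": os.urandom(32), "http/app": os.urandom(32)}
    kdc = KDC(keys, {"alice": ["staff", "app-users"]})       # constructed principals and groups
    app = Service("http/app", keys["http/app"])
    now = 1_700_000_000
    r = client_session(kdc, app, "alice", keys["alice"], now)
    out = {"who": r["who"], "authz": r["authz"], "mutual": r["mutual"]}
    try:                                        # a copied ticket+authenticator is a credential,
        app.ap_exchange(*r["creds"], now + 1)   # but an exact replay hits the replay cache
        out["replay"] = "accepted"
    except ValueError as e:
        out["replay"] = str(e)
    try:                                        # client whose clock is 10 minutes off the KDC's
        client_session(kdc, app, "alice", keys["alice"], now, skew=600)
        out["skew"] = "accepted"
    except ValueError as e:
        out["skew"] = str(e)
    return out
```

`demo()` returns the name and groups the service derived from the ticket alone (authorization based on, and bound to, the authenticated identity), `mutual` set from the echoed timestamp, and two refusals: a verbatim replay of a valid ticket and authenticator is stopped by the service's replay cache, and a client whose clock is ten minutes out is rejected at the TGS with a skew error, which is the "time synchronization needed" bullet in practice. The "credentials allow impersonation" bullet is visible in the same structure: whoever holds a ticket together with its session key can produce fresh authenticators, so protecting session keys and keeping ticket lifetimes short are what bound the damage from a leaked credential.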

Kerberos with Pull Model 1

[Diagram: participants are the User Org KDC, the User Org AAA Server, the User and the Application; labelled flows are TGT, AST, ID, AM, "AST, Auth", OK, plus a Secure Channel]

KDC: Kerberos Key Distribution Center

TGT: Ticket Granting Ticket

AST: Application Service Ticket

ID: Authenticate Identity

AM: Message Authorizing Application by User Org


Kerberos with Pull Model 2

[Diagram: participants are the User Org KDC, the User Org Authorization Server, the User and the Application; labelled flows are UOST, "UOST, Auth", TGT, AST, AM, "AST, (TGTKey), TGT", "AST, Auth", OK]

KDC: Kerberos Key Distribution Center

TGT: Ticket Granting Ticket

TGTKey: TGT key encrypted with the AST session key (KRB_CRED)

UOST: User Org Authorization Server Service Ticket

AST: Application Service Ticket

AM: Message Authorizing Application by User Org


Kerberos with Pull Model 3

[Diagram: participants are the User Org KDC, the User Org Authorization Server, the User and the Application; labelled flows are TGT, UOST, "UOST, Auth", AM, OK, plus a Secure Channel]

KDC: Kerberos Key Distribution Center

TGT: Ticket Granting Ticket

UOST: User Org Authorization Server Service Ticket

Auth: Authenticator encrypted with session key

AM: Message Authorizing Application by User Org


Push Example

[Diagram: participants are the User Org KDC, the User Org Authorization Server, the User and the Application; labelled flows are TGT, UOST, CERT, AST, OK]

KDC: Kerberos Key Distribution Center

TGT: Ticket Granting Ticket

UOST: User Org Authorization Server Service Ticket

CERT: Authorization for User signed by User Org / bind to User principal or ????


Inter-Domain Pull

[Diagram: participants are the Application Org KDC’, the User Org KDC, the User Org Authorization Server, the User and the Application, with a TR between the two KDCs; labelled flows are TGT, TGT’, AST, ID, AM, OK]

KDC: User Org Kerberos Key Distribution Center

KDC’: Application Org Kerberos Key Distribution Center

TGT’: Application Org Ticket Granting Ticket

AST: Application Service Ticket

ID: Authenticate Identity

AM: Message Authorizing Application by User Org

TR: Trust Relationship


Kerberos Inter-Realm

[Diagram: participants are the Application Org KDC’, the User Org KDC, the User and the Application, with a TR between the two KDCs; labelled flows are TGT, TGT’, AST, OK]

