Kerberos overview (sequence diagram: Client C acting for User U, KAS, TGS, Server S)

  User U logs on at C.
  C -> KAS:   Authenticate C for U
  KAS -> C:   Credentials (TGT)
  C -> TGS:   Want to use S; here's the TGT          (1st time S is used)
  TGS -> C:   Credentials to use S (ST)
  C -> S:     Want to use S; here's the ST           (other times: the cached ST is presented directly)
  C -> S:     Access request
  S -> C:     Ok
  C <-> S:    Application messages
Basic Kerberos exchange (shared keys only). Notation: {m}k is shared-key encryption of m under k; kC, kT, kS are the long-term keys of C, the TGS T and the server S; n1, n2 are nonces chosen by C; tc, t'c are C's timestamps and tk the KAS's; AK is the authentication key, SK the service key.

  TGT = {AK, C}kT          ST = {SK, C}kS

  C -> KAS:   C, T, n1                        Authenticate C for U
  KAS -> C:   C, TGT, {AK, n1, T}kC           Credentials (TGT)                (KAS picks AK, tk)
  C -> T:     TGT, {C, t}AK, C, S, n2         Want to use S; here's the TGT    (C picks n2, t = tc)
  T -> C:     C, ST, {SK, n2, S}AK            Credentials to use S (ST)
  C -> S:     ST, {C, t'}SK                   Want to use S; here's the ST     (t' = t'c)
  S -> C:     {t'}SK                          Ok
Cross-realm Kerberos. C in realm R1 wants to use S in realm Rn. C's own KDC1 issues a ticket for KDC2 that KDC2 accepts as a TGT (ST1 = TGT2); KDC2 in turn issues ST2 = TGT3, and so on along the inter-realm (IR) chain KDC1, KDC2, ..., KDCn-1, KDCn:

  ST1 = TGT2,  ST2 = TGT3,  ...,  STn-2 = TGTn-1,  STn-1 = TGTn

KDCn finally issues STn for S, after which C and S exchange application messages.
Public-key Kerberos (PKINIT). Notation: {m}k shared-key encryption; {{m}}pk public-key encryption under public key pk; [m]sk digital signature under private key sk. CertC and CertK are the certificates of C and the KAS, tC is C's timestamp, and k is a fresh key chosen by the KAS that takes the place of the long-term kC in the AS reply.

  TGT = {AK, C}kT          ST = {SK, C}kS

  C -> KAS:   CertC, [tC, n2]skC, C, T, n1
  KAS -> C:   {{CertK, [k, n2]skK}}pkC, C, TGT, {AK, n1, T}k
  C -> T:     TGT, {C, t}AK, C, S, n2
  T -> C:     C, ST, {SK, n2, S}AK
  C -> S:     ST, {C, t'}SK
  S -> C:     {t'}SK

Only the first two messages change; the TGS and server exchanges are those of basic Kerberos.
PKINIT, Diffie-Hellman mode. Instead of the KAS encrypting k under pkC, each side sends a signed DH public value and k is derived from the resulting shared secret:

  C -> KAS:   CertC, [tC, n2, DHpubC]skC, C, T, n1
  KAS -> C:   CertK, [DHpubK, n2]skK, C, TGT, {AK, n1, tk, T}k
Attack on PKINIT (public-key encryption mode) by an intermediary I that holds its own certificate CertI:

  C -> I:     CertC, [tC, n2]skC, C, T, n1
  I -> KAS:   CertI, [tC, n2]skI, C, T, n1                       I re-signs C's timestamp and nonce under skI
  KAS -> I:   {{CertK, [k, n2]skK}}pkI, I, TGT, {AK, n1, T}k     with TGT = {AK, I}kT
  I -> C:     {{CertK, [k, n2]skK}}pkC, C, TGT, {AK, n1, T}k

The KAS authenticates the certificate holder, so it issues the TGT to I and encrypts the reply for I. I decrypts it, learns k (and hence AK), re-encrypts the signed part under pkC and writes C back into the cleartext name field. Two properties of the reply make this work:

  {{CertK, [k, n2]skK}}pkI, I, {AK, I}kT, {AK, n1, T}k
  - the cleartext principal name can be tampered with: nothing signed by the KAS ties it to k;
  - the TGT is opaque to C, so C cannot see that it names I rather than C.

C accepts the reply: the signature [k, n2]skK verifies and n2 is its own nonce.
Fix: bind the KAS's signed reply to the request it actually received, using a keyed checksum over the whole AS request in place of the bare nonce:

  C -> KAS:   CertC, [tC, n2]skC, C, T, n1
  KAS -> C:   {{CertK, [k, cksum]skK}}pkC, C, TGT, {AK, n1, T}k
              where cksum = Hk(CertC, [tC, n2]skC, C, T, n1)

C recomputes Hk over the request it sent and compares. A relayed reply carries Hk over I's request (CertI, [tC, n2]skI, ...), so the comparison fails, and I cannot substitute a checksum of its own without skK. The nonce n2 is covered by the checksum, so freshness is kept.
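The AS exchange from the PKINIT slides, the relay through I, and the checksum fix, as an added worked example that is not part of the original slides. It is a symbolic (Dolev-Yao style) model: {m}k, {{m}}pk and [m]sk are opaque terms that open only with the matching key, names such as "k1" and "AK1" stand for fresh keys, and Hk is taken to be HMAC-SHA256 over the serialized request. The key naming scheme ("pk_X"/"sk_X"), the certificate encoding and the message layout are assumptions of the example, not of the slides or of any Kerberos implementation.

```python
"""Symbolic model of the PKINIT AS exchange, the relay through I, and the
keyed-checksum fix.  Added example: keys are symbolic names, not key material."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Any, Tuple

@dataclass(frozen=True)
class Enc:       # {m}k   : shared-key encryption under symbolic key k
    key: str
    body: Tuple[Any, ...]

@dataclass(frozen=True)
class PubEnc:    # {{m}}pk : public-key encryption; "pk_X" is opened by "sk_X"
    pk: str
    body: Tuple[Any, ...]

@dataclass(frozen=True)
class Sig:       # [m]sk  : signature by "sk_X", checked with "pk_X"; m stays readable
    sk: str
    body: Tuple[Any, ...]

def owner(key: str) -> str:            # "pk_C" or "sk_C" -> "C"
    return key.split("_", 1)[1]

def dec(t, k):                         # open {m}k with k
    if not (isinstance(t, Enc) and t.key == k):
        raise ValueError("shared-key decryption failed")
    return t.body

def pubdec(t, sk):                     # open {{m}}pk with the matching sk
    if not (isinstance(t, PubEnc) and owner(t.pk) == owner(sk)):
        raise ValueError("public-key decryption failed")
    return t.body

def verify(s, pk):                     # check [m]sk with the matching pk
    if not (isinstance(s, Sig) and owner(s.sk) == owner(pk)):
        raise ValueError("signature does not verify")
    return s.body

def cksum(k, request):
    """H_k(request): keyed hash over the whole AS request as the KAS saw it."""
    return hmac.new(k.encode(), repr(request).encode(), hashlib.sha256).hexdigest()

def client_request():
    return (("Cert", "C"), Sig("sk_C", ("tC", "n2")), "C", "T", "n1")

def kas(request, fixed):
    """KAS authenticates the certificate holder, not the cleartext name, and
    issues TGT = {AK, holder}kT.  fixed=True signs cksum instead of n2."""
    cert, signed, _name, T, n1 = request
    holder = cert[1]                                  # ("Cert", X): pk_X belongs to X
    _tC, n2 = verify(signed, "pk_" + holder)
    k, AK = "k1", "AK1"                               # fresh keys (symbolic)
    bound = cksum(k, request) if fixed else n2
    return (PubEnc("pk_" + holder, (("Cert", "K"), Sig("sk_K", (k, bound)))),
            holder, Enc("kT", (AK, holder)), Enc(k, (AK, n1, T)))

def client_accepts(request, reply, fixed):
    """C opens the reply with sk_C and checks that the KAS-signed part is tied
    to the request C itself sent (n2 originally, H_k(request) in the fix)."""
    try:
        boxed, name, _tgt, enc_ak = reply             # the TGT is opaque to C
        cert_k, signed = pubdec(boxed, "sk_C")
        k, bound = verify(signed, "pk_K")
        expected = cksum(k, request) if fixed else request[1].body[1]
        if cert_k != ("Cert", "K") or name != "C" or bound != expected:
            return False
        _AK, n1, T = dec(enc_ak, k)
        return (n1, T) == (request[4], request[3])
    except ValueError:
        return False

def intermediary(request_from_c, fixed):
    """I re-signs C's tC and n2 under sk_I, presents CertI, and rewrites the
    reply for C.  Returns the forged reply and the k that I learned."""
    _cert, signed, C, T, n1 = request_from_c
    tC, n2 = signed.body                              # a signature hides nothing
    boxed, _I, tgt, enc_ak = kas((("Cert", "I"), Sig("sk_I", (tC, n2)), C, T, n1), fixed)
    inner = pubdec(boxed, "sk_I")                     # I now knows k, hence AK
    forged = (PubEnc("pk_C", inner), C, tgt, enc_ak)  # name tampered, TGT passed through
    return forged, inner[1].body[0]

def run(fixed):
    req = client_request()
    forged, k_learned = intermediary(req, fixed)
    return {"client_accepts": client_accepts(req, forged, fixed),
            "attacker_knows_k": k_learned == "k1",
            "tgt_issued_to": dec(forged[2], "kT")[1]}  # the KAS's view of the principal

if __name__ == "__main__":
    print("original:", run(False))   # accepted, yet the TGT names I and I knows k
    print("fixed:   ", run(True))    # checksum mismatch: C rejects the relayed reply
```

run(False) shows the slide's attack: C accepts a reply whose TGT was issued to I while I holds k and AK. run(True) shows why the fix works: the KAS computed Hk over I's request, C recomputes it over its own, the two differ, and I cannot replace the checksum because it sits inside [k, cksum]skK. The honest exchange (C talking directly to the KAS) is accepted in both modes.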