Posted on the ChinaUnix forum, 2011-05-25 17:02 (last edited by ancharn 2011-05-25 17:04)

KERBEROS AUTHENTICATION STEPS
# Mailto: manualpage at gmail.com

STEP 1: INITIAL Kerberos AUTHENTICATION
1. User enters username & kerberos_password into the login program.
2. Login program converts the username to a principal name, then sends a login
   request (asking for a TGT) for that principal to the KDC's "authentication service".
        # Ticket Granting Ticket, or TGT for short.
        ---pre-auth---
        a. Login program sends UserInputPwd(time) to KDC
        b. KDC: UserRealPwd(UserInputPwd(time))
        c. time = time?
        Note: so time sync is very important; use NTP to keep time in sync.
3. KDC sends the login program a TGT encrypted using the user's real password.
        ---Process---
        a. KDC generates a secret session key (TGT); KDC keeps one copy.
        b. TGT is encrypted using the password that belongs to the user's principal
             as the encryption key.
        c. KDC sends the UserRealPwd(TGT) copy back to the login program.
4. If the login program can decrypt the TGT with the password the user
   entered as the decryption key, the user is authenticated.
        # Login program decodes it: UserInputPwd(UserRealPwd(TGT)) = TGT
5. User now has the TGT for later use.

STEP 2: TICKET AUTHENTICATION
1. Client sends a request for a service ticket to the KDC's "ticket granting service".
2. KDC generates another secret session key that will be used as the service ticket,
   and sends the client two identical copies.
        a. One encrypted with the user's current TGT:
                TGT(service_ticket)
        b. One encrypted with the password of the network service's principal:
                SrvPwd(service_ticket)
3. Client decrypts the first copy (TGT(service_ticket)) using its current TGT,
   and so obtains the ticket, "service_ticket".
        # Decrypt it: TGT(TGT(service_ticket)) = service_ticket.
4. Client creates an authenticator by encrypting a current timestamp with the decrypted
   service ticket.
        # authenticator = service_ticket(timestamp)
5. Client sends the second copy SrvPwd(service_ticket) and the authenticator to the
   network service host that provides the service.
        # Note: SrvPwd(service_ticket) is still encrypted with the network service's
        password.
6. The network service uses the password stored in its keytab file to decrypt the
   second copy of the ticket, and so obtains the "service_ticket".
        # Decrypt: SrvPwd(SrvPwd(service_ticket)) = service_ticket
7. The network service uses the decrypted "service_ticket" to decrypt the
   authenticator: service_ticket(service_ticket(timestamp)).

# NOTE:
  Since only the service and the KDC know the password, if the network service can
  decrypt SrvPwd(service_ticket) and obtain the "service_ticket", the service
  knows the "service_ticket" came from the KDC.
  If the network service can decrypt the authenticator using the decrypted
  "service_ticket", then the network service knows the user's client decrypted its
  "service_ticket", and therefore knows its own password on the same KDC.
  So the "service_ticket" the user got = the "service_ticket" the network
  service decrypted, and the user can use this service.
  So "service_ticket" = secret key = symmetric key, for user and service to use, and
  TGT = secret key = symmetric key, for user and KDC to use.
#
# KERBEROS AUTHENTICATION STEPS

Reference resource:
Designing an Authentication System: a Dialogue in Four Scenes,
http://www.mit.edu/~kerberos/dialogue.html
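The two exchanges the post walks through (STEP 1 pre-auth and TGT issue, STEP 2 service ticket and authenticator), replayed as an added toy simulation in Python. This is editor-added example code, not the post's own material and not MIT Kerberos; it keeps the post's notation (long-term keys stand in for UserRealPwd and SrvPwd, the TGT and service_ticket secrets are random session keys, the authenticator is a timestamp sealed under the shared key) and makes explicit two checks the post only hints at: the clock-skew window behind the "use NTP" note, and a replay cache so a captured authenticator cannot be presented twice. Assumptions beyond the post: the cipher is a throwaway SHA-256 keystream with an HMAC tag (real Kerberos uses AES-CTS and ASN.1 messages), ticket bodies also carry the client name and an expiry, the TGS request carries its own authenticator under the TGT key, and all principal names, passwords, lifetimes and timestamps are constructed.

```python
"""Toy replay of the post's two Kerberos exchanges (AS and TGS) plus the
service-side check. Editor-added example; not real Kerberos wire format/crypto."""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300          # seconds: the reason the post says "use NTP to keep time in sync"
TICKET_LIFE = 36000     # assumed ticket lifetime (10 h); not from the post

def kdf(password: str) -> bytes:
    """Long-term key derived from a password ("UserRealPwd" / "SrvPwd" in the post)."""
    return hashlib.sha256(b"kerb-toy|" + password.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: SHA-256 keystream XOR plus an HMAC tag."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def fresh(t: int, now: int) -> bool:
    return abs(t - now) <= MAX_SKEW

class KDC:
    """Holds every principal's long-term key and runs the AS and TGS services."""
    def __init__(self, passwords: dict):
        self.keys = {p: kdf(pw) for p, pw in passwords.items()}
        self.tgs_key = os.urandom(32)   # key of the krbtgt principal; never leaves the KDC

    def as_exchange(self, user: str, preauth: bytes, now: int):
        # STEP 1 pre-auth: UserInputPwd(time); a wrong password fails right here (ValueError)
        if not fresh(open_(self.keys[user], preauth)["time"], now):
            raise PermissionError("pre-auth: clock skew too large")
        session = os.urandom(32)        # the "TGT" secret shared by user and KDC
        tgt = seal(self.tgs_key, {"client": user, "key": session.hex(), "expires": now + TICKET_LIFE})
        return seal(self.keys[user], {"key": session.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        # STEP 2: the client proves it holds the TGT session key with a fresh authenticator
        body = open_(self.tgs_key, tgt)
        auth = open_(bytes.fromhex(body["key"]), authenticator)
        if now > body["expires"] or not fresh(auth["time"], now) or auth["client"] != body["client"]:
            raise PermissionError("TGS: expired TGT or bad authenticator")
        svc_key = os.urandom(32)        # the post's "service_ticket" secret, shared by user and service
        ticket = seal(self.keys[service], {"client": body["client"], "key": svc_key.hex(),
                                           "expires": now + TICKET_LIFE})
        return seal(bytes.fromhex(body["key"]), {"key": svc_key.hex()}), ticket

class Service:
    """A network service whose long-term key comes from its keytab."""
    def __init__(self, keytab_password: str):
        self.key = kdf(keytab_password)
        self.seen = set()               # replay cache of authenticators already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        body = open_(self.key, ticket)  # only the KDC and this service hold self.key
        auth = open_(bytes.fromhex(body["key"]), authenticator)
        if now > body["expires"] or not fresh(auth["time"], now) or auth["client"] != body["client"]:
            raise PermissionError("service: stale or mismatched authenticator")
        if authenticator in self.seen:
            raise PermissionError("service: replayed authenticator")
        self.seen.add(authenticator)
        return body["client"]

def client_login(kdc: KDC, user: str, password: str, service: str, now: int, skew: int = 0):
    """Client side of both exchanges; returns (ticket, authenticator) to send to the service.
    `skew` models a client clock that is off from the KDC's by that many seconds."""
    t = now + skew                                      # the client's own clock
    ukey = kdf(password)                                # UserInputPwd
    enc_session, tgt = kdc.as_exchange(user, seal(ukey, {"time": t}), now)
    session = bytes.fromhex(open_(ukey, enc_session)["key"])
    enc_svc, ticket = kdc.tgs_exchange(tgt, seal(session, {"client": user, "time": t}), service, now)
    svc_key = bytes.fromhex(open_(session, enc_svc)["key"])
    return ticket, seal(svc_key, {"client": user, "time": t})

if __name__ == "__main__":
    # constructed principals and passwords
    kdc = KDC({"alice": "correct horse", "host/app.example.test": "keytab-secret"})
    app = Service("keytab-secret")
    ticket, auth = client_login(kdc, "alice", "correct horse", "host/app.example.test", 1_700_000_000)
    print("authenticated as", app.accept(ticket, auth, 1_700_000_000))
```

Things worth trying against it: a wrong password fails at the KDC's pre-auth decrypt rather than on the client (the post's step 4 describes the older no-pre-auth behaviour, where the client only notices when it cannot decrypt the reply); a client clock more than MAX_SKEW seconds off is rejected even with the right password; a ticket sent to a service with a different keytab key fails to decrypt; and presenting the same authenticator twice is refused by the replay cache.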