Overview
Authentication Process
•
•
•Time stamp
•Nonce
Step | 2. | If the AS decrypts the message successfully, it authenticates the |
|
| requesting user and issues a TGT. The TGT contains the user name, a |
|
| session key for your use, and name of the server to be used for any |
|
| subsequent communication. The reply message is encrypted using your |
|
| secret key. |
Step | 3. | The client decrypts the message using your secret key. The TGT and the |
|
| session key from the message are stored in the client’s credential cache. |
|
| These credentials are used to obtain tickets for each network service the |
|
| principal wants to access. |
The Kerberos protocol exchange has the following important features:
•The authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text.
•The client (or any other user) cannot view or modify the contents of the TGT.
Step | 4. | To obtain access to a secured network service such as rlogin, rsh, rcp, |
|
| ftp, or telnet, the requesting client application uses the previously |
|
| obtained TGT in a dialogue with the TGS to obtain a service ticket. The |
|
| protocol is the same as used while obtaining the TGT, except that the |
|
| messages contain the name of the server and a copy of the previously |
|
| obtained TGT. |
Step | 5. | The TGS returns a new service ticket that the application client can use |
|
| to authenticate the service. |
Step | 6. | The application client tries to authenticate to the service on the |
|
| application server using the service ticket obtained from the TGS. |
The secure application validates the service ticket using the service key of the server that is present in the key tab file. Using the session key, the server decrypts the authenticator and verifies the identity of the user. It
Chapter 1 | 29 |