Overview

Authentication Process

Step 3. If the AS can decrypt the message successfully, it knows that the requesting user is who they claim to be, and issues a TGT. The TGT contains the name of the user and a session key to be used by the user and the Server for any subsequent communication. The reply message is encrypted using the user’s secret key.

Step 4. The KDC decrypts the message using the user’s secret key. If the application can successfully decrypt the message, the user is allowed to use the application. The TGT and the session key from the message are stashed in the user’s credential cache.

This protocol exchange has three important features, namely:

the authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text

tickets are not returned unless the principal name and password are correct

neither the client nor anyone else can look at or modify the contents of the TGT

At the end of this initial exchange with the AS, the user’s credential cache holds the user principal’s TGT and the associated session key. These are used to obtain tickets for each network service the principal wants to access.

To obtain access to a secured network service, the requesting client application uses the previously obtained TGT in a dialog with the Server. The protocol is the same as used while obtaining the TGT, except the messages contain the name of the server, the message type and an encrypted copy of the previously obtained TGT.

Step 5. The user runs a secured application, such as rlogin, rsh, rcp, ftp or telnet.

Step 6. The secured application checks for the required service ticket in the user’s credential cache. If it is there, skip to Step 10. If the user does not have the required service ticket, the secured application reads the user principal’s TGT and session key from the user’s private credentials cache.

Step 7. The secured application sends its request for a specific service ticket to the ticket-granting service (TGS), along with the user principal’s TGT and an authenticator. An authenticator is known data, such as a timestamp and user name, encrypted with the session key.
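The Step 3 to Step 7 exchange as an added Python sketch; this is not code from the HP-UX manual or its Kerberos implementation. toy_encrypt/toy_decrypt are a constructed stand-in for a real Kerberos encryption type, and the principal name, password and keys are made up. It shows the three features listed above: the client only ever sends material encrypted under its password-derived key, a wrong password yields no TGT, and the TGT is opaque to the client and tamper-evident.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    # Constructed toy cipher (stand-in for a Kerberos enctype): SHA-256 keystream + HMAC tag.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + bytes([i])).digest(); i += 1
    return out[:n]

def toy_encrypt(key, obj):
    data, nonce = json.dumps(obj).encode(), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("cannot decrypt: wrong key or modified data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

KDC_DB = {"alice": hashlib.sha256(b"alice-password").digest()}  # KDC's copy of user secret keys (made up)
TGS_KEY = os.urandom(32)  # known only to the KDC; clients never see it, so the TGT is opaque to them

def as_exchange(user, pre_auth):
    """Step 3: the AS must decrypt the request with the user's stored key before issuing a TGT."""
    user_key = KDC_DB[user]
    toy_decrypt(user_key, pre_auth)  # raises if the client's password-derived key was wrong
    session_key = os.urandom(32).hex()
    tgt = toy_encrypt(TGS_KEY, {"user": user, "session_key": session_key})
    return toy_encrypt(user_key, {"tgt": tgt.hex(), "session_key": session_key})

def tgs_exchange(service, tgt_hex, authenticator):
    """Step 7 (TGS side): open the TGT, check the authenticator under its session key, issue a ticket."""
    tgt = toy_decrypt(TGS_KEY, bytes.fromhex(tgt_hex))
    auth = toy_decrypt(bytes.fromhex(tgt["session_key"]), authenticator)
    if auth["user"] != tgt["user"] or abs(time.time() - auth["timestamp"]) > 300:
        raise ValueError("authenticator does not match TGT")
    return {"service": service, "user": tgt["user"]}

def client_login(user, password):
    """Steps 3-4 (client side): only an encrypted timestamp crosses the wire, never the password."""
    user_key = hashlib.sha256(password.encode()).digest()
    reply = as_exchange(user, toy_encrypt(user_key, {"timestamp": time.time()}))
    return toy_decrypt(user_key, reply)  # becomes the credential cache: {"tgt": ..., "session_key": ...}

def client_get_service_ticket(user, ccache, service):
    """Step 7 (client side): authenticator = user name + timestamp encrypted with the session key."""
    authenticator = toy_encrypt(bytes.fromhex(ccache["session_key"]), {"user": user, "timestamp": time.time()})
    return tgs_exchange(service, ccache["tgt"], authenticator)
```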

Chapter 1

29
