Overview

Authentication Process
Step 3. If the AS can decrypt the message successfully, it knows that the requesting user is who they claim to be, and issues a TGT. The TGT contains the name of the user and a session key to be used by the user and the Server for any subsequent communication. The reply message is encrypted using the user's secret key.

Step 4. The KDC decrypts the message using the user's secret key. If the application can successfully decrypt the message, the user is allowed to use the application. The TGT and the session key from the message are stashed in the user's credential cache.
This protocol exchange has three important features, namely:
• the authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text
• tickets are not returned unless the principal name and password are correct
• neither the client nor anyone else can look at or modify the contents of the TGT
At the end of this initial exchange with the AS, the user's credential cache holds the user principal's TGT and the associated session key. These are used to obtain tickets for each network service the principal wants to access.

To obtain access to a secured network service, the requesting client application uses the previously obtained TGT in a dialog with the Server. The protocol is the same as used while obtaining the TGT, except the messages contain the name of the server, the message type and an encrypted copy of the previously obtained TGT.
Step 5. The user runs a secured application, such as rlogin, rsh, rcp, ftp or telnet.

Step 6. The secured application checks for the required service ticket in the user's credential cache. If it is there, skip to Step 10. If the user does not have the required service ticket, the secured application reads the user principal's TGT and session key from the user's private credential cache.

Step 7. The secured application sends its request for a specific service ticket to the … and an authenticator. An authenticator is known data, such as a timestamp and user name, encrypted with the session key.
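The following is an added example, not code from this documentation: a Python simulation of the AS exchange (Steps 3 and 4) and the TGT-plus-authenticator request of Step 7, showing both the client and KDC sides of each message. It uses a toy authenticated cipher in place of Kerberos' real encryption types, and the principal name, keys and the 5-minute clock-skew limit are constructed assumptions.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption standing in for Kerberos' real enctypes:
# SHA-256 keystream XOR plus an HMAC tag, so decrypting under the wrong
# key raises instead of returning garbage ("can decrypt successfully").
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, msg: dict) -> bytes:
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

KDC_KEY = os.urandom(32)  # constructed: known only to the AS/TGS, never to clients
USER_KEYS = {"alice": hashlib.sha256(b"correct horse").digest()}  # constructed principal DB

def as_exchange(user: str, password: bytes) -> dict:
    """Steps 3-4: client proves knowledge of its key; AS returns TGT + session key."""
    user_key = hashlib.sha256(password).digest()   # derived locally; password never leaves
    request = encrypt(user_key, {"user": user, "ts": time.time()})
    # --- AS side (Step 3): decrypting the request proves the user's identity ---
    decrypt(USER_KEYS[user], request)              # raises unless the key matches
    session_key = os.urandom(32)
    tgt = encrypt(KDC_KEY, {"user": user, "skey": session_key.hex()})   # opaque to client
    reply = encrypt(USER_KEYS[user], {"tgt": tgt.hex(), "skey": session_key.hex()})
    # --- client side (Step 4): stash TGT and session key in the credential cache ---
    creds = decrypt(user_key, reply)
    return {"tgt": bytes.fromhex(creds["tgt"]), "skey": bytes.fromhex(creds["skey"])}

def tgs_check(ccache: dict, user: str, max_skew: int = 300) -> str:
    """Step 7: client sends the TGT plus an authenticator; TGS validates both."""
    authenticator = encrypt(ccache["skey"], {"user": user, "ts": time.time()})
    # --- TGS side: open the TGT with the KDC key, then the authenticator with the session key ---
    tgt = decrypt(KDC_KEY, ccache["tgt"])
    auth = decrypt(bytes.fromhex(tgt["skey"]), authenticator)
    if auth["user"] != tgt["user"] or abs(time.time() - auth["ts"]) > max_skew:
        raise ValueError("authenticator rejected")
    return tgt["user"]
```

A wrong password makes the AS reject the request, and any modification of the cached TGT makes the TGS reject it, illustrating the second and third features listed above.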