Overview

Authentication Process

Step 8. The TGS uses the session key carried in the TGT to decrypt the authenticator and check the user's identity, and verifies that the TGT and the user's credentials have not expired. The TGS then reads the secured service's principal key from the principal database, builds a reply and sends it back to the secured client application.

The reply contains two different packets:

The packet intended for the service principal is the service ticket. It contains the new session key, the user's principal name, the ticket's validity period and other information, all encrypted in the service principal's key.

The packet intended for the client contains the same new session key, the name of the service and the ticket's validity period.

The client's packet is encrypted in the session key the client received with the TGT; the service ticket stays encrypted in the service principal's key and is opaque to the client.

Step 9. The secured client application uses the session key received with the TGT to decrypt its packet of the reply. It stores the service ticket and the new session key in the user's credentials cache. The client does not attempt to decrypt the service ticket: it cannot, because the ticket is encrypted in the service principal's key, which the client does not have.

Step 10. The secured client application sends the service ticket to the secured service, together with a new authenticator encrypted in the new session key, requesting a connection. The secured service decrypts the ticket using its key, which is stored in a service key table file (the default key table file name is v5srvtab).

If the service can decrypt the ticket, it uses the session key carried in the ticket to decrypt the authenticator, which contains the user principal's name and a timestamp. The service checks that the timestamp is within the permitted clock skew of its own clock (five minutes by default). This limits an attacker's ability to replay a captured ticket and authenticator later; replays within the skew window are caught only if the service keeps a replay cache of recently seen authenticators.

The principal name in the authenticator must match the name in the ticket; since only a holder of the session key could have produced the authenticator, the service knows that the user has been authenticated and is who the user claims to be. The service then performs authorization checks for the principal name. If the checks are successful, a connection is established.

Step 11. The secured client application may require the secured service to authenticate itself (mutual authentication). The service does so by returning the timestamp from the authenticator encrypted in the session key; only a service holding the key from its key table could have read the ticket and obtained that session key, so a correct reply proves the service's identity to the client.
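As an added illustration, not code from this page or from any Kerberos implementation, the following Python models steps 8 through 11 end to end: the TGS builds the two packets, the client caches what it can read, the service decrypts the ticket from its key table, checks the authenticator against its own clock and a replay cache, and answers for mutual authentication. The principal names, keys, the fixed timestamp and the seal()/unseal() cipher are constructed stand-ins; real Kerberos uses standardized encryption types and ASN.1 messages.

```python
"""Toy model of Kerberos steps 8-11; seal()/unseal() stand in for a Kerberos encryption type."""
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock skew the service tolerates (the usual five-minute default)
SERVICE = "host/fileserver.example.com"  # constructed service principal name

def _mac(key, label, data):
    """HMAC-SHA256 under a per-purpose subkey derived from key and label."""
    return hmac.new(hmac.new(key, label, hashlib.sha256).digest(), data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    """Encrypt or decrypt data by XOR with HMAC-derived keystream blocks."""
    stream = b"".join(_mac(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key, obj):
    """Encrypt-then-MAC a JSON-able object under key; output is nonce || body || tag."""
    nonce = os.urandom(16)
    body = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + body + _mac(key, b"mac", nonce + body)

def unseal(key, blob):
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + body)):
        raise ValueError("wrong key or tampered packet")
    return json.loads(_xor_stream(key, nonce, body))

def tgs_reply(principal_db, tgt_session_key, client, service, now):
    """Step 8: ticket sealed in the service's key, client packet sealed in the TGT session key."""
    new_key = os.urandom(32).hex()
    ticket = seal(principal_db[service],
                  {"client": client, "key": new_key, "start": now, "end": now + 8 * 3600})
    client_part = seal(tgt_session_key, {"service": service, "key": new_key, "end": now + 8 * 3600})
    return ticket, client_part

def client_cache_reply(cache, tgt_session_key, ticket, client_part):
    """Step 9: decrypt only the client's packet; cache the opaque ticket with the new session key."""
    creds = unseal(tgt_session_key, client_part)
    cache[creds["service"]] = (ticket, bytes.fromhex(creds["key"]))

def client_ap_request(cache, client, service, now):
    """Step 10, client side: the cached ticket plus a fresh authenticator sealed in the session key."""
    ticket, key = cache[service]
    return ticket, seal(key, {"client": client, "ctime": now})

def service_accept(keytab, service, replay_cache, ticket, authenticator, now):
    """Step 10, service side, and step 11: decrypt the ticket with the key table entry, check its
    validity, decrypt the authenticator with the session key, enforce skew window and replay cache."""
    t = unseal(keytab[service], ticket)
    if not t["start"] <= now <= t["end"]:
        raise ValueError("ticket expired or not yet valid")
    key = bytes.fromhex(t["key"])
    auth = unseal(key, authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(auth["ctime"] - now) > SKEW:
        raise ValueError("authenticator outside clock-skew window")
    if (auth["client"], auth["ctime"]) in replay_cache:
        raise ValueError("authenticator replayed inside the skew window")
    replay_cache.add((auth["client"], auth["ctime"]))
    return t["client"], seal(key, {"ctime": auth["ctime"]})  # step 11: echo the timestamp under the session key

def _error(fn, *args):
    """Return the ValueError message fn(*args) raises, or None if it succeeds."""
    try:
        fn(*args)
    except ValueError as err:
        return str(err)
    return None

def run_exchange():
    """Run steps 8-11 with constructed keys and record the outcome of each check."""
    svc_key = os.urandom(32)
    principal_db = keytab = {SERVICE: svc_key}  # KDC database and the service's key table (constructed)
    tgt_session_key = os.urandom(32)            # received by the client earlier, with the TGT
    now, cache, replay_cache, r = 1_700_000_000, {}, set(), {}
    ticket, client_part = tgs_reply(principal_db, tgt_session_key, "alice", SERVICE, now)
    client_cache_reply(cache, tgt_session_key, ticket, client_part)
    ticket, auth = client_ap_request(cache, "alice", SERVICE, now)
    session_key = cache[SERVICE][1]
    principal, ap_rep = service_accept(keytab, SERVICE, replay_cache, ticket, auth, now + 30)
    r["accepted_as"] = principal                                    # service clock 30 s ahead: within skew
    r["mutual_auth"] = unseal(session_key, ap_rep)["ctime"] == now  # step 11, checked by the client
    r["replay"] = _error(service_accept, keytab, SERVICE, replay_cache, ticket, auth, now + 60)
    stale = seal(session_key, {"client": "alice", "ctime": now - 600})
    r["stale"] = _error(service_accept, keytab, SERVICE, replay_cache, ticket, stale, now)
    r["ticket_opaque_to_client"] = _error(unseal, tgt_session_key, ticket)  # step 9: client can't read it
    return r

if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

Running run_exchange() shows the accept path with the service clock 30 seconds ahead, a replayed authenticator rejected by the replay cache even though it is still inside the skew window, a ten-minute-old authenticator rejected by the skew check, and the client's failure to open the ticket with the TGT session key.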

30

Chapter 1