|
KERBEROS AUTHENTICATION STEPS
# Mailto: manualpage at gmail.com
STEP 1: INITIAL Kerberos AUTHENTICATION
1. User enters username & kerberos_password to login program.
2. Login program converts the username to a principal name, then send login
request(ask for TGT) for that principal to the KDC's "authentication service".
# Ticket Grant Ticket, or TGT for short.
---pre-auth---
a. Login program send UserInputPwd(time) to KDC
b. KDC UserRealPwd(UserInputPwd(time))
c. time = time?
Note: so, the time sync is very important, use NTP to keep time sync.
3. KDC sends the login program a TGT encrypted using the user's real password.
---Process---
a. KDC generates a secret session key(TGT), KDC keeps one copy.
b. TGT was encrypted using the password that belongs to the user's principal
as the encryption key.
c. KDC send the UserRealPwd(TGT) copy back to login program.
4. If the login program can decrypt the TGT with the password provided by the user
entered as the decryption key, the user is authenticated.
# Login program decode it: UserInputPwd(UserRealPwd(TGT)) = TGT
5. User got the TGT for later use.
STEP 2: TICKET AUTHENTICATION
1. Client sends request for service ticket to KDC's "ticket granting service".
2. KDC generates another secret session key that will be used as the service ticket,
and sends client two identical copies.
a. One encrypted with the user's current TGT:
TGT(service_ticket)
b. One encrypted with the password of the network service's principal:
SrvPwd(service_ticket)
3. Client User decrypt the first copy(TGT(service ticket)) using its current TGT,
then user got the ticket, "service_ticket".
# Decrypt it: TGT(TGT(service_ticket)) = service_ticket.
4. Client create authenticator by encrypting a current timestamp with the decrypted
service ticket.
# authenticator = service_ticket(timestamp)
5. Client sends the second copy SrvPwd(service_ticket) and the authenticator to the
network service host who privide the servie.
# Note: SrvPwd(service_ticket) is still encrypted with the network service's
password.
6. The network service uses the password stored in its keytab file to decrypt the
second copy of the ticket, and network servie got the "service_ticket"
# Decrypt: SrvPwd(SrvPwd(service_ticket)) = service_ticket
7. The network service uses the decrypted "service_ticket" to decrypt the
authenticator: service_ticket(service_ticket(timestamp)).
# NOTE:
Since only the service and the KDC know the password, if network service can
decrypt the SrvPwd(service_ticket) and got the "service_ticket", the service
knows the "service_ticket" came from the KDC.
If the network service can decrypt the authenticator using the decrypted
"service_ticket", then the network service knows the user's client decrypted its
"service_ticket", and thereforce knows its own password on the same KDC.
So, the "service_ticket" which user got = the "service_ticket" which network
service decrypted, the user can use this service.
So, "service_ticket"=secret key=symetric key, for user and service use, and
TGT=secret key=symetric key, for user and KDC use.
#
# KERBEROS AUTHENTICATION STEPS
Reference resource:
Designing an Authentication System:
a Dialogue in Four Scenes
http://www.mit.edu/~kerberos/dialogue.html |
|