Kerberos Authentication (PowerPoint PPT presentation)
Kerberos Authentication
Kerberos
• Requires shared secret with KDC (perhaps not for PKINIT)
• Shared session key established
• Time synchronization needed
• Mutual authentication
• Credentials allow impersonation
Authorization
• How does the authentication mechanism fit into the authorization topology?
• Authorization based on authenticated identity (mapping may be needed)
• Authorization within authentication messages (Kerberos auth data)
• What are authorization messages bound to?
Kerberos with Pull Model 1
[Diagram: participants User, User Org KDC, User Org AAA Server, Application. Message labels as they appear on the slide: TGT AST; AST, Auth; ID AM; OK; Secure Channel.]
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
AST: Application Service Ticket
ID: Authenticate Identity
AM: Message Authorizing Application by User Org
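The Pull Model 1 exchange above, as an added example that is not part of the slides: a toy Python model of the AS, TGS and AP exchanges (shared secret with the KDC, fresh session key, timestamp and replay check, mutual authentication), followed by the application's identity-based lookup at a hypothetical User Org AAA table. The names KEYS, AAA, SKEW, the service "app" and the principal alice@USER.ORG are assumptions, the SHA-256 keystream plus HMAC "seal" stands in for Kerberos' real encryption types, and the TGS-side authenticator check is omitted.

```python
import hashlib, hmac, json, os, time

KEYS = {"alice@USER.ORG": os.urandom(32), "krbtgt": os.urandom(32), "app": os.urandom(32)}
AAA = {"alice@USER.ORG": "OK"}  # hypothetical User Org AAA server table: identity -> AM
SKEW = 300                      # clock skew (s) a service tolerates on authenticator timestamps

def _ks(key, nonce, n):         # SHA-256 counter keystream: toy stand-in for Kerberos enctypes
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):             # encrypt-then-MAC a JSON object under key
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):          # verify MAC, then decrypt; fails closed on tampering or wrong key
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct[16:], _ks(key, ct[:16], len(ct) - 16))))

def kdc_issue(client, service, reply_key):  # ticket under service key; session key under reply_key
    sk = os.urandom(32)
    body = {"client": client, "service": service, "key": sk.hex(), "exp": time.time() + 3600}
    return seal(KEYS[service], body), seal(reply_key, {"key": sk.hex()})

def kdc_tgs(tgt, service):      # TGS exchange: the TGT, not a password, identifies the client
    t = unseal(KEYS["krbtgt"], tgt)
    return kdc_issue(t["client"], service, bytes.fromhex(t["key"]))

def app_verify(ast, authenticator, seen, now=None):  # application side of the AP exchange
    now = now or time.time()
    t = unseal(KEYS["app"], ast)
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)                       # only a holder of the session key can make it
    if a["client"] != t["client"] or t["exp"] < now:
        raise ValueError("authenticator/ticket mismatch or ticket expired")
    if abs(a["ts"] - now) > SKEW or (a["client"], a["ts"]) in seen:
        raise ValueError("stale or replayed authenticator")  # why clocks must be synchronised
    seen.add((a["client"], a["ts"]))
    return t["client"], seal(sk, {"ts": a["ts"]})       # AP_REP: proves the app knows sk too

def pull_model_1(client="alice@USER.ORG"):
    tgt, enc = kdc_issue(client, "krbtgt", KEYS[client])   # AS exchange: needs the shared secret
    tgt_sk = bytes.fromhex(unseal(KEYS[client], enc)["key"])
    ast, enc2 = kdc_tgs(tgt, "app")                        # User -> KDC: AST via the TGT
    ast_sk = bytes.fromhex(unseal(tgt_sk, enc2)["key"])
    ts = time.time()
    ident, rep = app_verify(ast, seal(ast_sk, {"client": client, "ts": ts}), set())  # AST, Auth
    mutual = unseal(ast_sk, rep)["ts"] == ts            # the user verifies the application
    return ident, mutual, AAA.get(ident, "DENY")        # ID -> AM, looked up by authenticated identity
```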
Kerberos with Pull Model 2
[Diagram: participants User, User Org KDC, User Org Authorization Server, Application. Message labels as they appear on the slide: TGT AST; AST, (TGTkey), TGT AST Auth; UOST UOST Auth; AM; OK; UOST.]
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
TGTKey: TGT key encrypted with AST session key (KRB_CRED)
UOST: User Org Authorization Server Service Ticket
AST: Application Service Ticket
AM: Message Authorizing Application by User Org
Kerberos with Pull Model 3
[Diagram: participants User, User Org KDC, User Org Authorization Server, Application. Message labels as they appear on the slide: TGT UOST; UOST, Auth; UOST Auth; AM; OK; Secure Channel.]
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org Authorization Server Service Ticket
Auth: Authenticator encrypted with session key
AM: Message Authorizing Application by User Org
Push Example
[Diagram: participants User, User Org KDC, User Org Authorization Server, Application. Message labels as they appear on the slide: TGT UOST; CERT; OK; UOST; CERT; "or ????"; AST; AST.]
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org Authorization Server Service Ticket
CERT: Authorization for user signed by User Org / bound to user principal
Inter-Domain Pull
[Diagram: participants User, User Org KDC, User Org Authorization Server, Application, Application Org KDC’. Message labels as they appear on the slide: TGT’; AST; OK; TGT’; AST; ID AM; TR; TGT.]
KDC: User Org Kerberos Key Distribution Center
KDC’: Application Org Kerberos Key Distribution Center
TGT’: Application Org Ticket Granting Ticket
AST: Application Service Ticket
ID: Authenticate Identity
AM: Message Authorizing Application by User Org
TR: Trust Relationship
Kerberos Inter-Realm
[Diagram: participants User, User Org KDC, Application, Application Org KDC’. Message labels as they appear on the slide: TGT’; AST; OK; TGT’; AST; TR; TGT.]