
Kerberos

Kerberos. Kerberos Ticket. Login with Kerberos.

erek


  1. Kerberos: Kerberos Ticket

  2. Login with Kerberos
  • The first time a user requests a Kerberos ticket is when that user logs in to some account in a Windows 2003 domain. From the point of view of the user, the process is simple: type a login name, a domain name, and a password into some client machine, then wait for the login to succeed or fail. What's actually going on is not quite so simple.
  • The user's login request causes the client system to send a message to a KDC running on a domain controller. The message contains several things, including the user's name; preauthentication data, which consists of a timestamp encrypted using KC (a hash of the user's password) as the key; and a request for a ticket-granting ticket (TGT).

  3. Logging In
  • KDC: Key Distribution Center (Domain Controller / CA (certificate authority))
  • KX: The secret key (that is, the hashed password) of X, where X is a client (C) user, a server (S) application, or the KDC (K).
  • {anything}KX: Anything encrypted with X's secret key.
  • {T}KS: A ticket encrypted with server S's secret key. In other words, this is a ticket for server S (the notation is a bit imprecise, since the entire ticket isn't encrypted).
  • KX,Y: A session key used between X and Y.
  • {anything}KX,Y: Anything encrypted with the session key used between X and Y.
  • TGT: Ticket Granting Ticket

  4. Authenticating to a Remote Service
  Figure 4: Getting and Using a Service Ticket
  • When the client application makes its first remote request to the server, a ticket request is automatically made to the KDC, as shown in Figure 4.
  • When the KDC receives this request, it decrypts the TGT (recall that only the KDC knows KK, the key used to encrypt this ticket), then extracts the session key KC,K from the ticket.
  • It then uses this session key to decrypt the authenticator.
  • The authenticator serves two purposes. First, because it is encrypted using the client/Kerberos session key, it proves that the user is who she claims to be, since, as described earlier, the only way to get this session key is to type the correct password at login.
  • If the KDC's attempted decryption of the authenticator is successful, the client system must be in possession of the session key.

  5. Inter-Domain Authentication
  Figure 6: Authenticating Across Domains
