Slide 5 of 14
Slide Notes and Questions:
1. Need to use Kerberos forwardable tickets in this situation. This allows the Application to request service tickets from the KDC on behalf of the user.
2. Requires the Application to have a relationship with the KDC and the User Org.
3. What set of information does the authorization message (AM) contain?
4. What exactly is implied by “secure channel”?
5. Are there any security issues?
6. The reason a secure channel is needed between the Application and the User Org authorization server is that the AM itself carries no protection. The secure channel could be dropped if the AM protected itself: with a key shared between the Application and the User Org authorization server that means a MAC over the AM (a signature needs a key pair, and a certificate is not the right object for this), plus a timestamp or nonce inside the MACed data so a captured AM cannot be replayed. A MAC gives integrity and origin only; if the AM carries attributes that must stay private, it still has to be encrypted.
Ticket and authenticator contents (standard Kerberos layout: the ticket Tcs is encrypted under the server's key Ks, the authenticator Ac under the session key Kcs):

User -> Application
Tcs => Application, User, IP addr of User, ts, lifetime, Kcs (encrypted under Ks)
Ks => Application’s shared key with the KDC
Ac => name of User, IP addr of User, ts (encrypted under Kcs; a new Ac must be generated per service request)
Kcs => Session key for User and Application

Application -> User Org AAA server (forwarded ticket)
Tcs => User Org AAA server, User, IP addr of User, IP addr of Application, ts, lifetime, Kcs (encrypted under Ks)
Ks => User Org AAA server’s shared key with the KDC
* Is the Application name or ID used instead of the User’s, since the Application is acting on behalf of the user?
Ac => name of User, IP addr of User or Application, ts (encrypted under Kcs; a new Ac must be generated per service request)
Kcs => Session key for User and User Org AAA server
* The IP addr of the Application may be used because the authenticator is created by the Application. Whichever address is chosen, the server should accept an authenticator only if its name matches the ticket, its address is listed in the ticket and matches the peer it is talking to, its timestamp is fresh, and it has not been presented before.
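Added worked example (not from the slides): a stdlib-only Python model of the two exchanges above, with the server-side checks a verifier performs on Tcs and Ac. Kerberos encryption is stood in for by an encrypt-then-MAC construction (SHA-256 keystream plus HMAC); real Kerberos uses its own enctypes. Field names, the sample addresses, the 5-minute skew window, the replay cache keyed on (user, authenticator ts), and the choice of the Application's address in the forwarded-ticket authenticator are all this example's assumptions.

```python
"""Toy model of the Kerberos ticket/authenticator checks from the notes (added example)."""
import hashlib
import hmac
import json
import os

SKEW = 300  # assumed policy: authenticators older than 5 minutes are rejected


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key (stand-in for Kerberos' {...}K)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the object, or None if the MAC fails (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def issue_ticket(ks, server, user, addrs, ts, lifetime, kcs):
    """KDC: Tcs = {server, user, addrs, ts, lifetime, Kcs} under the server's key Ks."""
    return seal(ks, {"server": server, "user": user, "addrs": addrs,
                     "ts": ts, "lifetime": lifetime, "kcs": kcs.hex()})


def make_authenticator(kcs, user, addr, ts):
    """Caller: Ac = {user, addr, ts} under Kcs; must be fresh for every request."""
    return seal(kcs, {"user": user, "addr": addr, "ts": ts})


class Service:
    """A Kerberised server: the Application or the User Org AAA server."""

    def __init__(self, name, ks):
        self.name, self.ks = name, ks
        self.seen = set()  # replay cache of (user, authenticator ts)

    def verify(self, ticket, auth, peer_addr, now):
        """Return (Kcs, None) on success or (None, reason) on failure."""
        t = unseal(self.ks, ticket)
        if t is None or t["server"] != self.name:
            return None, "ticket not issued under Ks / not for this server"
        if not (t["ts"] <= now < t["ts"] + t["lifetime"]):
            return None, "ticket expired or not yet valid"
        kcs = bytes.fromhex(t["kcs"])
        a = unseal(kcs, auth)
        if a is None:
            return None, "authenticator not under the ticket's session key"
        if a["user"] != t["user"]:
            return None, "authenticator name does not match ticket"
        if a["addr"] != peer_addr or a["addr"] not in t["addrs"]:
            return None, "address mismatch"
        if abs(now - a["ts"]) > SKEW:
            return None, "authenticator too old"
        if (a["user"], a["ts"]) in self.seen:
            return None, "replayed authenticator"
        self.seen.add((a["user"], a["ts"]))
        return kcs, None


def run_demo():
    """Both exchanges from the slide plus the failure cases; returns (Kcs, reason) tuples."""
    ks_app, ks_aaa = os.urandom(32), os.urandom(32)
    app, aaa = Service("Application", ks_app), Service("UserOrgAAA", ks_aaa)
    now = 1_700_000_000
    user_ip, app_ip = "10.0.0.5", "10.0.1.9"  # constructed sample addresses

    # 1. User -> Application: ticket bound to the User's address.
    kcs1 = os.urandom(32)
    t1 = issue_ticket(ks_app, "Application", "alice", [user_ip], now, 3600, kcs1)
    ok_app = app.verify(t1, make_authenticator(kcs1, "alice", user_ip, now), user_ip, now)

    # 2. Application -> User Org AAA with a forwarded ticket: still names the User,
    #    lists both addresses; the Application builds Ac, so it uses its own address (assumption).
    kcs2 = os.urandom(32)
    t2 = issue_ticket(ks_aaa, "UserOrgAAA", "alice", [user_ip, app_ip], now, 3600, kcs2)
    a2 = make_authenticator(kcs2, "alice", app_ip, now + 1)
    ok_aaa = aaa.verify(t2, a2, app_ip, now + 1)

    replay = aaa.verify(t2, a2, app_ip, now + 2)  # same Ac presented twice
    wrong_host = aaa.verify(t2, make_authenticator(kcs2, "alice", app_ip, now + 3), "10.9.9.9", now + 3)
    expired = aaa.verify(t2, make_authenticator(kcs2, "alice", app_ip, now + 4), app_ip, now + 3604)
    misdirected = aaa.verify(t1, make_authenticator(kcs1, "alice", user_ip, now + 5), user_ip, now + 5)
    return [ok_app, ok_aaa, replay, wrong_host, expired, misdirected]


if __name__ == "__main__":
    for kcs, reason in run_demo():
        print("accepted" if reason is None else f"rejected: {reason}")
```

The `misdirected` case shows why the ticket names its server: a ticket issued under the Application's Ks is meaningless to the User Org AAA server, so the Application must obtain a second ticket (the forwarded one) rather than relay the User's.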