PPT Slide
AM: Message authorizing User to Application / Can be bound to: User name or ID, User IP address, Skey, secure channel
session between User and Application (would need to pass the session key or identifier to the AAA server)
Notes:
Slide Notes and Questions:
- Need to use kerberos proxy tickets in this situation. This allows multiple IP addr, such as the Application’s IP addr,
to be specified as valid presenters in the ticket.
- What set of information does the User Org authorization message (AM) contain?
3. What exactly is implied by “secure channel”?
- Are there any security issues?
5. The reason why a secure channel is needed between the Application and the User Org authorization server is
because the AM message is not protected. The secure channel could be removed if AM is sent as a certificate
signed with some shared secret between the Application and the User Org authorization server. An encrypted,
secure channel is needed between the User and the Application because the SKey cannot be sent in the clear.
Tcs => User Org AAA server, User, IP addr of User, IP addr of Application, ts, lifetime, Kcs
Ks => User Org AAA server’s shared key with the KDC
Ac => name of User, IP addr of User or Application, ts (New Ac must be generated per service request)
Kcs => Session key for User and User Org AAA server
* The IP addr of the Application may be used because the authenticator is created by the Application.