PPT Slide

User Org

KDC

User

User Org

AAA Server

Application

TGT

AST

AST, TGT, TGTKey, AAuth

UOST, UAuth

AM

OK

Figure 1e - Intra-Realm Pull Sequence

Application Performs Authentication

User Org Performs Authentication and Authorization

KDC: Kerberos Key Distribution Center

TGT: Forwardable Ticket Granting Ticket

TGTkey: Session key shared between the User and the KDC

UOST: User Org AAA Server Service Ticket

AST: Application Service Ticket

AAuth: Authenticator created by User and encrypted with AST session key

UAuth: Authenticator created by Application and encrypted with UOST session key

AM: Message authorizing User to Application / Can be bound to:

User name or ID, User IP address, secure channel session between User and Application (if created - would need to pass the session key or identifier to the AAA server)

Secure Channel

TGT

UOST

Encrypted Secure Channel

Previous slide

Next slide

Back to first slide

View graphic version

Slide Notes and Questions:

• Need to use kerberos forwardable tickets in this situation. This allows the Application to request service tickets from the KDC on behalf

of the User.

2. Requires the Application to have a relationship with the KDC and User Org.

3. What set of information does the authorization message (AM) contain?

4. What exactly is implied by “secure channel”?

• Are there any security issues?

6. The reason why a secure channel is needed between the Application and the User Org authorization server is

because the AM message is not protected. The secure channel could be removed if AM is sent as a certificate signed

with some shared secret between the Application and the User Org authorization server.

7. AST => {Tcs}Ks

Tcs => Application, User, IP addr of User, ts, lifetime, Kcs

Ks => Application’s shared key with the KDC

AAuth => {Ac}Kcs

Ac => name of User, IP addr of User, ts (New Ac must be generated per service request)

Kcs => Session key for User and Application

UOST => {Tcs}Ks

Tcs => User Org AAA server, User, IP addr of User, IP addr of Application, ts, lifetime, Kcs

Ks => User Org AAA server’s shared key with the KDC

* Is the Application name or ID used instead of the User’s since the Application is acting on behalf of the user?

UAuth => {Ac}Kcs

Ac => name of User, IP addr of User or Application, ts (New Ac must be generated per service request)

Kcs => Session key for User and User Org AAA server

* The IP addr of the Application may be used because the authenticator is created by the Application.