PPT Slide

User Org

KDC

User

User Org

Authorization

Server

Application

TGT’

Application Org

KDC’

AST, Auth

OK

TGT’

AST

ID

AM

TR

Secure Channel

KDC: User Org Kerberos Key Distribution Center

KDC’: Application Org Kerberos Key Distribution Center

TGT’: Application Org Ticket Granting Ticket

AST: Application Service Ticket

Auth: Authenticator created by User and encrypted with AST session key

ID: Authenticate Identity

AM: Message authorizing User to Application / Can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created - would need to pass the session key or identifier to the AAA server)

TR: Trust Relationship

Figure 2 - Inter-Realm Pull Sequence

Application Performs Authentication

User Org Performs Authorization

Previous slide

Next slide

Back to first slide

View graphic version

Slide Notes and Questions:

• Requires the Application’s KDC to have a trust relationship with the User Org’s KDC.

2. What set of information does the Application authenticate message (ID) contain?

3. What set of information does the User Org authorization message (AM) contain?

4. What exactly is implied by “secure channel”?

• Are there any security issues?

6. The reason why a secure channel is needed between the Application and the User Org authorization server is

because the AM message is not protected. The secure channel could be removed if AM is sent as a

certificate signed with some shared secret between the Application and the User Org authorization server. Is the

ID message safe if it is sent in a non-secure channel?

7. AST => {Tcs}Ks

Tcs => Application, User, IP addr of User, ts, lifetime, Kcs

Ks => Application’s shared key with the KDC

Auth => {Ac}Kcs

Ac => name of User, IP addr of User, ts (New Ac must be generated per service request)

Kcs => Session key for User and Application