PPT Slide

User Org

KDC

User

Broker

Application

User Org

AAA Server

TGT

UOST

AM’

UOST, Auth

UOST, Auth

AM

UOST, Auth

OK

Secure Channel 2

Secure Channel 1

Figure 3 - Inter-Domain Pull Sequence

User Org Performs Authentication and Authorization

Trusted Broker Relays Authorization

KDC: Kerberos Key Distribution Center

TGT: Ticket Granting Ticket

UOST: User Org AAA Server Service Ticket

Auth: Authenticator created by User and encrypted with UOST session key

AM: Message authorizing User to Application / Can be bound to: User name or ID, User IP address (these could be sent through AM) , secure channel session between User and Application (if created - would need to pass the session key or identifier to the AAA server)

AM’: Message signed/changed by trusted Broker to relay authorization to Application

Previous slide

Next slide

Back to first slide

View graphic version

Slide Notes and Questions:

• Need to use kerberos proxy tickets in this situation. This allows multiple IP addr, such as the Application’s IP addr and the

Broker’s IP addr, to be specified as valid presenters in the ticket.

2. What set of information does the User Org authorization message (AM) contain?

3. What set of information does the Broker authorization message (AM’) contain?

4. What exactly is implied by “secure channel”?

• Are there any security issues?

6. The reason why a secure channel is needed between the User Org and the Broker is because the AM message is

not protected. The secure channel could be removed if AM is sent as a certificate signed with some shared secret

between the User Org and the Broker. The reason why a secure channel is needed between the Application and the

Broker is because the AM’ message is not protected. The secure channel could be removed if AM’ is sent as a

certificate signed with some shared secret between the Application and the Broker.

7. UOST => {Tcs}Ks

Tcs => User Org AAA server, User, IP addr of User, ts, lifetime, Kcs

Ks => User Org AAA server’s shared key with the KDC

Auth => {Ac}Kcs

Ac => name of User, IP addr of User, ts (New Ac must be generated per service request)

Kcs => Session key for User and User Org AAA server