PPT Slide

User Org

KDC

User

User Org

AAA Server

Application

TGT

UOST

CERT

OK

UOST,

Auth

CERT

Figure 4 - Inter-Domain Push Sequence

User Org Performs Authentication and Authorization

KDC: Kerberos Key Distribution Center

TGT: Ticket Granting Ticket

UOST: User Org AAA Server Service Ticket

Auth: Authenticator created by User and encrypted with UOST session key

CERT: Certificate authorizing User to Application / Can be bound to:

User name or ID, User IP address (these could be sent in the cert), secure channel session between User and Application (if created - would need to pass the session key or identifier to the AAA server)

Previous slide

Next slide

Back to first slide

View graphic version

Slide Notes and Questions:

• What set of information does the User Org authorization certificate (CERT) contain? Is it signed with the

Application’s public key or with a shared secret between the User Org AAA server and the Application?

• Are there any security issues?

3. UOST => {Tcs}Ks

Tcs => User Org AAA server, User, IP addr of User, ts, lifetime, Kcs

Ks => User Org AAA server’s shared key with the KDC

Auth => {Ac}Kcs

Ac => name of User, IP addr of User, ts (New Ac must be generated per service request)

Kcs => Session key for User and User Org AAA server