PPT Slide

User Org

KDC

User

User Org

AAA Server

Application

TGT

UOST,

AST

CERT, AST, AAuth

OK

CERT

Figure 4a - Intra-Realm Push Sequence

Application Performs Authentication

User Org Performs Authentication and Authorization

KDC: Kerberos Key Distribution Center

TGT: Ticket Granting Ticket

UOST: User Org AAA Server Service Ticket

UAuth: Authenticator created by User and encrypted with UOST session key

AST: Application Service Ticket

AAuth: Authenticator created by User and encrypted with AST session key

CERT: Certificate authorizing User to Application / Can be bound to:

User name or ID, User IP address, secure channel session between User and Application (if created - would need to pass the session key or identifier to the AAA server)

UOST,

UAuth

Previous slide

Next slide

Back to first slide

View graphic version

Slide Notes and Questions:

• Requires the Application to have a relationship with the KDC and User Org.

• What set of information does the User Org authorization certificate (CERT) contain? Is it signed with the

Application’s public key or with a shared secret between the User Org AAA server and the Application?

3. Are there any security issues?

4. AST => {Tcs}Ks

Tcs => Application, User, IP addr of User, ts, lifetime, Kcs

Ks => Application’s shared key with the KDC

AAuth => {Ac}Kcs

Ac => name of User, IP addr of User, ts (New Ac must be generated per service request)

Kcs => Session key for User and Application

UOST => {Tcs}Ks

Tcs => User Org AAA server, User, IP addr of User, ts, lifetime, Kcs

Ks => User Org AAA server’s shared key with the KDC

UAuth => {Ac}Kcs

Ac => name of User, IP addr of User, ts (New Ac must be generated per service request)

Kcs => Session key for User and User Org AAA server