Title: Kerberos Authentication
1. Kerberos Authentication
2. Kerberos
- Requires shared secret with KDC (perhaps not for PKINIT)
- Shared session key established
- Time synchronization needed
- Mutual authentication
- Credentials allow impersonation
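A toy model of the exchanges behind the properties listed above, added here as an example and not part of the original slides: the AS exchange yields a TGT, the TGS exchange yields an application service ticket, and the AP exchange carries a timestamped authenticator that is checked against a clock-skew window, with an AP-REP for mutual authentication. Standard library only; the seal/unseal construction, the principal names alice and app, the ticket lifetime and the 5-minute skew value are assumptions standing in for real Kerberos enctypes and configuration.

```python
import hashlib, hmac, json, os, time
SKEW = 300  # seconds; assumed clock-skew tolerance (Kerberos' usual default)

def _ks(key, nonce, n):  # keystream for the toy seal below
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))

def seal(key, obj):  # encrypt-then-MAC a JSON object; a stand-in for a Kerberos enctype, not a real one
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = nonce + bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct[16:], _ks(key, ct[:16], len(ct) - 16))))

def check_authenticator(auth, cname, now):  # time synchronization: outside the skew window -> reject
    if auth["cname"] != cname or abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator rejected: name mismatch or clock skew")

def issue_ticket(key, cname, now):  # KDC mints a fresh session key bound to cname, sealed under key
    sk = os.urandom(32)
    return seal(key, {"cname": cname, "key": sk.hex(), "exp": now + 36000}), sk

def as_exchange(kdc, user, now):  # AS-REQ/REP: TGT plus its session key sealed under the user's key
    tgt, sk = issue_ticket(kdc["krbtgt"], user, now)
    return tgt, seal(kdc[user], {"key": sk.hex()})

def tgs_exchange(kdc, tgt, auth, sname, now):  # TGS-REQ/REP: TGT + authenticator -> service ticket
    t = unseal(kdc["krbtgt"], tgt); tsk = bytes.fromhex(t["key"])
    check_authenticator(unseal(tsk, auth), t["cname"], now)
    ast, sk = issue_ticket(kdc[sname], t["cname"], now)
    return ast, seal(tsk, {"key": sk.hex()})

def ap_exchange(svc_key, ticket, auth, now):  # application: open AST, verify authenticator, reply
    t = unseal(svc_key, ticket); sk = bytes.fromhex(t["key"])
    a = unseal(sk, auth); check_authenticator(a, t["cname"], now)
    return t["cname"], seal(sk, {"ts": a["ts"]})  # AP-REP proves the service holds svc_key

def kerberos_app_auth(client_clock_offset=0):  # User -> KDC (TGT) -> KDC (AST) -> Application
    now, kdc = time.time(), {"krbtgt": os.urandom(32), "alice": os.urandom(32), "app": os.urandom(32)}
    tgt, enc = as_exchange(kdc, "alice", now)
    tsk, cnow = bytes.fromhex(unseal(kdc["alice"], enc)["key"]), now + client_clock_offset
    ast, enc = tgs_exchange(kdc, tgt, seal(tsk, {"cname": "alice", "ts": cnow}), "app", now)
    sk = bytes.fromhex(unseal(tsk, enc)["key"])
    who, rep = ap_exchange(kdc["app"], ast, seal(sk, {"cname": "alice", "ts": cnow}), now)
    if unseal(sk, rep)["ts"] != cnow:  # client checks AP-REP: mutual authentication
        raise ValueError("service failed mutual authentication")
    return who
```

Running `kerberos_app_auth()` returns the name the application accepted; a client clock more than SKEW seconds off the KDC's is rejected at the TGS step, which is the "time synchronization needed" property in action.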
3. Authorization
- How does the authentication mechanism fit in the authorization topology?
- Authorization based on authenticated identity (mapping may be needed)
- Authorization within authentication messages (Kerberos auth data)
- What are authorization messages bound to?
4. Kerberos with Pull Model 1
[Figure: message flow between User, User Org KDC, User Org AAA Server and Application. Labels in the figure: TGT, AST, ID, AM, Secure Channel, "AST, Auth", OK.]
Legend:
- KDC: Kerberos Key Distribution Center
- TGT: Ticket Granting Ticket
- AST: Application Service Ticket
- ID: Authenticate Identity
- AM: Message Authorizing Application by User Org
5. Kerberos with Pull Model 2
[Figure: message flow between User, User Org KDC, User Org Authorization Server and Application. Labels in the figure: UOST, UOSTAuth, TGT, AST, AM, "AST, (TGTkey), TGT ASTAuth", OK.]
Legend:
- KDC: Kerberos Key Distribution Center
- TGT: Ticket Granting Ticket
- TGTKey: TGT key encrypted with AST session key (KRB_CRED)
- UOST: User Org Authorization Server Service Ticket
- AST: Application Service Ticket
- AM: Message Authorizing Application by User Org
6. Kerberos with Pull Model 3
[Figure: message flow between User, User Org KDC, User Org Authorization Server and Application. Labels in the figure: "UOST Auth", TGT, UOST, AM, "UOST, Auth", OK, Secure Channel.]
Legend:
- KDC: Kerberos Key Distribution Center
- TGT: Ticket Granting Ticket
- UOST: User Org Authorization Server Service Ticket
- Auth: Authenticator encrypted with session key
- AM: Message Authorizing Application by User Org
7. Push Example
[Figure: message flow between User, User Org KDC, User Org Authorization Server and Application. Labels in the figure: UOST, TGT, UOST, CERT, AST, CERT, AST, OK.]
Legend:
- KDC: Kerberos Key Distribution Center
- TGT: Ticket Granting Ticket
- UOST: User Org Authorization Server Service Ticket
- CERT: Authorization for User signed by User Org / bind to User principal or ????
8. Inter-Domain Pull
[Figure: message flow between User, User Org KDC, User Org Authorization Server, Application Org KDC and Application; the two KDCs are linked by TR. Labels in the figure: TR, TGT, AST, TGT, TGT, ID, AM, AST, OK.]
Legend:
- KDC (User Org): User Org Kerberos Key Distribution Center
- KDC (Application Org): Application Org Kerberos Key Distribution Center
- TGT: Application Org Ticket Granting Ticket
- AST: Application Service Ticket
- ID: Authenticate Identity
- AM: Message Authorizing Application by User Org
- TR: Trust Relationship
9. Kerberos Inter-Realm
[Figure: message flow between User, User Org KDC, Application Org KDC and Application; the two KDCs are linked by TR. Labels in the figure: TR, TGT, TGT, AST, TGT, AST, OK. No legend on this slide.]