Kerberos Authentication - PowerPoint PPT Presentation

About This Presentation
Title: Kerberos Authentication

Description: Credentials allow impersonation. Authorization. How does the authentication mechanism fit in authorization topology ... Authorization based on authenticated ...

Number of Views:59
Avg rating:3.0/5.0
Slides: 10
Provided by: Joe4127

Transcript and Presenter's Notes

1
Kerberos Authentication
2
Kerberos
  • Requires shared secret with KDC (perhaps not for
    PKINIT)
  • Shared session key established
  • Time synchronization needed
  • Mutual Authentication
  • Credentials allow impersonation

3
Authorization
  • How does the authentication mechanism fit into the
    authorization topology?
  • Authorization based on authenticated identity
    (mapping may be needed)
  • Authorization within authentication messages
    (Kerberos auth data)
  • What are authorization messages bound to?

4
Kerberos with Pull Model 1
[Diagram: message flow among User, User Org KDC, User Org AAA Server and Application. Labels: TGT, AST, ID, AM, "AST, Auth", OK, Secure Channel.]
Legend:
  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • AST: Application Service Ticket
  • ID: Authenticate Identity
  • AM: Message Authorizing Application by User Org
5
Kerberos with Pull Model 2
[Diagram: message flow among User, User Org KDC, User Org Authorization Server and Application. Labels: "UOST UOSTAuth", UOST, TGT, AST, AM, "AST,(TGTkey), TGT ASTAuth", OK.]
Legend:
  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • TGTKey: TGT key encrypted with AST session key (KRB_CRED)
  • UOST: User Org Authorization Server Service Ticket
  • AST: Application Service Ticket
  • AM: Message Authorizing Application by User Org
6
Kerberos with Pull Model 3
[Diagram: message flow among User, User Org KDC, User Org Authorization Server and Application. Labels: "UOST Auth", TGT, UOST, AM, "UOST, Auth", OK, Secure Channel.]
Legend:
  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • UOST: User Org Authorization Server Service Ticket
  • Auth: Authenticator encrypted with session key
  • AM: Message Authorizing Application by User Org
7
Push Example
[Diagram: message flow among User, User Org KDC, User Org Authorization Server and Application. Labels: UOST, TGT, CERT, AST, OK.]
Legend:
  • KDC: Kerberos Key Distribution Center
  • TGT: Ticket Granting Ticket
  • UOST: User Org Authorization Server Service Ticket
  • CERT: Authorization For User Signed By User Org / Bind to User principal or ????
8
Inter-Domain Pull
[Diagram: message flow among User, User Org KDC, User Org Authorization Server, Application Org KDC and Application. Labels: TR, TGT, AST, ID, AM, OK.]
Legend:
  • KDC: User Org Kerberos Key Distribution Center
  • KDC: Application Org Kerberos Key Distribution Center
  • TGT: Application Org Ticket Granting Ticket
  • AST: Application Service Ticket
  • ID: Authenticate Identity
  • AM: Message Authorizing Application by User Org
  • TR: Trust Relationship
9
Kerberos Inter-Realm
[Diagram: message flow among User, User Org KDC, Application Org KDC and Application. Labels: TR, TGT, AST, OK.]