KERBEROS AUTHENTICATION STEPS

Question

本帖最后由 ancharn 于 2011-05-25 17:04 编辑

KERBEROS AUTHENTICATION STEPS
# Mailto: manualpage at gmail.com

STEP 1: INITIAL Kerberos AUTHENTICATION
1. User enters username & kerberos_password to login program.
2. Login program converts the username to a principal name, then send login
   request(ask for TGT) for that principal to the KDC's "authentication service".
        # Ticket Grant Ticket, or TGT for short.
        ---pre-auth---
        a. Login program send UserInputPwd(time) to KDC
        b. KDC UserRealPwd(UserInputPwd(time))
        c. time = time?
        Note: so, the time sync is very important, use NTP to keep time sync.
3. KDC sends the login program a TGT encrypted using the user's real password.
        ---Process---
        a. KDC generates a secret session key(TGT), KDC keeps one copy.
        b. TGT was encrypted using the password that belongs to the user's principal
             as the encryption key.
        c. KDC send the UserRealPwd(TGT) copy back to login program.
4. If the login program can decrypt the TGT with the password provided by the user
   entered as the decryption key, the user is authenticated.
        # Login program decode it: UserInputPwd(UserRealPwd(TGT)) = TGT
5. User got the TGT for later use.

STEP 2: TICKET AUTHENTICATION
1. Client sends request for service ticket to KDC's "ticket granting service".
2. KDC generates another secret session key that will be used as the service ticket,
   and sends client two identical copies.
        a. One encrypted with the user's current TGT:
                TGT(service_ticket)
        b. One encrypted with the password of the network service's principal:
                SrvPwd(service_ticket)
3. Client User decrypt the first copy(TGT(service ticket)) using its current TGT,
   then user got the ticket, "service_ticket".
        # Decrypt it: TGT(TGT(service_ticket)) = service_ticket.
4. Client create authenticator by encrypting a current timestamp with the decrypted
   service ticket.
        # authenticator = service_ticket(timestamp)
5. Client sends the second copy SrvPwd(service_ticket) and the authenticator to the
   network service host who privide the servie.
        # Note: SrvPwd(service_ticket) is still encrypted with the network service's
        password.
6. The network service uses the password stored in its keytab file to decrypt the
   second copy of the ticket, and network servie got the "service_ticket"
        # Decrypt: SrvPwd(SrvPwd(service_ticket)) = service_ticket
7. The network service uses the decrypted "service_ticket" to decrypt the
   authenticator: service_ticket(service_ticket(timestamp)).
                               
# NOTE:
  Since only the service and the KDC know the password, if network service can
  decrypt the SrvPwd(service_ticket) and got the "service_ticket", the service
  knows the "service_ticket" came from the KDC.
  If the network service can decrypt the authenticator using the decrypted
  "service_ticket", then the network service knows the user's client decrypted its
  "service_ticket", and thereforce knows its own password on the same KDC.
  So, the "service_ticket" which user got = the "service_ticket" which network
  service decrypted, the user can use this service.
  So, "service_ticket"=secret key=symetric key, for user and service use, and
  TGT=secret key=symetric key, for user and KDC use.
#
# KERBEROS AUTHENTICATION STEPS

Reference resource:
Designing an Authentication System:
a Dialogue in Four Scenes
http://www.mit.edu/~kerberos/dialogue.html