Kerberos Authentication
Kerberos
• Requires a shared secret (long-term key) between each principal and the KDC; PKINIT replaces the client's shared secret with a public-key credential, but the KDC still holds the service keys
• A shared session key is established between the client and the service
• Time synchronization is needed: authenticators carry timestamps, and the verifier rejects them outside the allowed clock skew
• Mutual authentication: the service proves possession of the ticket's session key in the AP-REP
• Credentials allow impersonation: whoever holds a ticket and its session key, or a forwarded TGT, can act as that principal
Authorization
• How does the authentication mechanism fit into the authorization topology?
• Authorization based on the authenticated identity (a mapping from Kerberos principal to local identity may be needed)
• Authorization carried within the authentication messages (Kerberos authorization data in the ticket)
• What are authorization messages bound to (the authenticated user principal? the application? the request?)
Kerberos with Pull Model 1
Participants: User, User Org KDC, User Org AAA Server, Application.
Flow (as the diagram's labels imply): the User obtains a TGT and then an AST from the User Org KDC and presents the AST with an authenticator to the Application; the Application sends the authenticated identity (ID) to the User Org AAA Server over a secure channel and receives an AM; the Application returns OK to the User.
Legend
• KDC: Kerberos Key Distribution Center
• TGT: Ticket Granting Ticket
• AST: Application Service Ticket
• ID: Authenticated Identity
• AM: Message Authorizing Application by User Org
Kerberos with Pull Model 2
Participants: User, User Org KDC, User Org Authorization Server, Application.
Flow (as the diagram's labels imply): the User obtains a TGT and an AST from the User Org KDC and sends the Application AST, (TGTkey), TGT and ASTAuth, i.e. the TGT is forwarded to the Application with its key wrapped in a KRB_CRED message under the AST session key; the Application uses the forwarded TGT to obtain a UOST from the User Org KDC, presents UOST and UOSTAuth to the User Org Authorization Server and receives an AM; the Application returns OK to the User. Forwarding the TGT lets the Application act as the User toward the Authorization Server (credentials allow impersonation).
Legend
• KDC: Kerberos Key Distribution Center
• TGT: Ticket Granting Ticket
• TGTKey: TGT session key encrypted with the AST session key (KRB_CRED)
• UOST: User Org Authorization Server Service Ticket
• AST: Application Service Ticket
• AM: Message Authorizing Application by User Org
Kerberos with Pull Model 3
Participants: User, User Org KDC, User Org Authorization Server, Application.
Flow (as the diagram's labels imply): the User obtains a TGT and a UOST from the User Org KDC and sends UOST and Auth to the Application; the Application relays UOST and Auth to the User Org Authorization Server over a secure channel, which verifies them and returns an AM; the Application returns OK to the User. The Application holds no Kerberos key of its own here; it relies on the secure channel and on the Authorization Server to authenticate the User.
Legend
• KDC: Kerberos Key Distribution Center
• TGT: Ticket Granting Ticket
• UOST: User Org Authorization Server Service Ticket
• Auth: Authenticator encrypted with the session key
• AM: Message Authorizing Application by User Org
Push Example
Participants: User, User Org KDC, User Org Authorization Server, Application.
Flow (as the diagram's labels imply): the User obtains a TGT and a UOST from the User Org KDC, presents the UOST to the User Org Authorization Server and receives a CERT; the User then obtains an AST and presents CERT and AST to the Application, which returns OK.
Legend
• KDC: Kerberos Key Distribution Center
• TGT: Ticket Granting Ticket
• UOST: User Org Authorization Server Service Ticket
• CERT: Authorization for the User, signed by the User Org. Bind it to the User principal, or to ????
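The binding question raised on the Authorization slide and under CERT above, as an added Python example (not code from the slide deck) covering both the pull models (ID sent by the Application, AM returned) and the push example (CERT carried by the User): a User Org Authorization Server signs authorization statements, and the Application checks what each statement is bound to. HMAC under a key shared with the user org stands in for the org's signature; the principals, rights and clock values are made up for the demo. The example also shows what goes wrong when the CERT is not bound to the authenticated principal.

```python
"""Authorization messages outside the Kerberos ticket: a pushed CERT carried by the user and a
pulled AM fetched by the application. HMAC under a key shared with the user org stands in for
the org's signature; principals, rights and times are made up for the demo."""
import hmac, json, os

def _sign(key, body):
    """Sign a JSON body (stand-in for the User Org's digital signature)."""
    return {"body": body, "sig": hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()}

def _verified(key, msg):
    expected = hmac.new(key, json.dumps(msg["body"], sort_keys=True).encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, msg["sig"])

class UserOrgAuthzServer:
    """User Org Authorization Server: knows each principal's rights and signs statements about them."""
    def __init__(self, key, rights):
        self.key, self.rights = key, rights          # rights: principal -> list of permissions
    def issue_cert(self, principal, now, bound=True):
        """Push model: CERT handed to the user; 'bound' puts the subject principal inside the signed body."""
        body = {"rights": self.rights.get(principal, []), "exp": now + 600}
        if bound:
            body["subject"] = principal
        return _sign(self.key, body)
    def answer(self, principal, app, nonce, now):
        """Pull model: AM returned to the application that sent ID for 'principal'."""
        return _sign(self.key, {"subject": principal, "audience": app, "nonce": nonce,
                                "rights": self.rights.get(principal, []), "exp": now + 60})

class Application:
    def __init__(self, name, org_key, authz_server):
        self.name, self.org_key, self.authz = name, org_key, authz_server
    def push_authorize(self, principal, cert, now, check_subject=True):
        """'principal' is the identity already authenticated from the AST; CERT arrived alongside it."""
        if not _verified(self.org_key, cert):
            raise PermissionError("CERT signature invalid")
        body = cert["body"]
        if now >= body["exp"]:
            raise PermissionError("CERT expired")
        if check_subject and body.get("subject") != principal:
            raise PermissionError("CERT not bound to the authenticated principal")
        return body["rights"]
    def pull_authorize(self, principal, now, transport=lambda am: am):
        """Send ID for the authenticated principal, receive AM; 'transport' models the channel in between."""
        nonce = os.urandom(8).hex()                  # fresh per request: ties the AM to this query
        am = transport(self.authz.answer(principal, self.name, nonce, now))
        if not _verified(self.org_key, am):
            raise PermissionError("AM signature invalid")
        b = am["body"]
        if b["subject"] != principal or b["audience"] != self.name:
            raise PermissionError("AM is about another user or addressed to another application")
        if b["nonce"] != nonce:
            raise PermissionError("AM does not answer this query (replay)")
        if now >= b["exp"]:
            raise PermissionError("AM expired")
        return b["rights"]

def demo(now=1_700_000_000):
    org_key = os.urandom(32)
    authz = UserOrgAuthzServer(org_key, {"alice": ["read", "write"], "mallory": ["read"]})
    app = Application("app/host", org_key, authz)
    out = {}
    out["push_ok"] = app.push_authorize("alice", authz.issue_cert("alice", now), now)
    try: app.push_authorize("alice", authz.issue_cert("alice", now), now + 700); out["push_expired"] = "accepted"
    except PermissionError: out["push_expired"] = "rejected"
    # mallory authenticates as herself (her own AST) but presents alice's CERT
    try: app.push_authorize("mallory", authz.issue_cert("alice", now), now); out["push_replay"] = "accepted"
    except PermissionError: out["push_replay"] = "rejected"
    # an unbound CERT plus an application that never compares subjects: the replay succeeds
    out["push_unbound"] = app.push_authorize("mallory", authz.issue_cert("alice", now, bound=False), now, check_subject=False)
    out["pull_ok"] = app.pull_authorize("alice", now)
    def tamper(am): am["body"]["rights"] = ["admin"]; return am   # rights edited in transit
    try: app.pull_authorize("mallory", now, transport=tamper); out["pull_tampered"] = "accepted"
    except PermissionError: out["pull_tampered"] = "rejected"
    stale = authz.answer("alice", "app/host", "old-nonce", now)   # a genuine but earlier AM
    try: app.pull_authorize("alice", now, transport=lambda am: stale); out["pull_replayed"] = "accepted"
    except PermissionError: out["pull_replayed"] = "rejected"
    return out
```

`demo()` shows the bound CERT and the fresh AM being accepted, while the expired CERT, the CERT replayed by another authenticated user, the tampered AM and the replayed AM are rejected; the one case that succeeds when it should not is the unbound CERT checked by an application that ignores the subject, which is exactly the binding gap the slide's question points at.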
Inter-Domain Pull
Participants: User, User Org KDC, Application Org KDC’ (with a trust relationship, TR, to the User Org KDC), User Org Authorization Server, Application.
Flow (as the diagram's labels imply): the User obtains a TGT from the User Org KDC, exchanges it for a cross-realm TGT’ issued under the trust relationship, presents TGT’ to the Application Org KDC’ and receives an AST; the User presents the AST to the Application; the Application sends the authenticated identity (ID) to the User Org Authorization Server and receives an AM; the Application returns OK to the User.
Legend
• KDC: User Org Kerberos Key Distribution Center
• KDC’: Application Org Kerberos Key Distribution Center
• TGT’: Application Org Ticket Granting Ticket
• AST: Application Service Ticket
• ID: Authenticated Identity
• AM: Message Authorizing Application by User Org
• TR: Trust Relationship
Kerberos Inter-Realm
Participants: User, User Org KDC, Application Org KDC’ (trust relationship TR between the two KDCs), Application.
Flow (as the diagram's labels imply): the User obtains a TGT from the User Org KDC, exchanges it for a cross-realm TGT’, presents TGT’ to the Application Org KDC’ and receives an AST, presents the AST to the Application and gets OK. This is plain cross-realm Kerberos: authentication crosses the realm boundary through the trust relationship, and the authorization step of the previous slide is absent.