Understand the inter and intra-realm authentication and authorization flows in the Kerberos system. Learn about the key distribution and secure channel setups involved.
Figure 1a - Inter-Domain Pull Sequence: User Org Performs Authentication and Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org AAA Server. Message labels shown: TGT; UOST, Auth; UOST; AM; Secure Channel; UOST, Skey; OK; Encrypted Secure Channel.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Skey: Session key associated with UOST
Auth: Authenticator created by Application and encrypted with Skey
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address, Skey, secure channel session between User and Application (would need to pass the session key or identifier to the AAA server)

Figure 1b - Inter-Domain Pull Sequence: User Org Performs Authentication and Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org AAA Server. Message labels shown: TGT; UOST, Auth; UOST; AM; Secure Channel; UOST, Auth; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent in AM), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)

Figure 1c - Intra-Realm Pull Sequence: Application Performs Authentication, User Org Performs Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org Authorization Server. Message labels shown: ID; AM; TGT; AST; Secure Channel; AST, Auth; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
AST: Application Service Ticket
Auth: Authenticator created by User and encrypted with AST session key
ID: Authenticate Identity
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address, session key associated with AST, secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)

Figure 1d - Intra-Realm Pull Sequence: Application Performs Authentication, User Org Performs Authentication and Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org AAA Server. Message labels shown: TGT; UOST, UAuth; UOST, AST; AM; Secure Channel; UOST, AST, Skey, AAuth; OK; Encrypted Secure Channel.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
AST: Application Service Ticket
Skey: Session key associated with UOST
AAuth: Authenticator created by User and encrypted with AST session key
UAuth: Authenticator created by Application and encrypted with Skey
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)

Figure 1e - Intra-Realm Pull Sequence: Application Performs Authentication, User Org Performs Authentication and Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org AAA Server. Message labels shown: UOST; TGT; AST; UOST, UAuth; AM; Secure Channel; TGT; AST, TGT, TGTKey, AAuth; OK; Encrypted Secure Channel.)
KDC: Kerberos Key Distribution Center
TGT: Forwardable Ticket Granting Ticket
TGTKey: Session key shared between the User and the KDC
UOST: User Org AAA Server Service Ticket
AST: Application Service Ticket
AAuth: Authenticator created by User and encrypted with AST session key
UAuth: Authenticator created by Application and encrypted with UOST session key
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)

Figure 2 - Inter-Realm Pull Sequence: Application Performs Authentication, User Org Performs Authorization
(Sequence diagram; participants: User, Application, Application Org KDC', User Org KDC, User Org Authorization Server. Message labels shown: TR; TGT'; AST; TGT'; ID; AM; Secure Channel; AST, Auth; OK.)
KDC: User Org Kerberos Key Distribution Center
KDC': Application Org Kerberos Key Distribution Center
TGT': Application Org Ticket Granting Ticket
AST: Application Service Ticket
Auth: Authenticator created by User and encrypted with AST session key
ID: Authenticate Identity
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)
TR: Trust Relationship

Figure 3 - Inter-Domain Pull Sequence: User Org Performs Authentication and Authorization, Trusted Broker Relays Authorization
(Sequence diagram; participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels shown: UOST, Auth; Secure Channel 1; AM; TGT; UOST; AM'; UOST, Auth; Secure Channel 2; UOST, Auth; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)
AM': Message signed/changed by trusted Broker to relay authorization to Application
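As an added illustration (not part of the original slides), the following Python models the Figure 1a pull sequence with HMAC tags standing in for Kerberos encryption: the KDC issues a UOST carrying Skey, the Application builds the authenticator with Skey, the AAA server validates ticket and authenticator and issues an AM bound to user name, IP address and Skey, and the Application accepts the AM only if those bindings match its secure-channel peer. Keys, names and addresses are constructed; the replay cache, the clock-skew window and the Application reporting the user's channel address to the AAA server are assumptions the figure does not spell out.

```python
import hashlib
import hmac
import json

def mac(key: bytes, body: dict) -> str:
    # Integrity tag over a canonical encoding; stands in for the Kerberos encryption in the figure
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_uost(kdc_aaa_key: bytes, user: str, user_ip: str, skey: bytes, now: int, lifetime: int = 600):
    # KDC issues the AAA-server service ticket (UOST) under the key it shares with the AAA server;
    # the ticket carries the client name, client address, the session key Skey and an expiry
    body = {"user": user, "addr": user_ip, "skey": skey.hex(), "exp": now + lifetime}
    return {"body": body, "tag": mac(kdc_aaa_key, body)}

def make_auth(skey: bytes, user: str, now: int):
    # Authenticator: proves the presenter holds Skey and is fresh (Figure 1a: created by the Application)
    body = {"user": user, "ts": now}
    return {"body": body, "tag": mac(skey, body)}

def skey_id(skey: bytes) -> str:
    # Identifier of Skey so the AM can be bound to it without carrying the key itself
    return hashlib.sha256(skey).hexdigest()[:16]

def aaa_authorize(kdc_aaa_key, aaa_app_key, uost, auth, user_ip, now, seen, skew=300):
    """AAA server: validate UOST and Auth, then issue an AM bound to user name, IP and Skey.
    user_ip is the address the Application observed on its secure channel (assumption)."""
    if not hmac.compare_digest(uost["tag"], mac(kdc_aaa_key, uost["body"])):
        return None                                   # ticket was not issued by our KDC
    t = uost["body"]
    if now > t["exp"] or t["addr"] != user_ip:
        return None                                   # expired, or user not at the ticketed address
    skey = bytes.fromhex(t["skey"])
    if not hmac.compare_digest(auth["tag"], mac(skey, auth["body"])):
        return None                                   # presenter does not hold Skey
    a = auth["body"]
    if a["user"] != t["user"] or abs(now - a["ts"]) > skew:
        return None                                   # name mismatch or stale authenticator
    if auth["tag"] in seen:
        return None                                   # replay cache (assumed): each authenticator is single-use
    seen.add(auth["tag"])
    am = {"user": t["user"], "addr": t["addr"], "skey_id": skey_id(skey), "exp": t["exp"]}
    return {"body": am, "tag": mac(aaa_app_key, am)}   # AM protected by the AAA/Application key

def app_accept(aaa_app_key, am, peer_user, peer_ip, skey, now) -> bool:
    """Application: accept the AM only if its bindings match the channel peer and the Skey it holds."""
    if am is None or not hmac.compare_digest(am["tag"], mac(aaa_app_key, am["body"])):
        return False
    b = am["body"]
    return (b["user"] == peer_user and b["addr"] == peer_ip
            and b["skey_id"] == skey_id(skey) and now <= b["exp"])
```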
Figure 4 - Inter-Domain Push Sequence: User Org Performs Authentication and Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org AAA Server. Message labels shown: UOST, Auth; TGT; UOST; CERT; CERT; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
CERT: Certificate authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent in the cert), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)

Figure 4a - Intra-Realm Push Sequence: Application Performs Authentication, User Org Performs Authentication and Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org AAA Server. Message labels shown: UOST, UAuth; TGT; UOST, AST; CERT; CERT, AST, AAuth; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
UAuth: Authenticator created by User and encrypted with UOST session key
AST: Application Service Ticket
AAuth: Authenticator created by User and encrypted with AST session key
CERT: Certificate authorizing User to Application. Can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)

Figure 5 - Inter-Domain Push Sequence: User Org Performs Authentication and Authorization, Trusted Broker Signs Authorization
(Sequence diagram; participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels shown: Secure Channel; AM; CERT; UOST, Auth; TGT; UOST; CERT; CERT; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)
CERT: Created from AM and signed by trusted Broker

Figure 5a - Inter-Domain Push Sequence: User Org Performs Authentication and Authorization, Trusted Broker Signs Authorization
(Sequence diagram; participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels shown: UOST (Binding), Auth; Secure Channel; CERT (Binding); AM (Binding); TGT; UOST; CERT (Binding); CERT (Binding); OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)
CERT: Created from AM and signed by trusted Broker
Binding: User IP addr, or User name, or User/Application secure session ID, etc …

Figure 6 - Inter-Domain Push Sequence: User Org Performs Authentication and Authorization, Trusted Broker Relays Authorization
(Sequence diagram; participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels shown: UOST, Auth; TGT; UOST; CERT; Secure Channel; CERT; AM; CERT; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
CERT: Message authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)
AM: Created from CERT for trusted authorization from Broker

Figure 7 - Inter-Domain Agent Sequence: User Org Performs Authentication and Authorization
(Sequence diagram; participants: User, Application, User Org KDC, User Org AAA Server. Message labels shown: UOST, Auth; TGT; UOST; AM; OK; Secure Channel; OK.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent in AM), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)

Figure 8 - Inter-Domain Agent Sequence: User Org Performs Authentication and Authorization, Trusted Broker Relays Authorization
(Sequence diagram; participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels shown: AM; Secure Channel 1; OK; UOST, Auth; OK; TGT; UOST; AM'; OK; Secure Channel 2.)
KDC: Kerberos Key Distribution Center
TGT: Ticket Granting Ticket
UOST: User Org AAA Server Service Ticket
Auth: Authenticator created by User and encrypted with UOST session key
AM: Message authorizing User to Application. Can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created; would need to pass the session key or identifier to the AAA server)
AM': Message signed/changed by trusted Broker to relay authorization to Application