
Authentication and Authorization Processes in Kerberos System

Understand the inter- and intra-realm authentication and authorization flows in the Kerberos system. Learn about the key distribution and secure channel setups involved.



Presentation Transcript


  1. Figure 1a - Inter-Domain Pull Sequence (User Org performs authentication and authorization)
     Diagram participants: User, Application, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST, Auth; UOST; AM; UOST, Skey; OK; Secure Channel; Encrypted Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Skey: Session key associated with UOST
     Auth: Authenticator created by Application and encrypted with Skey
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address, Skey, secure channel session between User and Application (would need to pass the session key or identifier to the AAA server)

  2. Figure 1b - Inter-Domain Pull Sequence (User Org performs authentication and authorization)
     Diagram participants: User, Application, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST, Auth; UOST; AM; UOST, Auth; OK; Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent in AM), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)

  3. Figure 1c - Intra-Realm Pull Sequence (Application performs authentication; User Org performs authorization)
     Diagram participants: User, Application, User Org KDC, User Org Authorization Server. Message labels on the diagram: ID; AM; TGT; AST; AST, Auth; OK; Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     AST: Application Service Ticket
     Auth: Authenticator created by User and encrypted with AST session key
     ID: Authenticate Identity
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address, session key associated with AST, secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)

  4. Figure 1d - Intra-Realm Pull Sequence (Application performs authentication; User Org performs authentication and authorization)
     Diagram participants: User, Application, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST, UAuth; UOST, AST; AM; UOST, AST, Skey, AAuth; OK; Secure Channel; Encrypted Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     AST: Application Service Ticket
     Skey: Session key associated with UOST
     AAuth: Authenticator created by User and encrypted with AST session key
     UAuth: Authenticator created by Application and encrypted with Skey
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)

  5. Figure 1e - Intra-Realm Pull Sequence (Application performs authentication; User Org performs authentication and authorization)
     Diagram participants: User, Application, User Org KDC, User Org AAA Server. Message labels on the diagram: UOST; TGT; AST; UOST, UAuth; AM; TGT; AST, TGT, TGTKey, AAuth; OK; Secure Channel; Encrypted Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Forwardable Ticket Granting Ticket
     TGTKey: Session key shared between the User and the KDC
     UOST: User Org AAA Server Service Ticket
     AST: Application Service Ticket
     AAuth: Authenticator created by User and encrypted with AST session key
     UAuth: Authenticator created by Application and encrypted with UOST session key
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)

  6. Figure 2 - Inter-Realm Pull Sequence (Application performs authentication; User Org performs authorization)
     Diagram participants: User, Application, User Org KDC, Application Org KDC’, User Org Authorization Server. Message labels on the diagram: TR; TGT’; AST; TGT’; ID; AM; AST, Auth; OK; Secure Channel.
     KDC: User Org Kerberos Key Distribution Center
     KDC’: Application Org Kerberos Key Distribution Center
     TGT’: Application Org Ticket Granting Ticket
     AST: Application Service Ticket
     Auth: Authenticator created by User and encrypted with AST session key
     ID: Authenticate Identity
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)
     TR: Trust Relationship

  7. Figure 3 - Inter-Domain Pull Sequence (User Org performs authentication and authorization; Trusted Broker relays authorization)
     Diagram participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST; UOST, Auth; AM; AM’; UOST, Auth; OK; Secure Channel 1; Secure Channel 2.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)
     AM’: Message signed/changed by trusted Broker to relay authorization to Application

  8. Figure 4 - Inter-Domain Push Sequence (User Org performs authentication and authorization)
     Diagram participants: User, Application, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST; UOST, Auth; CERT; CERT; OK.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     CERT: Certificate authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent in the cert), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)

  9. Figure 4a - Intra-Realm Push Sequence (Application performs authentication; User Org performs authentication and authorization)
     Diagram participants: User, Application, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST, AST; UOST, UAuth; CERT; CERT, AST, AAuth; OK.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     UAuth: Authenticator created by User and encrypted with UOST session key
     AST: Application Service Ticket
     AAuth: Authenticator created by User and encrypted with AST session key
     CERT: Certificate authorizing User to Application; can be bound to: User name or ID, User IP address, secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)

  10. Figure 5 - Inter-Domain Push Sequence (User Org performs authentication and authorization; Trusted Broker signs authorization)
     Diagram participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST; UOST, Auth; AM; CERT; CERT; CERT; OK; Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)
     CERT: Created from AM and signed by trusted Broker

  11. Figure 5a - Inter-Domain Push Sequence (User Org performs authentication and authorization; Trusted Broker signs authorization)
     Diagram participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST; UOST (Binding), Auth; AM (Binding); CERT (Binding); CERT (Binding); CERT (Binding); OK; Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)
     CERT: Created from AM and signed by trusted Broker
     Binding: User IP address, or User name, or User/Application secure session ID, etc.

  12. Figure 6 - Inter-Domain Push Sequence (User Org performs authentication and authorization; Trusted Broker relays authorization)
     Diagram participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST; UOST, Auth; CERT; CERT; AM; CERT; OK; Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     CERT: Message authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)
     AM: Created from CERT for trusted authorization from Broker

  13. Figure 7 - Inter-Domain Agent Sequence (User Org performs authentication and authorization)
     Diagram participants: User, Application, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST; UOST, Auth; AM; OK; OK; Secure Channel.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent in AM), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)

  14. Figure 8 - Inter-Domain Agent Sequence (User Org performs authentication and authorization; Trusted Broker relays authorization)
     Diagram participants: User, Application, Broker, User Org KDC, User Org AAA Server. Message labels on the diagram: TGT; UOST; UOST, Auth; AM; AM’; OK; OK; OK; Secure Channel 1; Secure Channel 2.
     KDC: Kerberos Key Distribution Center
     TGT: Ticket Granting Ticket
     UOST: User Org AAA Server Service Ticket
     Auth: Authenticator created by User and encrypted with UOST session key
     AM: Message authorizing User to Application; can be bound to: User name or ID, User IP address (these could be sent through AM), secure channel session between User and Application (if created, would need to pass the session key or identifier to the AAA server)
     AM’: Message signed/changed by trusted Broker to relay authorization to Application
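As an added example (not part of the presentation), the following Python models the push sequence of Figures 4 and 5a end to end: the KDC issues a UOST carrying a session key, the User proves possession of that key with an Auth, the AAA server validates ticket and authenticator before issuing a CERT bound to the user's session, and the Application accepts the CERT only if its binding matches the session it actually arrived on. An HMAC tag stands in for Kerberos encryption of the ticket, authenticator and CERT (an assumption made to keep the example standard-library only), and every function and key name is hypothetical.

```python
import hashlib
import hmac
import json
import secrets

SKEW = 300  # Kerberos-style clock-skew tolerance for authenticators, in seconds


def _mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def seal(key: bytes, payload: dict) -> dict:
    # Integrity-protected stand-in for a Kerberos encrypted part (assumption: MAC, not encryption)
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": _mac(key, body)}


def unseal(key: bytes, token: dict) -> dict:
    if not hmac.compare_digest(_mac(key, token["body"]), token["mac"]):
        raise ValueError("token integrity check failed")
    return json.loads(token["body"])


def kdc_issue_uost(aaa_key: bytes, user: str, now: int):
    """KDC step: UOST (service ticket for the AAA server) carrying a fresh session key."""
    skey = secrets.token_hex(16)
    uost = seal(aaa_key, {"client": user, "skey": skey, "exp": now + 8 * 3600})
    return uost, bytes.fromhex(skey)


def user_authenticator(skey: bytes, user: str, now: int) -> dict:
    """User step: Auth, proving possession of the UOST session key."""
    return seal(skey, {"client": user, "ts": now})


def aaa_issue_cert(aaa_key: bytes, cert_key: bytes, uost: dict, auth: dict, binding: dict, now: int) -> dict:
    """AAA server step: validate UOST + Auth, then issue a CERT bound to the user's session."""
    t = unseal(aaa_key, uost)
    if now > t["exp"]:
        raise ValueError("UOST expired")
    a = unseal(bytes.fromhex(t["skey"]), auth)
    if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")
    return seal(cert_key, {"user": t["client"], "binding": binding, "exp": now + 600})


def app_accept(cert_key: bytes, cert: dict, observed: dict, now: int) -> bool:
    """Application step: accept CERT only if intact, unexpired and bound to the session it arrived on."""
    try:
        c = unseal(cert_key, cert)
    except ValueError:
        return False
    return now <= c["exp"] and c["binding"] == observed
```

The binding check in app_accept is what stops a CERT captured on one session from being replayed on another, which is the point of the "(Binding)" annotations in Figure 5a.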
