1 / 9

Preauth Framework and Common Extensions

Preauth Framework and Common Extensions. Larry Zhu (Microsoft) Sam Hartman (MIT) IETF67. Information Model for Preauth. The reply key used to encrypt the KDC reply The strength of client authentication Whether the reply key has been used Whether the reply key has been replaced

ivi
Download Presentation

Preauth Framework and Common Extensions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Preauth Framework and Common Extensions Larry Zhu (Microsoft) Sam Hartman (MIT) IETF67

  2. Information Model for Preauth • The reply key used to encrypt the KDC reply • The strength of client authentication • Whether the reply key has been used • Whether the reply key has been replaced • Whether the contents of the KDC reply can be verified by the client principal • Whether the contents of the KDC reply can be verified by the client machine

  3. Preauth Facilities • Client-authentication • Strengthening reply key • Replacing reply key • KDC-authentication

  4. Common Extensions • Combining keys • KDC state management • Pre-Authentication set • Kerb FAST • Authentication strength indication

  5. Combining Keys • KRB-FX-CF1() • KRB-FX-CF2()

  6. KDC state management • cookie, it is specific to a KDC • Distributed cookie for replicated KDCs

  7. Preauth set • PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM • PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { pa-type [1] Int32, -- same as padata-type. pa-hint [2] OCTET STRING, -- hint data. ... }

  8. KERB FAST • KrbFastReq ::= SEQUENCE { fast-options [0] FastOptions, padata [1] SEQUENCE OF PA-DATA, timestamp [2] KerberosTime, usec [3] Microseconds, req-nonce [4] OCTET STRING, ... }

  9. KERB-FAST continued KrbFastResponse ::= SEQUENCE { padata [1] SEQUENCE OF PA-DATA, finish [2] KrbFastFinish OPTIONAL, rep-nonce [3] OCTET STRING, ... }

More Related