Difference between revisions of "User:TomYu/KDC processing"

Latest revision as of 16:34, 25 June 2013

Client referrals?
Authenticate request content -- sometimes authenticates the client principal too
- PKINIT (AS, also authenticates client)
- PA-TGS-REQ (TGS, also authenticates client)
- FAST (AS or TGS)
Authenticate client -- sometimes authenticates the request content too
- PA-ENC-TS (weak; AS)
- PKINIT (AS, also authenticates request content)
- SAM2 (AS)
- PA-ENCRYPTED-CHALLENGE (AS)
- PA-TGS-REQ (TGS, also authenticates request content)
- S4U2Self (TGS)
- S4U2Proxy (TGS)
Determine service principal
- Hostname alias
- Cross-realm service principal referral
- Cross-realm TGS referral
- User-to-user (from second ticket)
Validate protocol constraints
Validate policies
Issue ticket
Encrypt reply
- FAST (AS or TGS)
- Long-term key (AS)
- Session key (TGS)

@@ Line 1: / Line 1: @@
-* Authenticate request content
+* Client referrals?
-** PKINIT (AS)
+* Authenticate request content -- sometimes authenticates the client principal too
-** PA-TGS-REQ (TGS)
+** PKINIT (AS, also authenticates client)
+** PA-TGS-REQ (TGS, also authenticates client)
 ** FAST (AS or TGS)
-* Authenticate client
+* Authenticate client -- sometimes authenticates the request content too
 ** PA-ENC-TS (weak; AS)
-** PKINIT (AS)
+** PKINIT (AS, also authenticates request content)
 ** SAM2 (AS)
 ** PA-ENCRYPTED-CHALLENGE (AS)
-** PA-TGS-REQ (TGS)
+** PA-TGS-REQ (TGS, also authenticates request content)
 ** S4U2Self (TGS)
 ** S4U2Proxy (TGS)
@@ Line 15: / Line 16: @@
 ** Cross-realm service principal referral
 ** Cross-realm TGS referral
-** User-to-user
+** User-to-user (from second ticket)
+* Validate protocol constraints
+* Validate policies
 * Issue ticket
 * Encrypt reply