logo_kerberos.gif

Difference between revisions of "User:TomYu/KDC processing"

From K5Wiki
Jump to: navigation, search
(New page: * Authenticate request content ** PKINIT (AS) ** PA-TGS-REQ (TGS) ** FAST (AS or TGS) * Authenticate client ** PA-ENC-TS (weak; AS) ** PKINIT (AS) ** SAM2 (AS) ** PA-ENCRYPTED-CHALLENGE (A...)
 
 
Line 1: Line 1:
* Authenticate request content
 
  +
* Client referrals?
** PKINIT (AS)
 
  +
* Authenticate request content -- sometimes authenticates the client principal too
** PA-TGS-REQ (TGS)
 
  +
** PKINIT (AS, also authenticates client)
 
** PA-TGS-REQ (TGS, also authenticates client)
 
** FAST (AS or TGS)
 
** FAST (AS or TGS)
* Authenticate client
+
* Authenticate client -- sometimes authenticates the request content too
 
** PA-ENC-TS (weak; AS)
 
** PA-ENC-TS (weak; AS)
** PKINIT (AS)
+
** PKINIT (AS, also authenticates request content)
 
** SAM2 (AS)
 
** SAM2 (AS)
 
** PA-ENCRYPTED-CHALLENGE (AS)
 
** PA-ENCRYPTED-CHALLENGE (AS)
** PA-TGS-REQ (TGS)
+
** PA-TGS-REQ (TGS, also authenticates request content)
 
** S4U2Self (TGS)
 
** S4U2Self (TGS)
 
** S4U2Proxy (TGS)
 
** S4U2Proxy (TGS)
Line 15: Line 16:
 
** Cross-realm service principal referral
 
** Cross-realm service principal referral
 
** Cross-realm TGS referral
 
** Cross-realm TGS referral
** User-to-user
+
** User-to-user (from second ticket)
  +
* Validate protocol constraints
  +
* Validate policies
 
* Issue ticket
 
* Issue ticket
 
* Encrypt reply
 
* Encrypt reply

Latest revision as of 16:34, 25 June 2013

  • Client referrals?
  • Authenticate request content -- sometimes authenticates the client principal too
    • PKINIT (AS, also authenticates client)
    • PA-TGS-REQ (TGS, also authenticates client)
    • FAST (AS or TGS)
  • Authenticate client -- sometimes authenticates the request content too
    • PA-ENC-TS (weak; AS)
    • PKINIT (AS, also authenticates request content)
    • SAM2 (AS)
    • PA-ENCRYPTED-CHALLENGE (AS)
    • PA-TGS-REQ (TGS, also authenticates request content)
    • S4U2Self (TGS)
    • S4U2Proxy (TGS)
  • Determine service principal
    • Hostname alias
    • Cross-realm service principal referral
    • Cross-realm TGS referral
    • User-to-user (from second ticket)
  • Validate protocol constraints
  • Validate policies
  • Issue ticket
  • Encrypt reply
    • FAST (AS or TGS)
    • Long-term key (AS)
    • Session key (TGS)