applied cryptography - protocols, algorithms, and source code in c



nal session key, all encrypted with the session key shared between the client and the server. Unlike a ticket, it can only be used once. However, since the client can generate authenticators as needed (it knows the shared secret key), this is not a problem.

The authenticator serves two purposes. First, it contains some plaintext encrypted in the session key. This proves that it also knows the key. Just as important, the sealed plaintext includes the timestamp. An eavesdropper who records both the ticket and the authenticator can’t replay them two days later.

Kerberos Version 5 Messages

Kerberos Version 5 has five messages (see Figure 24.1):

1. Client to Kerberos: c, tgs
2. Kerberos to client: {Kc, tgs}Kc, {Tc, tgs}Ktgs
3. Client to TGS: {Ac, s}Kc, tgs, {Tc, tgs}Ktgs
4. TGS to client: {Kc, s}Kc, tgs, {Tc, s}Ks
5. Client to server: {Ac, s}Kc, s, {Tc, s}Ks

These will now be discussed in detail.

Getting an Initial Ticket

The client has one piece of information that proves her identity: her password. Obviously we don’t want her to send this password over the network. The Kerberos protocol minimizes the chance that this password will be compromised, while at the same time not allowing a user to properly authenticate herself unless she knows the password.

The client sends a message containing her name and the name of her TGS server to the Kerberos authentication server. (There can be many TGS servers.) In reality, the user probably just enters her name into the system and the login program sends the request.

The Kerberos authentication server looks up the client in his database. If the client is in the database, Kerberos generates a session key to be used between her and the TGS. This is called a Ticket Granting Ticket (TGT). Kerberos encrypts that session key with the client’s secret key. Then it creates a TGT for the client to authenticate herself to the TGS, and encrypts that in the TGS’s secret key.
The authentication server sends both of these encrypted messages back to the client. Th...
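The following is an added example, not code from the book: it models messages 4 and 5 of the exchange above (TGS issues Kc,s and Tc,s; client presents Ac,s and Tc,s to the server) and shows the server-side checks that make the authenticator single-use: the timestamp must be fresh and a recorded ticket/authenticator pair must not be accepted again. The cipher (seal/unseal), the 5-minute skew window and the ticket lifetime are assumptions standing in for the real Kerberos cipher and policy.

```python
# Added example (not from the book): a model of Kerberos messages 4 and 5,
# showing why the timestamped authenticator defeats replay.
# seal()/unseal() are a stand-in for Kerberos' symmetric cipher (SHA-256
# keystream plus an HMAC tag), for demonstration only, not for real use.
import hashlib, hmac, json, os

SKEW = 300  # assumed policy: accept authenticators up to 5 minutes old

def seal(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = hashlib.sha256(key + nonce).digest()
    while len(ks) < len(pt):
        ks += hashlib.sha256(key + ks[-32:]).digest()
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad tag")  # wrong key or tampered blob
    ks = hashlib.sha256(key + nonce).digest()
    while len(ks) < len(ct):
        ks += hashlib.sha256(key + ks[-32:]).digest()
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def tgs_issue(ks: bytes, client: str, now: int, life: int = 8 * 3600):
    """Message 4 (TGS side): fresh session key Kc,s and ticket Tc,s under Ks."""
    kcs = os.urandom(32)
    ticket = seal(ks, {"c": client, "kcs": kcs.hex(), "exp": now + life})
    return kcs, ticket

def client_auth(kcs: bytes, client: str, now: int) -> bytes:
    """Message 5 (client side): authenticator Ac,s = {c, timestamp} under Kc,s."""
    return seal(kcs, {"c": client, "t": now})

def server_verify(ks: bytes, ticket: bytes, auth: bytes, now: int, seen: set) -> str:
    """Message 5 (server side): returns the client name or raises ValueError."""
    t = unseal(ks, ticket)                  # only the server holds Ks
    if now > t["exp"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["kcs"]), auth)  # proves the client knows Kc,s
    if a["c"] != t["c"]:
        raise ValueError("authenticator/ticket name mismatch")
    if abs(now - a["t"]) > SKEW:
        raise ValueError("stale authenticator")
    if (a["c"], a["t"]) in seen:            # recorded pair presented again
        raise ValueError("replay")
    seen.add((a["c"], a["t"]))
    return t["c"]
```

The `seen` set plays the role of the server's replay cache; entries older than the skew window can be expired, since the timestamp check already rejects them.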

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
