Purpose of Server Public/Private Key??

Jake Mudau someone at someplace.com
Thu Jul 10 20:36:19 EDT 2003


Hi, I am new to kerberos and would appreciate some help understanding some
basics:

What is the purpose of having a server public/private key architecture?  I
mean, when a user needs to be authenticated, the following is quite
sufficient [or is it :)]:

1.  UserID passed in plain-text to server;
2.  Server submits an encrypted "challenge"-plus-unique-session_id with the
user's password back to client;
3.  Client decrypts challenge from server with password and conducts
pre-defined scrambling (not encrypting) of plain-text;
4.  Client encrypts scrambled plain-text with unique session_id and sends
back to server;
5.  Server decrypts with previously sent unique session_id and confirms
correctness of scrambled challenge.  If ok, client authenticated and new
session_id passed for rest of the client's operations.

Each client is given its own unique session_id and the server knows which
client it is by the session_id.

Can someone please help me understand why we then need server private and
public keys (and why they have to travel as part of the authenticator)?

Many thanks

JM




More information about the Kerberos mailing list