Thanks: GSS Server without secret key?

Oliver Schoett os at sdm.de
Fri Nov 7 04:57:42 EST 2003


Mike Friedman wrote on 2003-11-07 06:29:

>In short, and a little over-simplified:  
>
>When the client presents a ticket to the server, how does the server know
>it was issued by a trustworthy Kerberos KDC?  Because the ticket contains
>a payload encrypted in the server's secret key, registered in that same KDC
>(and known by no one but that KDC and the server itself).

Yes, thanks, I have read in the meantime that the basic Kerberos
Authentication protocol requires the server to use a secret key (and I
then cancelled my question).

The design seems to be asymmetric in that the need to store a secret
long-term key at the client has been avoided (the client only needs to
store its TGT), but a secret long-term key at the server is still
necessary.  I am afraid our customer will complain about this ...

Oliver Schoett
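As an added illustration (not part of the thread), a toy Python model of the exchange Mike describes: the KDC seals the service ticket under the server's long-term key, and a server that does not hold that key cannot verify the ticket at all. The sealing here is an HMAC-SHA256 keystream plus MAC standing in for a real Kerberos enctype, and the principal names and keys are constructed.

```python
# Toy model of Kerberos ticket sealing: the ticket is readable only by the
# holder of the server's long-term key, which is why that key must exist.
# The cipher below is a stand-in for a real Kerberos enctype (assumption).
import hmac, hashlib, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: dict) -> bytes:
    """Encrypt-then-MAC under `key`; layout is nonce || ciphertext || tag."""
    pt = json.dumps(data).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key`; only then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_issue_ticket(server_keys: dict, client: str, server: str, lifetime=300) -> tuple:
    """KDC side: ticket sealed under the server's registered long-term key."""
    session_key = os.urandom(32).hex()
    body = {"client": client, "session_key": session_key, "exp": time.time() + lifetime}
    return seal(server_keys[server], body), session_key

def server_accept(server_key: bytes, ticket: bytes) -> str:
    """Server side: return the client principal named in a valid ticket."""
    t = unseal(server_key, ticket)  # fails unless the server holds the key
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    return t["client"]

def demo(server_has_key: bool) -> bool:
    """True if the server could verify the KDC's ticket (constructed scenario)."""
    k_srv = os.urandom(32)  # long-term key shared only by the KDC and the server
    ticket, _ = kdc_issue_ticket({"host/app.example": k_srv}, "alice@EXAMPLE", "host/app.example")
    try:
        server_accept(k_srv if server_has_key else os.urandom(32), ticket)
        return True
    except ValueError:
        return False
```

`demo(True)` returns True and `demo(False)` returns False: without its own secret key the server has no way to tell a KDC-issued ticket from a forgery.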
