Thanks: GSS Server without secret key?
Oliver Schoett
os at sdm.de
Fri Nov 7 04:57:42 EST 2003
Mike Friedman wrote on 2003-11-07 06:29:
>In short, and a little over-simplified:
>
>When the client presents a ticket to the server, how does the server know
>it was issued by a trustworthy Kerberos KDC? Because the ticket contains
>a payload encrypted in the server's secret key, registered in that same KDC
>(and known by no one but that KDC and the server itself).
Yes, thanks, I have read in the meantime that the basic Kerberos
Authentication protocol requires the server to use a secret key (and I
then cancelled my question).
The design seems to be asymmetric in that the need to store a secret
long-term key at the client has been avoided (the client only needs to
store its TGT), but a secret long-term key at the server is still
necessary. I am afraid our customer will complain about this ...
Oliver Schoett
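As an added illustration of the check Mike describes (not code from either poster), a toy Python model of a KDC sealing a service ticket under the service's long-term key and the service opening it with that same key; the cipher is a stdlib HMAC construction standing in for Kerberos encryption types, and the principal names and keys are constructed for the example.

```python
import hmac, hashlib, json, os

def _keystream(key, nonce, n):
    # PRF-derived keystream (toy stand-in for a real Kerberos enctype)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, payload):
    """Encrypt-then-MAC a JSON payload: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Return the payload, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

# The KDC's copy of each service principal's long-term key (constructed value).
# The service holds the same key in its keytab; nobody else has it.
SERVICE_KEYS = {"host/app.example.test": os.urandom(32)}

def kdc_issue_ticket(client, service, now):
    """KDC: mint a session key and seal it, with the client name, under the service key."""
    session_key = os.urandom(32)
    body = {"client": client, "session_key": session_key.hex(), "expires": now + 600}
    # The ticket is opaque to the client; the session key reaches the client separately
    # over its TGT-protected exchange (not modelled here).
    return seal(SERVICE_KEYS[service], body), session_key

def client_authenticator(session_key, client, now):
    """Client: prove possession of the session key by sealing a fresh timestamp."""
    return seal(session_key, {"client": client, "timestamp": now})

def service_verify(service_key, ticket, authenticator, now):
    """Service: open the ticket with its own key, then check the authenticator."""
    t = open_sealed(service_key, ticket)
    if t is None or t["expires"] < now:
        return None  # forged, tampered, issued under another key, or expired
    a = open_sealed(bytes.fromhex(t["session_key"]), authenticator)
    if a is None or a["client"] != t["client"] or abs(a["timestamp"] - now) > 300:
        return None  # replay outside the clock skew window or mismatched client
    return t["client"]
```

The last check is exactly the point of the thread: without the service's long-term key, `service_verify` cannot open the ticket and so cannot tell a KDC-issued ticket from a forged one.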