After validating by the server, will the final "actual" service session be encrypted?
jay alvarez
kerber0sb0y at yahoo.com
Wed May 25 03:15:18 EDT 2005
Hi,
While reading "The Moron's Guide to Kerberos, Version
1.2.2" found at
http://www.isi.edu/gost/brian/security/kerberos.html I
decided to document the "whole" kerberos process
starting from the USER getting a TGT upto the USER
getting the actual ticket and establishing a session
with his desired service. Here are my writings:
Legend:
AU -> authentication server (kerberos)
SERVICE -> the service the user is requesting ticket
for.
SERVER -> the computer running the service the user
wants to use.
SNAME -> server's name
USER -> the one who is requesting the ticket to use a
certain service.
UNAME -> user's name
SKEY -> session key
SVKEY -> the password for a particular service known
only to AU and SERVER
EDATA -> encrypted data
TGS SERVER(KDC) -> ticket granting server possibly
residing with AU
TGT -> ticket granting ticket
Note: SKEY1 and SKEY2 are identical
1. USER sends his UNAME and the desired SERVICE(this
time TGS) to AU
2. AU looks at it's database if UNAME really exists
and if so...
3. AU creates two SKEY;
4. AU encrypts SKEY1 together with SNAME using the
USER's password and package it into EDATA1
5. AU encrypts SKEY2 together with USER's name using
SVKEY and package it into EDATA2(ticket)
6. AU sends the two EDATA back to USER
7. USER decrypts EDATA1 using his password extracting
SKEY1 and SERVER's name(TGS)
8. USER encrypts the current time using SKEY1 and
package it into EDATA3(authenticator)
9. USER sends EDATA2 and EDATA3 to TGS SERVER
10. TGS SERVER decrypts EDATA2 using its SERVICE's
password extracting the SKEY2 and USER's name
11. SERVICE(TGS) decrypts EDATA3 using SKEY2
extracting the current time that came from USER
12. upon decryption, TGS SERVER knows the ticket
really came from AU and also the TTL of the ticket
13. the session now begins, in this case, TGS SERVER
sends a TGT back to USER
??> Does this means that AU is sending an unencrypted
TGT to the USER? Does this means that any future
session with a particular service e.g; retrieving an
email from a pop server will not be tunneled into
encrypted form?
14. if USER wants to use another SERVICE, he will just
use his TGT to request a ticket from TGS SERVER
??>This one seems to be vague. Does this mean the USER
will send his TGT back to TGS SERVER? Unencrypted?
Quoting:
"Furthermore, the reply is encrypted not with the
user's secret key, but with the session key that the
AS provided for use with the TGS"
15. TGS SERVER encrypts the ticket using SKEY2 and
package it into EDATA4.
The explanation ends at step 15. The author didn't
tell how "EXACTLY" the USER will use the TGT in step
14 to get an actual service tickets. Also, in step 15,
he did mention what the user will do, upon arrival of
the encrypted service ticket. He said that after step
15, the process repeats itself, so I'm guessing the
repitition happens on the 8th step, such that he will
again create an encrypted authenticator and forward it
to the SERVER together with the ecrypted ticket that
came from TGS.
What do you think??
Thank you very much...
-Mark Jayson R. Alvarez
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new Resources site
http://smallbusiness.yahoo.com/resources/
More information about the Kerberos
mailing list