S4U2 security

Peter Mogensen apm at mutex.dk
Thu Aug 2 17:31:51 EDT 2012


On 2012-08-02 22:52, Simo Sorce wrote:
> On Thu, 2012-08-02 at 22:14 +0200, Peter Mogensen wrote:
>> But then say the web server used HTTP Digest with a nonce and computed
>> hash result provided by the KDC.
>> Then the password (and access to requesting TGTs) would still only be
>> shared by the user and KDC.
> Then you need to have a way to share the digest with the KDC, that's not
> easy.

I'm aware that this is not easy in the Kerberos protocol, but say:

* The user (browser) makes an HTTP request to a webserver.
* The webserver connects to the KDC via some companion service or a 
protocol extension to get a nonce (or uses a timestamp)
* ... which the webserver then sends to the client in a 
WWW-Authenticate: Digest header
* The client responds via HTTP with the digest.
* The webserver sends an S4U2self with a (say) PA-HTTP-DIGEST containing 
the user, realm, nonce and digest.
* The KDC checks the nonce/digest and confirms the authentication along 
with an S4U2self service ticket for the webserver.
* The webserver serves the resource (potentially using the service ticket).


/Peter
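The exchange sketched in the list above, as an added simulation that is not part of the original mail or of any Kerberos implementation. PA-HTTP-DIGEST is the mail's hypothetical pre-authentication type, the returned ticket is a placeholder dict, and the realm, user and password are constructed sample values; the point it shows is that the webserver only ever handles the nonce and the digest, never the password, and that the KDC enforces single-use nonces.

```python
import hashlib
import secrets

REALM = "EXAMPLE.COM"  # constructed sample realm


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


class KDC:
    """Holds each user's digest secret (HA1) and verifies PA-HTTP-DIGEST data."""

    def __init__(self, users):
        # HA1 = MD5(user:realm:password): the KDC stores only this, not the password.
        self.ha1 = {u: md5hex(f"{u}:{REALM}:{pw}") for u, pw in users.items()}
        self.live_nonces = set()

    def issue_nonce(self):
        # Companion service: hand the webserver a fresh, single-use nonce.
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def s4u2self(self, service, user, nonce, method, uri, digest):
        # Reject unknown users and unknown or replayed nonces (each nonce is used once).
        if user not in self.ha1 or nonce not in self.live_nonces:
            return None
        self.live_nonces.discard(nonce)
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{self.ha1[user]}:{nonce}:{ha2}")
        if not secrets.compare_digest(expected, digest):
            return None
        # Placeholder for the S4U2self service ticket the KDC would return.
        return {"client": user, "service": service, "realm": REALM}


def client_digest(user, password, nonce, method, uri):
    """RFC 2617 Digest response (no qop) as the browser would compute it."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def web_request(kdc, user, password, uri="/secret", method="GET"):
    """Full round trip: nonce from KDC, digest from client, S4U2self at the KDC."""
    nonce = kdc.issue_nonce()  # sent in WWW-Authenticate: Digest nonce=...
    digest = client_digest(user, password, nonce, method, uri)  # Authorization: Digest response=...
    # The webserver forwards only user, nonce and digest; it never sees the password.
    return kdc.s4u2self("HTTP/www.example.com", user, nonce, method, uri, digest)
```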


