Table 14.1 Summary of Kerberos Version 4 Message Exchanges

(a) Authentication Service Exchange: to obtain ticket-granting ticket
(1) $C \to AS$: $ID_c \| ID_{tgs} \| TS_1$
(2) $AS \to C$: $E_{K_c}[K_{c,tgs} \| ID_{tgs} \| TS_2 \| Lifetime_2 \| Ticket_{tgs}]$
    $Ticket_{tgs} = E_{K_{tgs}}[K_{c,tgs} \| ID_c \| AD_c \| ID_{tgs} \| TS_2 \| Lifetime_2]$

(b) Ticket-Granting Service Exchange: to obtain service-granting ticket
(3) $C \to TGS$: $ID_v \| Ticket_{tgs} \| Authenticator_c$
(4) $TGS \to C$: $E_{K_{c,tgs}}[K_{c,v} \| ID_v \| TS_4 \| Ticket_v]$
    $Ticket_{tgs} = E_{K_{tgs}}[K_{c,tgs} \| ID_c \| AD_c \| ID_{tgs} \| TS_2 \| Lifetime_2]$
    $Ticket_v = E_{K_v}[K_{c,v} \| ID_c \| AD_c \| ID_v \| TS_4 \| Lifetime_4]$
    $Authenticator_c = E_{K_{c,tgs}}[ID_c \| AD_c \| TS_3]$

(c) Client/Server Authentication Exchange: to obtain service
(5) $C \to V$: $Ticket_v \| Authenticator_c$
(6) $V \to C$: $E_{K_{c,v}}[TS_5 + 1]$ (for mutual authentication)
    $Ticket_v = E_{K_v}[K_{c,v} \| ID_c \| AD_c \| ID_v \| TS_4 \| Lifetime_4]$
    $Authenticator_c = E_{K_{c,v}}[ID_c \| AD_c \| TS_5]$

2022/10/9 Modern Cryptography: Theory and Practice, Lecture 14, slide 12/42
Figure 14.1 Overview of Kerberos

Once per user logon session (client and Authentication Server, AS):
1. User logs on to workstation and requests service on host.
2. AS verifies user's access right in database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user's password.

Once per type of service (client and Ticket-Granting Server, TGS):
3. Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket and authenticator that contains user's name, network address, and time to TGS.
4. TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server.

Once per service session (client and server):
5. Workstation sends ticket and authenticator to server.
6. Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator.
Role of the elements used in Kerberos 4

Table 14.2 Rationale for the Elements of the Kerberos Version 4 Protocol (page 1 of 2)

(a) Authentication Service Exchange

Message (1): Client requests ticket-granting ticket
  $ID_c$: Tells AS identity of user from this client
  $ID_{tgs}$: Tells AS that user requests access to TGS
  $TS_1$: Allows AS to verify that client's clock is synchronized with that of AS

Message (2): AS returns ticket-granting ticket
  $E_{K_c}$: Encryption is based on user's password, enabling AS and client to verify password, and protecting contents of message (2)
  $K_{c,tgs}$: Copy of session key accessible to client; created by AS to permit secure exchange between client and TGS without requiring them to share a permanent key
  $ID_{tgs}$: Confirms that this ticket is for the TGS
  $TS_2$: Informs client of time this ticket was issued
  $Lifetime_2$: Informs client of the lifetime of this ticket
  $Ticket_{tgs}$: Ticket to be used by client to access TGS
Table 14.2 Rationale for the Elements of the Kerberos Version 4 Protocol (page 2 of 2)

(b) Ticket-Granting Service Exchange

Message (3): Client requests service-granting ticket
  $ID_v$: Tells TGS that user requests access to server V
  $Ticket_{tgs}$: Assures TGS that this user has been authenticated by AS
  $Authenticator_c$: Generated by client to validate ticket

Message (4): TGS returns service-granting ticket
  $E_{K_{c,tgs}}$: Key shared only by C and TGS; protects contents of message (4)
  $K_{c,v}$: Copy of session key accessible to client; created by TGS to permit secure exchange between client and server without requiring them to share a permanent key
  $ID_v$: Confirms that this ticket is for server V
  $TS_4$: Informs client of time this ticket was issued
  $Ticket_v$: Ticket to be used by client to access server V

$Ticket_{tgs}$: Reusable so that user does not have to reenter password
  $E_{K_{tgs}}$: Ticket is encrypted with key known only to AS and TGS, to prevent tampering
  $K_{c,tgs}$: Copy of session key accessible to TGS; used to decrypt authenticator, thereby authenticating ticket
  $ID_c$: Indicates the rightful owner of this ticket
  $AD_c$: Prevents use of ticket from workstation other than one that initially requested the ticket
  $ID_{tgs}$: Assures server that it has decrypted ticket properly
  $TS_2$: Informs TGS of time this ticket was issued
  $Lifetime_2$: Prevents replay after ticket has expired

$Authenticator_c$: Assures TGS that the ticket presenter is the same as the client for whom the ticket was issued; has very short lifetime to prevent replay
  $E_{K_{c,tgs}}$: Authenticator is encrypted with key known only to client and TGS, to prevent tampering
  $ID_c$: Must match ID in ticket to authenticate ticket
  $AD_c$: Must match address in ticket to authenticate ticket
  $TS_3$: Informs TGS of time this authenticator was generated
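The six messages of Table 14.1 run end to end below, with the TGS and server V applying the field checks listed in Table 14.2 (ticket decrypts under the server's long-term key, $ID$ and $AD_c$ in the authenticator match the ticket, the presenter's address matches $AD_c$, the ticket is inside its lifetime, the authenticator timestamp is fresh, and V answers with $TS_5 + 1$). This is an added example, not material from the slides and not MIT Kerberos code. A keyed-hash stream cipher with an HMAC tag stands in for the DES that Kerberos v4 actually used; the constants LIFETIME and SKEW, the principals "alice", "tgs" and "mail", the addresses and the JSON field layout are all assumptions made for the example.

```python
# Kerberos v4 run following Table 14.1, with the server-side checks of Table 14.2. Added
# example, not code from the slides or from MIT Kerberos. The cipher is a stand-in (HMAC-SHA256
# keystream plus HMAC tag) for the DES v4 used; LIFETIME, SKEW, names and field layout are assumed.
import hashlib, hmac, json, os

LIFETIME = 8 * 3600  # ticket lifetime in seconds (assumed)
SKEW = 300           # tolerated clock skew for TS1/TS3/TS5 (assumed)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, fields):
    """E_K[fields]: authenticated encryption of a dict of message fields (stand-in cipher)."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    """Inverse of E; raises ValueError under the wrong key or after tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_ticket(Ks, K, IDc, ADc, IDs, TS, lifetime):
    """Ticket = E_Ks[K||IDc||ADc||IDs||TS||Lifetime]: (Ktgs, Kc,tgs, IDtgs, TS2, Lifetime2) gives
    Ticket_tgs, (Kv, Kc,v, IDv, TS4, Lifetime4) gives Ticket_v."""
    return E(Ks, {"K": K, "IDc": IDc, "ADc": ADc, "IDs": IDs, "TS": TS, "Lifetime": lifetime}).hex()

def make_authenticator(K, IDc, ADc, TS):
    """Authenticator_c = E_K[IDc||ADc||TS] (TS3 toward the TGS, TS5 toward V)."""
    return E(bytes.fromhex(K), {"IDc": IDc, "ADc": ADc, "TS": TS}).hex()

def verify(Ks, IDs, ticket_hex, auth_hex, sender_addr, now):
    """The checks Table 14.2 assigns to the ticket and authenticator fields; raises on failure."""
    t = D(Ks, bytes.fromhex(ticket_hex))  # E_Ktgs / E_Kv: only the intended server can open it
    if t["IDs"] != IDs:
        raise PermissionError("IDs: ticket is not for this server")
    if not t["TS"] <= now <= t["TS"] + t["Lifetime"]:
        raise PermissionError("Lifetime: ticket expired")
    a = D(bytes.fromhex(t["K"]), bytes.fromhex(auth_hex))  # only the ticket's owner knows K
    if a["IDc"] != t["IDc"] or a["ADc"] != t["ADc"]:
        raise PermissionError("IDc/ADc: authenticator does not match ticket")
    if t["ADc"] != sender_addr:
        raise PermissionError("ADc: ticket presented from a different workstation")
    if abs(a["TS"] - now) > SKEW:
        raise PermissionError("TS: stale authenticator (replay?)")
    return t, a

class KDC:  # AS and TGS share the principal database
    def __init__(self, users, servers):
        self.Kc = {u: hashlib.sha256(pw.encode()).digest() for u, pw in users.items()}  # Kc from password
        self.Ktgs = os.urandom(32)
        self.Kv = {v: os.urandom(32) for v in servers}  # long-term key shared with each server V

    def AS(self, IDc, IDtgs, TS1, addr, now):
        """(1) C->AS: IDc||IDtgs||TS1   (2) AS->C: E_Kc[Kc,tgs||IDtgs||TS2||Lifetime2||Ticket_tgs]"""
        if IDc not in self.Kc or abs(TS1 - now) > SKEW:
            raise PermissionError("unknown client or unsynchronized clock (TS1)")
        Kc_tgs = os.urandom(32).hex()
        tgt = make_ticket(self.Ktgs, Kc_tgs, IDc, addr, IDtgs, now, LIFETIME)
        return E(self.Kc[IDc], {"K": Kc_tgs, "IDs": IDtgs, "TS": now, "Lifetime": LIFETIME, "Ticket": tgt})

    def TGS(self, IDv, tgt, auth, addr, now):
        """(3) C->TGS: IDv||Ticket_tgs||Authenticator_c   (4) TGS->C: E_Kc,tgs[Kc,v||IDv||TS4||Ticket_v]"""
        t, _ = verify(self.Ktgs, "tgs", tgt, auth, addr, now)
        Kc_v = os.urandom(32).hex()
        tv = make_ticket(self.Kv[IDv], Kc_v, t["IDc"], t["ADc"], IDv, now, LIFETIME)
        return E(bytes.fromhex(t["K"]), {"K": Kc_v, "IDs": IDv, "TS": now, "Ticket": tv})

def server_V(Kv, IDv, tv, auth, addr, now):
    """(5) C->V: Ticket_v||Authenticator_c   (6) V->C: E_Kc,v[TS5+1] (mutual authentication)"""
    t, a = verify(Kv, IDv, tv, auth, addr, now)
    return E(bytes.fromhex(t["K"]), {"TS": a["TS"] + 1})

def run_client(kdc, IDc, password, IDv, addr, now, present_from=None, present_at=None):
    """Steps 1-6 from the workstation; True only if V echoes TS5+1 under Kc,v. present_from /
    present_at model replaying the captured ticket+authenticator from another host or too late."""
    present_from, present_at = present_from or addr, present_at or now
    Kc = hashlib.sha256(password.encode()).digest()
    m2 = D(Kc, kdc.AS(IDc, "tgs", now, addr, now))  # wrong password: D fails here, as Table 14.2 says
    auth3 = make_authenticator(m2["K"], IDc, addr, present_at)
    m4 = D(bytes.fromhex(m2["K"]), kdc.TGS(IDv, m2["Ticket"], auth3, present_from, present_at))
    auth5 = make_authenticator(m4["K"], IDc, addr, present_at)
    m6 = D(bytes.fromhex(m4["K"]), server_V(kdc.Kv[IDv], IDv, m4["Ticket"], auth5, present_from, present_at))
    return m6["TS"] == present_at + 1

def rejected(step):
    """Run one client attempt; return the refusal reason, or None if it succeeded."""
    try:
        step()
        return None
    except (PermissionError, ValueError) as exc:
        return str(exc)

if __name__ == "__main__":
    kdc, now = KDC({"alice": "correct horse battery"}, ["mail"]), 1_700_000_000  # constructed realm
    print(run_client(kdc, "alice", "correct horse battery", "mail", "10.0.0.5", now))
    print(rejected(lambda: run_client(kdc, "alice", "wrong", "mail", "10.0.0.5", now)))
    print(rejected(lambda: run_client(kdc, "alice", "correct horse battery", "mail", "10.0.0.5", now, "10.0.0.9")))
```

The three refusals worth watching are the ones the table motivates: a wrong password fails at the client's decryption of message (2), because $E_{K_c}$ is the only place the password is ever verified; a ticket and authenticator captured on the wire and presented from another host fail the $AD_c$ comparison even though they decrypt cleanly; and a ticket presented after $Lifetime$ has elapsed is refused before the authenticator is even examined. Note that v4's address binding and short authenticator lifetime are the only replay defences here; the protocol keeps no cache of seen authenticators, so a replay within SKEW from the same address would still succeed.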