[4782] in Kerberos
Re: What's in a ticket
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Sun Mar 12 18:49:41 1995
To: kerberos@MIT.EDU
Date: 12 Mar 1995 23:43:59 GMT
From: jik@cam.ov.com (Jonathan I. Kamens)
In article <795030833snx@dekard.demon.co.uk>, matt@dekard.demon.co.uk (Matt Mower) writes:
|> When the client sends the ticket to the application server to
|> authenticate itself, what is in the ticket which the application server
|> uses to decide if the client should be authenticated?
Part of the ticket that the client gets back from the KDC when it tells the
KDC that it wants to authenticate to a particular server is encrypted in the
server's key. Of course, the client can't decrypt that part of the ticket,
and (theoretically) neither can anyone else, except for the server.
So, the client sends the request to the server, and includes in that request
the data that's encrypted in the server's key. The server decrypts it, and
verifies that the information in it matches the unencrypted part of the
request, as well as the current time, etc. If it matches, the server knows
that it was encrypted and issued by the KDC (unless the server's key has been
compromised, of course), so the client is authenticated.
Oh, yeah.... Another thing included in the encrypted chunk of data is the
session key that the client and server can use to encrypt communications
between them.
--
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com