[4834] in Kerberos
Re: What's in a ticket
daemon@ATHENA.MIT.EDU (Steve Kneizys)
Fri Mar 17 14:53:20 1995
To: kerberos@MIT.EDU
Date: 17 Mar 95 14:39:53 EST
From: stevo@acad.ursinus.edu (Steve Kneizys)
In article <3k00vv$alv@pad-thai.cam.ov.com>, jik@cam.ov.com (Jonathan I. Kamens) writes:
> In article <795030833snx@dekard.demon.co.uk>, matt@dekard.demon.co.uk (Matt Mower) writes:
> |> When the client sends the ticket to the application server to
> |> authenticate itself, what is in the ticket which the application server
> |> uses to decide if the client should be authenticated?
>
> Part of the ticket that the client gets back from the KDC when it tells the
> KDC that it wants to authenticate to a particular server is encrypted in the
> server's key. Of course, the client can't decrypt that part of the ticket,
> and (theoretically) neither can anyone else, except for the server.
>
> So, the client sends the request to the server, and includes in that request
> the data that's encrypted in the server's key. The server decrypts it, and
> verifies that the information in it matches the unencrypted part of the
> request, as well as the current time, etc. If it matches, the server knows
> that it was encrypted and issued by the KDC (unless the server's key has been
> compromised, of course), so the client is authenticated.
>
> Oh, yeah.... Another thing included in the encrypted chunk of data is the
> session key that the client and server can use to encrypt communications
> between them.
Is kerberos implemented in the background for PCs and Macs? What I mean
is, I have seen that Eudora supports kerberos. That sounds wonderful, but
what I'd like is for a packet driver for the PC and for MacTCP or something
that interacts with MacTCP, so that all TCP/IP packets are encrypted.
What I am thinking is having a kerberos savy router, like a Linux box,
acting as the server, routing encrypted packets from a dormitory to
a secured but unencrypted set of VAXes, Unix boxes, etc., where no packet
sniffing is possible without a serious breech of physical security and such
naked packets are 'safe'. Is this at all possible?
I guess what I am saying is I have very little knowledge of kerberos
current capabilities but I'd like to learn! What is the RFC #, is there
an FAQ, etc.
Thanks a zillion!
Steve....