Hi, I am new to Kerberos and would appreciate some help understanding some basics:

What is the purpose of having a server public/private key architecture? I mean, when a user needs to be authenticated, the following is quite sufficient [or is it :)]:

1. UserID passed in plain-text to server;
2. Server submits an encrypted "challenge"-plus-unique-session_id with the user's password back to client;
3. Client decrypts challenge from server with password and conducts pre-defined scrambling (not encrypting) of plain-text;
4. Client encrypts scrambled plain-text with unique session_id and sends back to server;
5. Server decrypts with previously sent unique session_id and confirms correctness of scrambled challenge. If ok, client authenticated and new session_id passed for rest of the client's operations.

Each client is given its own unique session_id and the server knows which client it is by the session_id.

Can someone please help me understand why we then need server private and public keys (and why they have to travel as part of the authenticator)?

Many thanks,
JM

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
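The five-step exchange sketched in the question, as an added Python simulation with both the client and server side (this is not the poster's code and not Kerberos). The post specifies neither the cipher nor the "pre-defined scrambling", so a SHA-256 XOR keystream and a byte reversal are assumed as stand-ins.

```python
import hashlib
import hmac
import secrets

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (constructed for this example): XOR with a
    SHA-256 counter keystream. Illustrative only; reusing one key is unsafe."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse

def scramble(challenge: bytes) -> bytes:
    """The post's 'pre-defined scrambling' is unspecified; byte reversal is assumed."""
    return challenge[::-1]

class Server:
    def __init__(self, users: dict):
        self.users = users      # user_id -> password; the scheme uses it as a key
        self.pending = {}       # user_id -> (challenge, session_id) awaiting step 5
        self.sessions = {}      # session_id -> user_id for the client's later operations

    def step2_challenge(self, user_id: str) -> bytes:
        challenge, session_id = secrets.token_bytes(16), secrets.token_bytes(16)
        self.pending[user_id] = (challenge, session_id)
        # Challenge plus session_id, encrypted under the user's password (step 2)
        return toy_encrypt(self.users[user_id], challenge + session_id)

    def step5_verify(self, user_id: str, response: bytes):
        challenge, session_id = self.pending.pop(user_id)
        expected = scramble(challenge)
        if hmac.compare_digest(toy_decrypt(session_id, response), expected):
            new_sid = secrets.token_bytes(16)   # fresh id for the rest of the session
            self.sessions[new_sid] = user_id
            return new_sid
        return None

class Client:
    def __init__(self, user_id: str, password: bytes):
        self.user_id, self.password = user_id, password

    def step3_4_respond(self, blob: bytes) -> bytes:
        plain = toy_decrypt(self.password, blob)       # step 3: decrypt with password
        challenge, session_id = plain[:16], plain[16:]
        return toy_encrypt(session_id, scramble(challenge))  # step 4: encrypt with session_id

def run_exchange(server: Server, client: Client):
    blob = server.step2_challenge(client.user_id)        # step 1 is the user_id itself
    return server.step5_verify(client.user_id, client.step3_4_respond(blob))
```

A client holding the wrong password recovers a wrong session_id in step 3, so its step 4 message fails the server's check in step 5 and no new session_id is issued.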
