Hi,

While reading "The Moron's Guide to Kerberos, Version 1.2.2", found at http://www.isi.edu/gost/brian/security/kerberos.html, I decided to document the "whole" Kerberos process, starting from the USER getting a TGT up to the USER getting the actual ticket and establishing a session with his desired service. Here are my writings:

Legend:
AU -> authentication server (Kerberos)
SERVICE -> the service the user is requesting a ticket for
SERVER -> the computer running the service the user wants to use
SNAME -> server's name
USER -> the one who is requesting the ticket to use a certain service
UNAME -> user's name
SKEY -> session key
SVKEY -> the password for a particular service, known only to AU and SERVER
EDATA -> encrypted data
TGS SERVER (KDC) -> ticket granting server, possibly residing with AU
TGT -> ticket granting ticket

Note: SKEY1 and SKEY2 are identical.

1. USER sends his UNAME and the desired SERVICE (this time TGS) to AU
2. AU looks in its database to see if UNAME really exists, and if so...
3. AU creates two SKEYs
4. AU encrypts SKEY1 together with SNAME using the USER's password and packages it into EDATA1
5. AU encrypts SKEY2 together with USER's name using SVKEY and packages it into EDATA2 (ticket)
6. AU sends the two EDATA back to USER
7. USER decrypts EDATA1 using his password, extracting SKEY1 and SERVER's name (TGS)
8. USER encrypts the current time using SKEY1 and packages it into EDATA3 (authenticator)
9. USER sends EDATA2 and EDATA3 to TGS SERVER
10. TGS SERVER decrypts EDATA2 using its SERVICE's password, extracting SKEY2 and USER's name
11. SERVICE (TGS) decrypts EDATA3 using SKEY2, extracting the current time that came from USER
12. upon decryption, TGS SERVER knows the ticket really came from AU and also the TTL of the ticket
13. the session now begins; in this case, TGS SERVER sends a TGT back to USER

??> Does this mean that AU is sending an unencrypted TGT to the USER? Does this mean that any future session with a particular service, e.g. retrieving an email from a POP server, will not be tunneled into encrypted form?

14. if USER wants to use another SERVICE, he will just use his TGT to request a ticket from TGS SERVER

??> This one seems to be vague. Does this mean the USER will send his TGT back to TGS SERVER? Unencrypted?

Quoting: "Furthermore, the reply is encrypted not with the user's secret key, but with the session key that the AS provided for use with the TGS"

15. TGS SERVER encrypts the ticket using SKEY2 and packages it into EDATA4.

The explanation ends at step 15. The author didn't tell how "EXACTLY" the USER will use the TGT in step 14 to get actual service tickets. Also, in step 15, he did mention what the user will do upon arrival of the encrypted service ticket. He said that after step 15, the process repeats itself, so I'm guessing the repetition happens on the 8th step, such that he will again create an encrypted authenticator and forward it to the SERVER together with the encrypted ticket that came from TGS. What do you think??

Thank you very much...

-Mark Jayson R. Alvarez

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
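An added example, not part of Mark's post nor of the guide he is reading: a Python simulation of steps 1 to 15 above, carried on through the step-14 TGS request and the final presentation of a service ticket, following the standard Kerberos 5 structure (AS exchange, TGS exchange, AP exchange). Everything concrete here is a constructed stand-in: the HMAC-based cipher is not a Kerberos enctype, `password_key` is not the real string-to-key, and the principal names ("mark", "krbtgt", "pop/mail"), the `KDC`/`Client` classes and `verify_ap_req` are this example's own. Realms, nonces, replay caches and the KDC's own time source are left out.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated cipher, constructed for this example (not a Kerberos enctype):
# HMAC-SHA256 counter-mode keystream plus an HMAC tag so a wrong key is detected.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def password_key(password):
    """Stand-in for Kerberos string-to-key: the USER's password is his long-term key."""
    return hashlib.sha256(password.encode()).digest()

def verify_ap_req(service_key, ticket, authenticator, now, skew=300):
    """Steps 10-12, done identically by the TGS and by any SERVICE holding its own SVKEY.
    The ticket opens only under SVKEY (so AU issued it); the authenticator opens only
    under the SKEY inside the ticket (so the sender obtained that SKEY from AU)."""
    body = decrypt(service_key, ticket)
    if body["expires"] < now:
        raise ValueError("ticket expired")
    auth = decrypt(bytes.fromhex(body["skey"]), authenticator)
    if auth["uname"] != body["uname"] or abs(auth["time"] - now) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    return body

class KDC:
    """AU and TGS SERVER in one process; keys maps each principal (user, krbtgt, service) to its key."""
    def __init__(self, keys, lifetime=8 * 3600):
        self.keys, self.lifetime = keys, lifetime
    def _issue(self, reply_key, uname, sname, now):
        skey, expires = os.urandom(32).hex(), now + self.lifetime   # one SKEY in both halves (steps 3-5)
        ticket = encrypt(self.keys[sname], {"skey": skey, "uname": uname, "expires": expires})
        return encrypt(reply_key, {"skey": skey, "sname": sname, "expires": expires}), ticket
    def as_exchange(self, uname, now):
        """Steps 1-6: reply under the USER's password key, TGT under krbtgt's own key."""
        return self._issue(self.keys[uname], uname, "krbtgt", now)
    def tgs_exchange(self, tgt, authenticator, sname, now):
        """Steps 9-15: the reply is encrypted under the TGS session key, never under the password."""
        tgt_body = verify_ap_req(self.keys["krbtgt"], tgt, authenticator, now)
        return self._issue(bytes.fromhex(tgt_body["skey"]), tgt_body["uname"], sname, now)

class Client:
    def __init__(self, uname, password):
        self.uname, self.key, self.creds = uname, password_key(password), {}
    def make_ap_req(self, sname, now):
        """Step 8, and the answer to the step-14 question: the ticket goes back out as the same
        opaque blob the KDC issued, together with a fresh authenticator under its session key."""
        skey, ticket = self.creds[sname]
        return ticket, encrypt(skey, {"uname": self.uname, "time": now})
    def login(self, kdc, now):
        reply, tgt = kdc.as_exchange(self.uname, now)
        body = decrypt(self.key, reply)                     # step 7: only the password opens this
        self.creds["krbtgt"] = (bytes.fromhex(body["skey"]), tgt)
    def get_service_ticket(self, kdc, sname, now):
        tgt, authenticator = self.make_ap_req("krbtgt", now)
        reply, ticket = kdc.tgs_exchange(tgt, authenticator, sname, now)
        body = decrypt(self.creds["krbtgt"][0], reply)      # TGS session key, not the password
        self.creds[sname] = (bytes.fromhex(body["skey"]), ticket)

def run_demo(now=1_700_000_000.0):
    """Whole flow with constructed principals: login, get a pop/mail ticket, present it to the POP server."""
    kdc = KDC({"mark": password_key("hunter2"), "krbtgt": os.urandom(32), "pop/mail": os.urandom(32)})
    client = Client("mark", "hunter2")
    client.login(kdc, now)
    client.get_service_ticket(kdc, "pop/mail", now + 1)
    ticket, authenticator = client.make_ap_req("pop/mail", now + 2)
    # the POP server never contacts the KDC; its own SVKEY is enough to check the ticket
    return verify_ap_req(kdc.keys["pop/mail"], ticket, authenticator, now + 2)["uname"]

def login_succeeds(real_password, typed_password, now=1_700_000_000.0):
    """Step 7 fails closed: a wrong password cannot open EDATA1, so no SKEY is obtained."""
    kdc = KDC({"mark": password_key(real_password), "krbtgt": os.urandom(32)})
    try:
        Client("mark", typed_password).login(kdc, now)
        return True
    except ValueError:
        return False

def ap_req_accepted_after(delay, now=1_700_000_000.0):
    """The authenticator timestamp is what limits replay of a captured ticket: a stale one is refused."""
    kdc = KDC({"mark": password_key("hunter2"), "krbtgt": os.urandom(32)})
    client = Client("mark", "hunter2")
    client.login(kdc, now)
    tgt, authenticator = client.make_ap_req("krbtgt", now)
    try:
        verify_ap_req(kdc.keys["krbtgt"], tgt, authenticator, now + delay)
        return True
    except ValueError:
        return False
```

Two things the simulation makes visible that the numbered steps leave open. The TGT sent in step 13 is the blob `as_exchange` encrypted under krbtgt's own key, so the USER can carry it around but never read it, and in step 14 he sends exactly that blob back, unchanged, together with a new authenticator; the TGS cannot tell the difference between that and step 9, which is why `tgs_exchange` reuses `verify_ap_req`. Second, the step-15 reply is opened with the session key learned in step 7, not with the password, and its ticket is then presented to the final SERVER the same way (steps 8 to 12 again), with the SERVER verifying it offline using only its SVKEY. Per-session confidentiality of the later POP traffic is not something the ticket exchange itself provides; it only establishes the shared session key that such protection would have to be built on.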
