Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Overview
Authentication Process
Chapter 130
Step 8. The TGS decrypts the authenticator to check the user’s identity and verifies that the user’s TGT and credentials have not expired. The TGS reads the secured application’s service principal key from the principal database, then builds and sends a reply back to the secured client application.
The reply contains two different packets:
• The packet intended for the service principal contains a service ticket, a new session key, an authenticator and other information, all encrypted in the service principal’s key.
• The packet intended for the client contains the same session key and other information.
Both packets are encrypted in a session key received by the client with the TGT.
Step 9. The secured application uses the session key received with the TGT to decrypt the reply. It stores the service ticket packet and the new session key in the user’s credentials cache. The client does not attempt to decrypt the service ticket portion of the reply; it cannot, as it does not have the service principal’s key that was used to encrypt it.
Step 10. The secured application sends the service ticket packet to the secured service, requesting a connection. The secured service decrypts the packet using its key stored in a service key table file (the default key table file name is v5srvtab).
If the service can decrypt the packet, it uses the session key included in the packet to decrypt the authenticator, which contains the user principal’s name and a timestamp. The service checks that the timestamp is within a five minute window centered around the service’s clock. This limits an attacker’s ability to replay a ticket at a time outside the clock skew.
From the principal name contained in the authenticator, the service knows that the user has been authenticated and is who the user claims to be. The service then performs authorization checks for the principal name. If the checks are successful, a connection is established.
Step 11. The secured application may require the secured service to authenticate itself (mutual authentication).
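The following Python model walks through Steps 8 to 11 end to end. It is an added illustration, not code from HP-UX or from the Kerberos distribution: the "encryption" is a toy encrypt-then-MAC built from the standard library (not a Kerberos enctype), the principal names, keys and the eight-hour ticket lifetime are constructed, the authenticator is built by the client as Step 10 describes the service decrypting it with the session key, the five-minute window is taken as a maximum clock skew of 300 seconds either side of the service's clock, and the `authorized` set stands in for the service's authorization check. It goes one step beyond the text by adding a replay cache, which is what closes the gap the skew check leaves for a ticket replayed inside the window.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300            # assumed: seconds either side of the service clock that are accepted
TICKET_LIFETIME = 8 * 3600  # constructed ticket lifetime for the demo


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, not a Kerberos enctype)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, fields: dict) -> str:
    """Encrypt-then-MAC a JSON record; returns hex of nonce || ciphertext || tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return (nonce + ciphertext + tag).hex()


def unseal(key: bytes, blob_hex: str) -> dict:
    """Verify the tag under `key`, then decrypt. A wrong key raises, never returns garbage."""
    blob = bytes.fromhex(blob_hex)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cannot decrypt: wrong key or tampered packet")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def tgs_reply(service_key: bytes, tgt_session_key: bytes, user: str, service: str, now: int) -> dict:
    """Step 8: one packet under the service principal's key, one under the TGT session key."""
    new_session_key = os.urandom(32).hex()
    ticket = seal(service_key, {"user": user, "service": service,
                                "skey": new_session_key, "expires": now + TICKET_LIFETIME})
    enc_part = seal(tgt_session_key, {"service": service, "skey": new_session_key})
    return {"ticket": ticket, "enc_part": enc_part}


def client_store_reply(tgt_session_key: bytes, reply: dict, ccache: dict) -> None:
    """Step 9: decrypt only the client packet; the service ticket is cached opaquely."""
    part = unseal(tgt_session_key, reply["enc_part"])
    ccache[part["service"]] = {"ticket": reply["ticket"], "skey": part["skey"]}


def client_ap_req(ccache: dict, service: str, user: str, now: int) -> dict:
    """Step 10, client side: the cached ticket plus an authenticator under the session key."""
    entry = ccache[service]
    return {"ticket": entry["ticket"],
            "authenticator": seal(bytes.fromhex(entry["skey"]), {"user": user, "ts": now})}


class Service:
    """Step 10, service side, and Step 11. `authorized` stands in for the service's ACL."""

    def __init__(self, name: str, key: bytes, authorized: set):
        self.name, self.key, self.authorized = name, key, authorized
        self.replay_cache = {}  # (user, authenticator timestamp) -> time first seen

    def accept(self, ap_req: dict, now: int):
        """Return (verdict, ap_rep); ap_rep is the mutual-authentication packet or None."""
        try:
            ticket = unseal(self.key, ap_req["ticket"])  # key from the service key table
        except ValueError:
            return "bad ticket", None
        if ticket["service"] != self.name or now > ticket["expires"]:
            return "ticket expired or for another service", None
        skey = bytes.fromhex(ticket["skey"])
        try:
            auth = unseal(skey, ap_req["authenticator"])
        except ValueError:
            return "bad authenticator", None
        if auth["user"] != ticket["user"]:
            return "principal mismatch", None
        if abs(now - auth["ts"]) > MAX_SKEW:  # the five-minute window around the service clock
            return "clock skew", None
        # entries older than the window can no longer be replayed, so they are dropped;
        # anything still inside the window must be seen at most once
        self.replay_cache = {k: t for k, t in self.replay_cache.items() if now - t <= 2 * MAX_SKEW}
        if (auth["user"], auth["ts"]) in self.replay_cache:
            return "replay", None
        self.replay_cache[(auth["user"], auth["ts"])] = now
        if auth["user"] not in self.authorized:  # authorization check on the principal name
            return "not authorized", None
        # Step 11: the service proves it holds the session key by echoing the timestamp under it
        return "ok", seal(skey, {"ts": auth["ts"]})


def run_demo() -> dict:
    """Drive Steps 8 to 11 with constructed keys and principals; returns the verdicts."""
    service_key, tgt_session_key = os.urandom(32), os.urandom(32)
    svc = Service("host/hpux.example.com", service_key, {"alice"})  # constructed names
    now = 1_700_000_000
    ccache = {}
    client_store_reply(tgt_session_key, tgs_reply(service_key, tgt_session_key, "alice", svc.name, now), ccache)
    try:  # Step 9: the client holds no service key, so the ticket packet is opaque to it
        unseal(tgt_session_key, ccache[svc.name]["ticket"])
        client_can_read_ticket = True
    except ValueError:
        client_can_read_ticket = False
    req = client_ap_req(ccache, svc.name, "alice", now)
    verdict, ap_rep = svc.accept(req, now + 30)
    results = {"client_can_read_ticket": client_can_read_ticket, "first": verdict,
               "mutual_auth_ok": unseal(bytes.fromhex(ccache[svc.name]["skey"]), ap_rep)["ts"] == now}
    results["replay"] = svc.accept(req, now + 60)[0]                # same packet presented again
    results["stale"] = svc.accept(client_ap_req(ccache, svc.name, "alice", now - 600), now)[0]
    bob_cache = {}  # bob authenticates fine but is not in the service's ACL
    client_store_reply(tgt_session_key, tgs_reply(service_key, tgt_session_key, "bob", svc.name, now), bob_cache)
    results["unauthorized"] = svc.accept(client_ap_req(bob_cache, svc.name, "bob", now), now)[0]
    return results
```

Running `run_demo()` shows the properties the steps rely on: the client cannot open the ticket packet, a fresh authenticator is accepted and answered with a mutual-authentication packet, the same packet presented a second time is refused by the replay cache even though it is still inside the skew window, an authenticator 600 seconds old is refused by the skew check, and a correctly authenticated principal is still refused when the authorization check fails.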