OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


Yes, your description is correct.

However smart card is not most common form of pre-auth - an encrypted
timestamp is most commonly used.


-----Original Message-----
From: John Kemp [mailto:john.kemp@nokia.com] 
Sent: 04 June 2004 14:44
To: Tim Alsop
Cc: p.madsen@entrust.com; security-services@lists.oasis-open.org
Subject: Re: [security-services] RE: AuthenticationMethod /
NameIdentifier and Kerberos authentication


Thanks, so I have just one more round of clarification ;) See below:

ext Tim Alsop wrote:

>Comments below :
>-----Original Message-----
>From: John Kemp [mailto:john.kemp@nokia.com] 
>Sent: 04 June 2004 13:08
>To: Tim Alsop
>Cc: p.madsen@entrust.com; security-services@lists.oasis-open.org
>Subject: Re: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>Tim (or anyone else)
>i) the pre-authentication is in addition to the "normal" authentication

>protocol defined by Kerberos. So, although the principal may be passing

>a password in the authentication request, there may also be some 
>pre-authentication data. Correct?
>Tim> Yes, correct. Except that 'normal' does not involve passing a
>password. There are never any passwords transmitted (or stored
>when using the Kerberos protocol.
Yes, I'm sorry - I didn't mean that the principal is *passing* the 
password in the request. What I meant was that the thing that actually 
authenticates the principal is the password, which is the secret that is

shared between the KDC and the principal. The KDC encrypts a session key

with a hash of that password. If the client can decrypt and use that 
subsequently, it is the case that the client posesses the correct shared


In authentication context terms, the password is the Principal 
Authentication Mechanism. The Authenticator (the thing passed across the

network) is a shared secret, used in a challenge-response protocol. 
Specifically, the shared secret that is passed is a session key, 
encrypted using the principal's hashed password.

The pre-authentication method is thus an additional piece of information

that indicates that the user also authenticated initially to the KDC 
using some mechanism (such as a smart card).

- JohnK

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]