Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
John,

Yes, your description is correct. However, smart card is not the most common form of pre-auth - an encrypted timestamp is most commonly used.

Tim.

-----Original Message-----
From: John Kemp [mailto:john.kemp@nokia.com]
Sent: 04 June 2004 14:44
To: Tim Alsop
Cc: p.madsen@entrust.com; security-services@lists.oasis-open.org
Subject: Re: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

Tim,

Thanks, so I have just one more round of clarification ;) See below:

ext Tim Alsop wrote:
>Comments below :
>
>-----Original Message-----
>From: John Kemp [mailto:john.kemp@nokia.com]
>Sent: 04 June 2004 13:08
>To: Tim Alsop
>Cc: p.madsen@entrust.com; security-services@lists.oasis-open.org
>Subject: Re: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>Tim (or anyone else)
>
>So:
>
>i) the pre-authentication is in addition to the "normal" authentication
>protocol defined by Kerberos. So, although the principal may be passing
>a password in the authentication request, there may also be some
>pre-authentication data. Correct?
>Tim> Yes, correct. Except that 'normal' does not involve passing a
>password. There are never any passwords transmitted (or stored anywhere)
>when using the Kerberos protocol.
>

Yes, I'm sorry - I didn't mean that the principal is *passing* the password in the request. What I meant was that the thing that actually authenticates the principal is the password, which is the secret that is shared between the KDC and the principal. The KDC encrypts a session key with a hash of that password. If the client can decrypt and use that subsequently, it is the case that the client possesses the correct shared secret. In authentication context terms, the password is the Principal Authentication Mechanism. The Authenticator (the thing passed across the network) is a shared secret, used in a challenge-response protocol.

Specifically, the shared secret that is passed is a session key, encrypted using the principal's hashed password. The pre-authentication method is thus an additional piece of information that indicates that the user also authenticated initially to the KDC using some mechanism (such as a smart card).

- JohnK
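The exchange the thread describes (encrypted-timestamp pre-authentication, then a session key returned encrypted under the client's password-derived key, with the password itself never on the wire), as an added example that is not part of this thread: a Python model in which string_to_key, seal/unseal, KDC_DB and the principal and password values are constructed stand-ins for the real Kerberos etypes and principal database, while the message names and error codes are the Kerberos ones.

```python
import hashlib, hmac, os, secrets

CLOCK_SKEW = 300  # seconds of clock difference the KDC tolerates

def string_to_key(password: str, cname: str) -> bytes:
    # Stand-in for Kerberos string2key: the long-term key is derived from the
    # password, salted with realm + principal; the password never goes on the wire.
    principal, realm = cname.split("@")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption (HMAC keystream + HMAC tag); not a Kerberos etype.
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed KDC principal database (one principal, constructed password).
KDC_DB = {"alice@EXAMPLE.COM": string_to_key("correct-horse-battery", "alice@EXAMPLE.COM")}

def kdc_as_exchange(cname: str, pa_enc_timestamp: bytes, kdc_now: int):
    """AS-REQ handler. Pre-auth is verified first, so the KDC returns nothing
    encrypted under the client's key until the client has proven it holds that key."""
    client_key = KDC_DB[cname]
    try:
        ts = int.from_bytes(unseal(client_key, pa_enc_timestamp), "big")
    except ValueError:
        return ("KRB-ERROR", "KDC_ERR_PREAUTH_FAILED")
    if abs(kdc_now - ts) > CLOCK_SKEW:
        return ("KRB-ERROR", "KRB_AP_ERR_SKEW")
    session_key = secrets.token_bytes(32)  # fresh key the client and KDC will share
    return ("AS-REP", seal(client_key, session_key))  # enc-part: only client_key opens it

def client_login(cname: str, password: str, now: int):
    """Client side: send AS-REQ with PA-ENC-TIMESTAMP, then decrypt the AS-REP enc-part.
    Returns the session key, or None if the KDC rejected the request."""
    key = string_to_key(password, cname)
    msg, body = kdc_as_exchange(cname, seal(key, now.to_bytes(4, "big")), now)
    return unseal(key, body) if msg == "AS-REP" else None
```

The point for a defender is the ordering: with pre-authentication enforced, a request made without the correct key gets only a KRB-ERROR back, never an enc-part to examine.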