Subject: RE: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket

Are we discussing user-to-user for WS-Security?

Anyway, for user-to-user the TGT is not passed to the other user. In fact a TGT is never passed to anybody when using Kerberos apart from when it is sent to the KDC as part of a TGS-REQ message, or when a forwardable TGT is being transported inside a service ticket. For user-to-user, what actually happens is that the initiating user's TGT is used to obtain a service ticket (containing a session key) from the KDC. The service ticket is then presented to the accepting user, who is able to decrypt the ticket because it was encrypted by the KDC (third party) using his key (derived from his password).

I thought we were in fact discussing protecting sessions with Kerberos keys, but you seem to have introduced the subject of user-to-user authentication, which is a different consideration. Regardless of whether user-to-user or user-to-service is being used with Kerberos, there is still a unique and random session key which is used for message protection between initiator and acceptor.

Thanks, Tim.
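The flow described in the message above, as an added illustration that is not code from this thread or from any Kerberos implementation: a toy KDC issues a TGT sealed under its own key, then a service ticket sealed under the acceptor's key, and a wire log records which principal ever receives the TGT bytes. Key derivation, the encrypt-then-MAC stand-in, the principal names and the ticket fields are all simplified assumptions.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):               # HMAC-SHA256 counter keystream (toy, not Kerberos enctypes)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):                       # toy encrypt-then-MAC of a JSON dict
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):                    # fails unless the holder has the right key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

KDC_KEY = os.urandom(32)                  # known only to the KDC
KEYS = {p: hashlib.sha256(f"{p}-pw".encode()).digest() for p in ("alice", "bob")}  # constructed principals; stand-in for string-to-key
WIRE = []                                 # every transmitted blob: (sender, receiver, label, blob)

def send(src, dst, label, blob): WIRE.append((src, dst, label, blob)); return blob

def as_exchange(user):                    # AS-REQ/AS-REP: TGT plus the TGT session key
    send(user, "kdc", "AS-REQ", user.encode())
    sk = os.urandom(32)
    tgt = send("kdc", user, "AS-REP.tgt", seal(KDC_KEY, {"client": user, "key": sk.hex()}))
    enc = send("kdc", user, "AS-REP.enc", seal(KEYS[user], {"key": sk.hex()}))
    return tgt, bytes.fromhex(unseal(KEYS[user], enc)["key"])

def tgs_exchange(user, tgt, sk, acceptor):  # TGS-REQ is the only place the TGT is sent
    send(user, "kdc", "TGS-REQ", tgt)
    who = unseal(KDC_KEY, tgt)["client"]  # the KDC, not the client, reads the TGT
    ssk = os.urandom(32)                  # fresh random session key for this initiator/acceptor pair
    ticket = send("kdc", user, "TGS-REP.ticket", seal(KEYS[acceptor], {"client": who, "key": ssk.hex()}))
    enc = send("kdc", user, "TGS-REP.enc", seal(sk, {"key": ssk.hex()}))
    return ticket, bytes.fromhex(unseal(sk, enc)["key"])

def ap_exchange(user, acceptor, ticket, ssk, msg):  # ticket to the acceptor, payload under the session key
    send(user, acceptor, "AP-REQ", ticket)
    peer_key = bytes.fromhex(unseal(KEYS[acceptor], ticket)["key"])  # acceptor's own key opens the ticket
    return unseal(peer_key, send(user, acceptor, "MSG", seal(ssk, {"body": msg})))["body"]

def run(user, acceptor, msg):             # returns (decrypted body, set of parties that ever received the TGT bytes)
    tgt, sk = as_exchange(user)
    ticket, ssk = tgs_exchange(user, tgt, sk, acceptor)
    return ap_exchange(user, acceptor, ticket, ssk, msg), {dst for _, dst, _, b in WIRE if tgt in b}
```

The returned set shows the TGT reaching only its owner (via AS-REP) and the KDC (via TGS-REQ), never the acceptor, while the acceptor still recovers the session key from the service ticket.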

-----Original Message-----
From: Frank Siebenlist [mailto:franks@mcs.anl.gov]
Sent: 04 May 2004 18:03
To: Tim Alsop
Cc: Hallam-Baker, Phillip; wss@lists.oasis-open.org
Subject: Re: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket

Sorry, but for user-to-user authentication, the TGT has to be communicated to
the other party, such that a server ticket can be obtained from the KDC.

-Frank.



Tim Alsop wrote:

> I agree. Another point worth mentioning is that when the Kerberos protocol is used correctly and securely the TGT should not be transmitted anywhere. The TGT is designed to stay in a workstation or server credential cache and not be transmitted. However, service tickets are designed to be transmitted across networks so that mutual authentication, integrity and confidentiality can occur between initiator and acceptor.

>
> Thanks,
> Tim.
>
> -----Original Message-----
> From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
> Sent: 22 April 2004 17:24
> To: wss@lists.oasis-open.org
> Subject: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket
>
> I believe that the Ticket Granting Ticket should be eliminated from the
> Kerberos profile.
>
> The only valid use for a TGT is with the Kerb key derivation algorithm.
> That has no place in WS-Security. If it does appear it would be in WS-Trust
> or the like and not in WS-Security.
>
> Encrypting a WS-Security message with a TGT could lead to cross protocol
> attacks. Really bad voodoo. I propose that unless someone gives a good
> reason to keep TGT in the Kerb profile and describes fully how to use it
> that we should eliminate it.

--
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory


