The Kerberos Authenticator

  

The authenticator proves the client's credential to the server. Unlike the ticket, it can only be used during one session to the server. The authenticator is manufactured by the client instance of Kerberos. It assures the TGS that the party presenting the ticket to the TGS is the same client to which the AS issued the ticket. It has a very limited life to prevent replay attacks from other clients.

The authenticator is represented by:

$Authenticator_{client} = \{client, address, timestamp\}\ Key_{client,server}$

The client is the client's full principal, the address is the client's network address, and the timestamp is the client's current time when the authenticator was created. The client sends this along with the ticket to the target service, and the service compares address to address and principal name to principal name to validate the client's credential. The timestamp contains the client's current time to the millisecond to avoid an impersonation with the same authenticator at a later time, and to prevent the client from sending duplicate authenticators to the target service.

$Key_{client,server}$ is the random session key that the KDC generates; it can only be read using the client's secret key. Sometimes mutual authentication is necessary. The client requires mutual authentication when it needs to guard against an impersonation of the target service that aims to collect client information. When the client has sent the authenticator and ticket to the target server and requires mutual authentication, the server must respond with its authenticator and ticket pair.

The authenticator of the server is the client's timestamp + 1 millisecond, encrypted in the same key as the client's authenticator. This proves that the target server was able to decrypt the timestamp from the client. Because this scheme depends so heavily on time synchronization between clients and servers, the Kerberos system allows the machines to have a five-minute difference; beyond that, the result is a time-out-of-bound error.
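The server-side checks described above (principal and address comparison, the five-minute window, duplicate rejection, and the timestamp + 1 ms reply) can be sketched as follows. This is an added example, not code from the book or from any Kerberos library: the class and field names are hypothetical, the sample values are constructed, and decryption with the session key is assumed to have already happened.

```python
from dataclasses import dataclass

MAX_SKEW_MS = 5 * 60 * 1000  # five-minute tolerance stated in the text

@dataclass(frozen=True)
class Ticket:                # fields the service recovered from the ticket
    client: str
    address: str

@dataclass(frozen=True)
class Authenticator:         # {client, address, timestamp} after decryption
    client: str
    address: str
    timestamp_ms: int

class AuthenticatorVerifier:
    """Hypothetical server-side verifier; not a real Kerberos API."""

    def __init__(self):
        self._seen = set()   # authenticators accepted inside the skew window

    def verify(self, ticket, auth, now_ms):
        """Return (ok, detail); on success detail is the mutual-auth reply value."""
        # Forget entries the skew check would reject anyway.
        self._seen = {k for k in self._seen if abs(now_ms - k[2]) <= MAX_SKEW_MS}
        if auth.client != ticket.client:
            return False, "principal mismatch"
        if auth.address != ticket.address:
            return False, "address mismatch"
        if abs(now_ms - auth.timestamp_ms) > MAX_SKEW_MS:
            return False, "time-out-of-bound"
        key = (auth.client, auth.address, auth.timestamp_ms)
        if key in self._seen:
            return False, "replay"
        self._seen.add(key)
        # Mutual authentication: the server sends back timestamp + 1 ms,
        # encrypted under the session key (encryption omitted here).
        return True, auth.timestamp_ms + 1

def demo():
    now = 1_000_000_000_000  # constructed clock value in milliseconds
    who, addr = "alice@EXAMPLE.COM", "192.0.2.10"  # constructed sample values
    ticket, v = Ticket(who, addr), AuthenticatorVerifier()
    fresh = Authenticator(who, addr, now - 1500)
    return [
        v.verify(ticket, fresh, now),                        # accepted
        v.verify(ticket, fresh, now + 10),                   # same one again
        v.verify(ticket, Authenticator(who, "192.0.2.99", now), now),
        v.verify(ticket, Authenticator(who, addr, now - MAX_SKEW_MS - 1), now),
    ]

if __name__ == "__main__":
    print(demo())
```

The replay cache only needs to remember authenticators for as long as the skew window would still accept them, which is why stale entries are pruned on each call.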

  


Java Security Solutions
ISBN: 0764549286
EAN: 2147483647
Year: 2001
Pages: 222
