Preauth Framework and Common Extensions - PowerPoint PPT Presentation
Title:
Preauth Framework and Common Extensions
Description:
Combining keys. KDC state management. Pre-Authentication set. Kerb FAST ... PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { pa-type [1] Int32, -- same as padata-type. ... – PowerPoint PPT presentation
Number of Views:15
Avg rating:3.0/5.0
Title: Preauth Framework and Common Extensions
1
Preauth Framework and Common Extensions
- Larry Zhu (Microsoft)
- Sam Hartman (MIT)
- IETF67
2
Information Model for Preauth
- The reply key used to encrypt the KDC reply
- The strength of client authentication
- Whether the reply key has been used
- Whether the reply key has been replaced
- Whether the contents of the KDC reply can be
verified by the client principal - Whether the contents of the KDC reply can be
verified by the client machine
3
Preauth Facilities
- Client-authentication
- Strengthening reply key
- Replacing reply key
- KDC-authentication
4
Common Extensions
- Combining keys
- KDC state management
- Pre-Authentication set
- Kerb FAST
- Authentication strength indication
5
Combining Keys
- KRB-FX-CF1()
- KRB-FX-CF2()
6
KDC state management
- cookie, it is specific to a KDC
- Distributed cookie for replicated KDCs
7
Preauth set
- PA-AUTHENTICATION-SET SEQUENCE OF
PA-AUTHENTICATION-SET-ELEM - PA-AUTHENTICATION-SET-ELEM SEQUENCE pa-type
1 Int32, - -- same as padata-type.
- pa-hint 2 OCTET STRING, -- hint data. ...
8
KERB FAST
- KrbFastReq SEQUENCE
- fast-options 0 FastOptions,
- padata 1 SEQUENCE OF PA-DATA,
- timestamp 2 KerberosTime,
- usec 3 Microseconds,
- req-nonce 4 OCTET STRING,
- ...
9
KERB-FAST continued
- KrbFastResponse SEQUENCE
- padata 1 SEQUENCE OF PA-DATA,
- finish 2 KrbFastFinish OPTIONAL,
- rep-nonce 3 OCTET STRING,
- ...
