Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000) Previous Document: 1.24. Does Kerberos support multi-homed machines? Next Document: 1.26. What are forwardable tickets? See reader questions & answers on this topic! - Help others by sharing your knowledge From: Don Davis <dtd@world.std.com> User-to-user authentication is a special Kerberos application protocol, that allows users to host secure application services on their desktop machines. It is increasingly common for users to offer desktop services that merit secure authentication, such as nfs and ftp. When users configure their desktop servers with a long-lived srvtab key, this long-lived key becomes a very attractive target for theft. User-to-user authentication enables a user to run a server without keeping a long-lived key on disk. Instead, the user's short-lived TGS session-key takes the place of the usual srvtab secret key, in the server's authentication handshakes. Authentication in Kerberos happens between a client and server. The client gets a ticket for a service, and the server decrypts this ticket using its secret key. This works fine for a physically- secure server, which keeps its secret key on its local disk. But, storing the server's key on disk doesn't work for services that run on users' desktop machines, since no-one should keep a long-lived secret key on an insecure disk drive. The solution to this problem is called user-to-user authentication, and it is implemented in Kerberos 5. In the user-to-user protocol, one user acts as a server, and the other user acts as a client. at the client-user's request, the server-user sends his TGT (but not his session key) to the client-user, who then gets credentials from the KDC, encrypted with the session keys of both TGTs. Both users can decrypt the new session-key and use it to verify each other's identity. The advantage of the U2U scheme is that the server-user exposes only his short-lived TGS session-key to theft; he keeps his long-lived secret, his password, in his biological memory. An attacker is less likely to bother to steal a short-lived server-key. However, U2U's downside is that the desktop server cannot operate autonomously; the service-operator has to refresh his TGT in order for the server to keep accepting clients' requests. Applications have to handle user-to-user authentication as a special case; Kerberos 5 does not offer an API that hides the difference between desktop servers and physically-secure servers. For this reason, very few services currently support the user-to-user protocol. The user-to-user protocol was originally designed for authenticating X-windows sessions, where the server usually runs on an insecure desktop machine. See Question 3.10 for more information on this. The motivation and theory behind user to user authentication is described in the paper: * Don Davis, Ralph Swick, "Workstation Services and Kerberos Authentication at Project Athena" <ftp://athena-dist.mit.edu/pub/ATHENA/kerberos/doc/user2user.ps> User Contributions:Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000) Previous Document: 1.24. Does Kerberos support multi-homed machines? Next Document: 1.26. What are forwardable tickets? Single Page [ Usenet FAQs | Web FAQs | Documents | RFC Index ] Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Last Update March 27 2014 @ 02:11 PM
|
Comment about this article, ask questions, or add new information about this topic: