DataMuseum.dk

Presents historical artifacts from the history of:

DKUUG/EUUG Conference tapes

This is an automatic "excavation" of a thematic subset of
artifacts from Datamuseum.dk's BitArchive.

See our Wiki for more about DKUUG/EUUG Conference tapes

Excavated with: AutoArchaeologist - Free & Open Source Software. 

top - metrics - download
Index: T U

⟦59b98d503⟧ TextFile

    Length: 44791 (0xaef7)
    Types: TextFile
    Notes: Uncompressed file

Derivation

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦f6c6e14fe⟧ »./papers/Kerberos/user2user.ps.Z« 
        └─⟦this⟧

TextFile

%!PS-Adobe-1.0
%%Title: krbdoc3.mss
%%DocumentFonts: (atend)
%%Creator: Donald T. Davis,,,, and Scribe 5(1501)
%%CreationDate: 17 March 1989 18:12
%%Pages: (atend)
%%EndComments
% PostScript Prelude for Scribe.
/BS {/SV save def 0.0 792.0 translate .01 -.01 scale} bind def
/ES {showpage SV restore} bind def
/SC {setrgbcolor} bind def
/FMTX matrix def
/RDF {WFT SLT 0.0 eq
  {SSZ 0.0 0.0 SSZ neg 0.0 0.0 FMTX astore}
  {SSZ 0.0 SLT sin SLT cos div SSZ mul SSZ neg 0.0 0.0 FMTX astore}
  ifelse makefont setfont} bind def
/SLT 0.0 def
/SI { /SLT exch cvr def RDF} bind def
/WFT /Courier findfont def
/SF { /WFT exch findfont def RDF} bind def
/SSZ 1000.0 def
/SS { /SSZ exch 100.0 mul def RDF} bind def
/AF { /WFT exch findfont def /SSZ exch 100.0 mul def RDF} bind def
/MT /moveto load def
/XM {currentpoint exch pop moveto} bind def
/UL {gsave newpath moveto dup 2.0 div 0.0 exch rmoveto
   setlinewidth 0.0 rlineto stroke grestore} bind def
/LH {gsave newpath moveto setlinewidth
   0.0 rlineto
   gsave stroke grestore} bind def
/LV {gsave newpath moveto setlinewidth
   0.0 exch rlineto
   gsave stroke grestore} bind def
/BX {gsave newpath moveto setlinewidth
   exch
   dup 0.0 rlineto
   exch 0.0 exch neg rlineto
   neg 0.0 rlineto
   closepath
   gsave stroke grestore} bind def
/BX1 {grestore} bind def
/BX2 {setlinewidth 1 setgray stroke grestore} bind def
/PB {/PV save def translate 100.0 -100.0 scale pop} bind def
/PE {PV restore} bind def
/SH /show load def
/MX {exch show 0.0 rmoveto} bind def
/W {0 32 4 -1 roll widthshow} bind def
/WX {0 32 5 -1 roll widthshow 0.0 rmoveto} bind def
%%EndProlog
%%Page: 0 1 
BS
0 SI
10 /Helvetica AF
24931 13689 MT
(Workstation Services and)SH
25264 15115 MT
(Kerberos Authentication)SH
26764 16541 MT
(at Project Athena)SH
25987 39609 MT
(Don Davis, MIT Staff)SH
22292 41035 MT
(Ralph Swick, Digital Equipment Corp.)SH
28654 42461 MT
(03/17/89)SH
ES
%%Page: 1 2 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(1)SH
12 SS 
9576 10451 MT
(Introduction)SH
10 /Helvetica AF
12356 11877 MT
(This document proposes solutions for two problems obstructing Project Athena's)SH
9576 13303 MT
(implementation of workstation services.)SH
12356 15870 MT
(The principal problem is that workstation services demand a more flexible mutual-)SH
9576 17296 MT
(authentication protocol than Kerberos currently provides.  The egregious X access-control)SH
9576 18722 MT
(hack, xhost, for example, has lack of authentication as its root cause.  This protocol weakness)SH
9576 20148 MT
(is also the reason that public workstations can't accept authenticated connections from rlogin,)SH
9576 21574 MT
(rcp, rsh, etc.  We propose an extension to the Kerberos Ticket Granting Service protocol, that)SH
9576 23000 MT
(cleanly supports user-to-user mutual authentication.)SH
12356 25567 MT
(Our second proposal addresses the problem of ticket propagation.  Currently, if a user)SH
9576 26993 MT
(wants tickets that are valid on a remote host, he has to run kinit in an encrypted rlogin session,)SH
9576 28419 MT
(unless he's willing to send his password in cleartext.  As an example of the use of our protocol)SH
9576 29845 MT
(extension, we describe a Kerberos application that would support a limited facility for secure)SH
9576 31271 MT
(ticket-propagation.)SH
12 /Helvetica-Bold AF
9576 35026 MT
(Authentication of Workstation Services)SH
11 SS 
9576 38708 MT
(Problem to be Solved)SH
10 /Helvetica AF
12356 40134 MT
(Public workstation users can't offer authenticated network services.  Currently, only)SH
9576 41560 MT
(physically secure hosts can offer such services, because Kerberos' client-to-server)SH
9576 42986 MT
(authentication requires each server to store its private key locally.  Public workstations are)SH
9576 44412 MT
(insecure, so we can't extend this approach to workstations' services.)SH
8 SS 
25139 46628 MT
(1)SH
10 SS 
12356 46979 MT
(The basic Kerberos protocol,)SH
26591 XM
(which allows a user to gain a service ticket in exchange)SH
9576 48405 MT
(for a password, is not at fault in this problem.  In fact, the basic protocol, lacking the)SH
9576 49831 MT
(complications of TGTs and)SH
/Helvetica-Oblique SF
21747 XM
(srvtab)SH
/Helvetica SF
(, offers a trivial, albeit limited, solution:  Kerberos can supply)SH
8 SS 
48780 50906 MT
(2)SH
10 SS 
9576 51257 MT
(anyone who asks with an encrypted key/ticket pair of the form {K)SH
40341 XM
(,..., { T)SH
44699 XM
(} K)SH
46823 XM
(} K)SH
48502 XM
(.)SH
50510 XM
(Of)SH
8 SS 
38145 51608 MT
(c,sp)SH
43232 XM
(c,sp)SH
45978 XM
(sp)SH
48102 XM
(c)SH
10 SS 
9576 52683 MT
(course, the keys K)SH
18480 XM
(and K)SH
22216 XM
(are private keys, so both client and server must enter their)SH
8 SS 
17802 53034 MT
(c)SH
21093 XM
(sp)SH
10 SS 
9576 54109 MT
(passwords each time they make a connection.  The problem, restated, is thus to relieve users)SH
9576 55535 MT
(of the frequent need to enter their passwords.)SH
12356 58102 MT
(The clients' half of this problem has been completely solved by the Ticket-Granting-)SH
9576 59528 MT
(Ticket \050TGT\051 protocol.  Athena has addressed the servers' half of the problem, but only weakly,)SH
9576 60954 MT
(by storing each server's private key in)SH
/Helvetica-Oblique SF
26582 XM
(srvtab)SH
/Helvetica SF
(. Thus,)
278 W( clients and servers currently use)SH
/Helvetica-Oblique SF
9576 62380 MT
(user-to-host)SH
/Helvetica SF
15189 XM
(authentication. This)
278 W( doesn't work on public workstations, for two reasons:)SH
10800 50 9576 64568 UL
6 SS 
10466 65963 MT
(1)SH
8 SS 
10800 66276 MT
(Needham & Schroeder's 1978 protocol, plus timestamps. See:  Roger M. Needham and Michael D. Schroeder,)SH
9576 67230 MT
("Using Encryption for Authentication in Large Networks of Computers". CACM Vol. 21, No. 12, Dec. 1978, pp.)SH
9576 68184 MT
(993-999.)SH
6 SS 
10466 69779 MT
(2)SH
8 SS 
10800 70092 MT
(Here, the subscripts "c" & "sp" refer to the client and service-provider, respectively.  The ellipsis represents our)SH
9576 71046 MT
(omission of the timestamp, server's ID, and other data.  Otherwise, our notation follows Steiner, Neuman, & Schiller,)SH
9576 72000 MT
("Kerberos: An Authentication Service for Open Network Systems", USENIX Winter Conference, February, 1988.)SH
ES
%%Page: 2 3 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(2)SH
/Symbol SF
11618 10376 MT
(\267)SH
/Helvetica SF
12356 XM
(Public workstations are vulnerable to various privacy attacks, and hence cannot)SH
12356 11519 MT
(securely hold any long-lived secret.)SH
/Symbol SF
11618 13334 MT
(\267)SH
/Helvetica SF
12356 XM
(In most cases, what we really want is user-to-user, not user-to-host,)SH
12356 14477 MT
(authentication.)SH
12356 17044 MT
(An immediate corollary of public workstations' insecurity is that idle public workstations')SH
9576 18470 MT
(services cannot be authenticated, because insecure hosts can readily be impersonated in any)SH
9576 19896 MT
(protocol. Thus,)
278 W( we believe that no general user-to-host scheme can embrace public)SH
9576 21322 MT
(workstations. Accordingly,)
278 W( this proposal will address only the goal of a fully general user-to-)SH
9576 22748 MT
(user mutual authentication protocol.  A user-to-user protocol raises the problem of dynamically)SH
9576 24174 MT
(mapping users to hosts, but we will not address such mapping in this document.)SH
11 /Helvetica-Bold AF
9576 27856 MT
(Constraints on Solutions)SH
10 /Helvetica AF
9854 29539 MT
(These are non-negotiable, in case you're wondering:)SH
11800 31222 MT
(1.)SH
12912 XM
(We can't add state to the Kerberos server's process at all.)SH
11800 33037 MT
(2.)SH
12912 XM
(We can't add frequently-changing state to the Kerberos database.)SH
11800 34852 MT
(3.)SH
12912 XM
(We should make at most one transaction with Kerberos per connection.)SH
11800 36667 MT
(4.)SH
12912 XM
(More generally, loading the Kerberos server is always to be avoided.)SH
11800 38482 MT
(5.)SH
12912 XM
(No infinite-life keys \050 like)SH
/Helvetica-Oblique SF
23970 XM
(srvtab)SH
/Helvetica SF
('s\051 can be stored on an insecure host \050 for)SH
12912 39625 MT
(example, public workstations\051.)SH
12356 41051 MT
(Constraints 1 - 4 are "scaling issues".  Constraints 1 and 2 limit the difficulty of)SH
9576 42477 MT
(replicating Kerberos with slave servers.  As a consequence of Constraint 1, Kerberos can)SH
9576 43903 MT
(never initiate any protocol, because to ask for something requires that Kerberos await the)SH
9576 45329 MT
(response, which requires process-state.  For the same reason, Kerberos can't measure time)SH
9576 46755 MT
(intervals at all.)SH
11 /Helvetica-Bold AF
9576 50437 MT
(Discussion of the Problem)SH
10 /Helvetica AF
12356 51863 MT
(If the server workstation is to autonomously authenticate on its user's behalf, it will have)SH
9576 53289 MT
(to store a secret that only the user and Kerberos share; this is axiomatic.  Furthermore,)SH
8 SS 
39866 54364 MT
(3)SH
10 SS 
9576 54715 MT
(because the workstation's secret could be compromised at any time,)SH
41318 XM
(this secret must be)SH
9576 56141 MT
(short-lived. We)
278 W( propose to use the user's session-key with the TGS as the "service secret".)SH
12356 58708 MT
(Then Kerberos' most natural response to a service-ticket request takes the form)SH
9576 60134 MT
({ K)SH
13051 XM
(,..., { T)SH
17409 XM
(} K)SH
20822 XM
(} K)SH
23790 XM
(. Unhappily,)
278 W( it is not straightforward to enable Kerberos to)SH
8 SS 
10855 60485 MT
(c,sp)SH
15942 XM
(c,sp)SH
18688 XM
(sp,tgs)SH
22101 XM
(c,tgs)SH
10 SS 
9576 61560 MT
(build such a response.  If Kerberos is to use both users' TGS session keys to encrypt the)SH
8 SS 
33916 62635 MT
(4)SH
10 SS 
9576 62986 MT
(service-ticket, Kerberos must receive both users' TGTs)SH
35368 XM
(simultaneously. Note)
278 W( that)SH
9576 64412 MT
(Constraint 1 implies that Kerberos cannot judge "simultaneity" of these tickets' arrival, unless)SH
9576 65838 MT
(they arrive together in one message.)SH
10800 50 9576 68384 UL
6 SS 
10466 69779 MT
(3)SH
8 SS 
10800 70092 MT
(via an unattended console, for example.)SH
6 SS 
10466 71687 MT
(4)SH
8 SS 
10800 72000 MT
(To a good approximation, C's TGT = { C, time/life, K)SH
30496 XM
(} K)SH
32903 XM
(.)SH
6 SS 
29228 72313 MT
(c,tgs)SH
31519 XM
(tgs)SH
ES
%%Page: 3 4 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(3)SH
/Helvetica SF
12356 10305 MT
(It is troublesome, though, for one user to pass both TGTs to Kerberos, because the TGT)SH
9576 11731 MT
(protocol requires that each TGT be presented to Kerberos with a time-stamped authenticator.)SH
9576 13157 MT
(Further, the TGT protocol has no provision for one user to present another user's credentials.)SH
9576 14583 MT
(However, for one user to possess another's TGT is actually neither troublesome nor)SH
9576 16009 MT
(remarkable, since in order to use the TGT, any impersonator would need the corresponding)SH
9576 17435 MT
(session key.  Indeed, when any user requests service tickets, he sends his TGT along in a)SH
9576 18861 MT
(cleartext request, making the TGT available to anyone on the net.)SH
12356 21428 MT
(The source of the TGT protocol's "crossed-credentials" prohibition, is a flawed analogy)SH
9576 22854 MT
(between TGTs and service tickets.  The basic Kerberos protocol requires that a user present)SH
9576 24280 MT
(an authenticator when using his service ticket, so as to prevent replay of service tickets.  The)SH
9576 25706 MT
(TGT protocol conservatively makes the same requirement, on the assumption that what is)SH
9576 27132 MT
(secure for other services, is secure for the ticket granting service.  But, in fact, a TGT-mediated)SH
9576 28558 MT
(service ticket request is actually more analogous to the basic Kerberos ticket-request, which)SH
9576 29984 MT
(does not include an authenticator: neither request can usefully be replayed, because the TGS')SH
9576 31410 MT
(responses are always encrypted in the requester's key.)SH
12356 33977 MT
(Thus, in essence, a principal authenticates himself by using his secret key; reading an)SH
9576 35403 MT
(encrypted message serves this purpose as well as does sending an encrypted authenticator,)SH
9576 36829 MT
(and doing both is redundant.  Further, Kerberos' role is not to authenticate the service's)SH
9576 38255 MT
(principals, but to enable the principals to authenticate one another.  Thus, we argue that the)SH
9576 39681 MT
(TGT-protocol's authenticator requirement can safely be relaxed, so as to allow either member)SH
8 SS 
33584 40756 MT
(5)SH
10 SS 
9576 41107 MT
(of a client-server pair to present both members' TGTs.)SH
11 /Helvetica-Bold AF
9576 44510 MT
(Notation)SH
10 /Helvetica AF
12356 45961 MT
(We introduce the notation t)SH
26052 XM
(for the conversation key K)SH
39080 XM
(, service-id, ticket lifetime,)SH
8 SS 
24307 46312 MT
(c,sp)SH
37613 XM
(c,sp)SH
10 SS 
9576 47387 MT
(and other data, that accompany the service ticket in a credentials message from Kerberos.)SH
8 SS 
33686 48462 MT
(6)SH
10 SS 
9576 48813 MT
(The identity T)SH
17379 XM
(== \050C, t)SH
22181 XM
(\051 is a good approximation.)SH
35416 XM
(Thus, what we've represented as)SH
8 SS 
15634 49164 MT
(c,sp)SH
20714 XM
(c,sp)SH
10 SS 
16776 50496 MT
({ K)SH
20251 XM
(,...,{ T)SH
24331 XM
(} K)SH
28022 XM
(} K)SH
8 SS 
18055 50847 MT
(c,sp)SH
22864 XM
(c,sp)SH
25610 XM
(sp,tgs)SH
29301 XM
(c,tgs)SH
10 SS 
9576 52179 MT
(is properly written)SH
18234 53862 MT
({ t)SH
21320 XM
(,{ T)SH
24288 XM
(} K)SH
27979 XM
(} K)SH
8 SS 
19124 54213 MT
(c,sp)SH
22821 XM
(c,sp)SH
25567 XM
(sp,tgs)SH
29258 XM
(c,tgs)SH
10 SS 
9576 55545 MT
(As mentioned above, our notation otherwise follows Steiner, Neuman, and Schiller [88].)SH
10800 50 9576 66406 UL
6 SS 
10466 67801 MT
(5)SH
8 SS 
10800 68114 MT
(Actually, the TGS protocol could retain the authenticator requirement, if the TGS were willing to unseal TGT)SH
49672 XM
(after)SH
6 SS 
48816 68427 MT
(sp)SH
8 SS 
9576 69138 MT
(verifying the credentials in TGT)SH
20947 XM
(. This)
222 W( would preserve some accountabilty for one kind of service-denial attack.)SH
6 SS 
20647 69451 MT
(c)SH
10466 70733 MT
(6)SH
8 SS 
10800 71046 MT
(The Kerberos Request For Comments \050RFC\051, currently in preparation, is the best reference for the existing)SH
9576 72000 MT
(protocol's message contents.)SH
ES
%%Page: 4 5 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(4)SH
11 SS 
9576 10378 MT
(Our Proposed Solution)SH
10 /Helvetica AF
12356 11804 MT
(We've chosen to have the client do the talking with Kerberos, because to do so requires)SH
9576 13230 MT
(time-out state, which burden can't be borne by all application servers.  An added benefit of this)SH
9576 14656 MT
(choice, is that if a network connectivity fault separates a server from Kerberos, some of its)SH
9576 16082 MT
(clients will still be able to authenticate.)SH
11800 18840 MT
(1.)SH
12912 XM
(Client C asks server SP for service, in cleartext.)SH
20112 20523 MT
(C ----> SP)
SH( :)451 W
27312 XM
(\050 C wants SP \051)SH
11800 23481 MT
(2.)SH
12912 XM
(SP sends its TGT, but not its session-key, to C.)SH
20112 25164 MT
(SP ----> C)
SH( :)451 W
27312 XM
({ T)SH
30669 XM
(}K)SH
8 SS 
28535 25515 MT
(sp,tgs)SH
31670 XM
(tgs)SH
10 SS 
11800 28122 MT
(3.)SH
12912 XM
(C asks Kerberos for a service ticket, sending SP's TGT and C's own TGT.)SH
20112 29805 MT
(C ----> Krb)
SH( :)451 W
27312 XM
(\050 { T)SH
30835 XM
(}K)SH
33632 XM
(, { T)SH
37545 XM
(}K)SH
39613 XM
(\051)SH
8 SS 
29146 30156 MT
(c,tgs)SH
31836 XM
(tgs)SH
35411 XM
(sp,tgs)SH
38546 XM
(tgs)SH
10 SS 
11800 32763 MT
(4.)SH
12912 XM
(In response, Kerberos:)SH
/Symbol SF
14954 34235 MT
(\267)SH
/Helvetica SF
15692 XM
(decrypts the two TGTs, yielding the users' names and TGS session keys;)SH
/Symbol SF
14954 36050 MT
(\267)SH
/Helvetica SF
15692 XM
(prepares a new session key K)SH
30776 XM
(for C and SP to share;)SH
8 SS 
29031 36401 MT
(c,sp)SH
10 /Symbol AF
14954 37865 MT
(\267)SH
/Helvetica SF
15692 XM
(composes service-ticket contents T)SH
33053 XM
(from the TGTs' name-fields, the)SH
8 SS 
31308 38216 MT
(c,sp)SH
10 SS 
15692 39116 MT
(new session key, and other data;)SH
/Symbol SF
14954 40931 MT
(\267)SH
/Helvetica SF
15692 XM
(uses SP's TGS session key K)SH
31331 XM
(to encrypt the ticket contents into a)SH
8 SS 
28919 41282 MT
(sp,tgs)SH
10 SS 
15692 42182 MT
(service ticket;)SH
/Symbol SF
14954 43997 MT
(\267)SH
/Helvetica SF
15692 XM
(sends the service ticket, the new session key, and other credentials to C,)SH
15692 45140 MT
(encrypted in C's TGS session key K)SH
34060 XM
(.)SH
8 SS 
31642 45491 MT
(c,tgs)SH
10 SS 
20112 46823 MT
(Krb ----> C)
SH( :)451 W
27312 XM
({ t)SH
30398 XM
(, { T)SH
33644 XM
(} K)SH
37057 XM
(} K)SH
8 SS 
28202 47174 MT
(c,sp)SH
32177 XM
(c,sp)SH
34923 XM
(sp,tgs)SH
38336 XM
(c,tgs)SH
10 SS 
11800 49781 MT
(5.)SH
12912 XM
(On receipt of the ticket/key pair, C:)SH
/Symbol SF
14954 51253 MT
(\267)SH
/Helvetica SF
15692 XM
(uses C's TGS session key to decrypt the credentials, yielding the new)SH
15692 52396 MT
(session key K)SH
24057 XM
(, the service ticket, and other data;)SH
8 SS 
21861 52747 MT
(c,sp)SH
10 /Symbol AF
14954 54211 MT
(\267)SH
/Helvetica SF
15692 XM
(checks the service-provider's name and the timestamp in t)SH
43675 XM
(,)SH
8 SS 
41479 54562 MT
(c,sp)SH
10 /Symbol AF
14954 56026 MT
(\267)SH
/Helvetica SF
15692 XM
(uses K)SH
20494 XM
(to encrypt an authenticator, and)SH
8 SS 
18749 56377 MT
(c,sp)SH
10 /Symbol AF
14954 57841 MT
(\267)SH
/Helvetica SF
15692 XM
(sends the service-ticket and authenticator to SP.)SH
20112 59524 MT
(C ----> SP)
SH( :)451 W
27312 XM
(\050 { Auth)SH
30992 XM
(} K)SH
34467 XM
(, { T)SH
37713 XM
(} K)SH
41126 XM
(\051)SH
8 SS 
30592 59875 MT
(c)SH
32271 XM
(c,sp)SH
36246 XM
(c,sp)SH
38992 XM
(sp,tgs)SH
10 SS 
11800 62482 MT
(6.)SH
12912 XM
(On receipt of the ticket-authenticator pair, SP:)SH
/Symbol SF
14954 63954 MT
(\267)SH
/Helvetica SF
15692 XM
(uses SP's TGS session key to decrypt the ticket, gaining K)SH
43844 XM
(;)SH
8 SS 
41648 64305 MT
(c,sp)SH
10 /Symbol AF
14954 65769 MT
(\267)SH
/Helvetica SF
15692 XM
(checks the names and the lifetime in T)SH
34951 XM
(,)SH
8 SS 
32755 66120 MT
(c,sp)SH
10 /Symbol AF
14954 67584 MT
(\267)SH
/Helvetica SF
15692 XM
(uses K)SH
20494 XM
(to decrypt C's authenticator, and)SH
8 SS 
18749 67935 MT
(c,sp)SH
10 /Symbol AF
14954 69399 MT
(\267)SH
/Helvetica SF
15692 XM
(uses K)SH
20494 XM
(to encrypt a corresponding authenticator of its own, which it)SH
8 SS 
18749 69750 MT
(c,sp)SH
10 SS 
15692 70650 MT
(returns to C \050optional for physically-secure services\051.)SH
ES
%%Page: 5 6 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(5)SH
/Helvetica SF
20112 10305 MT
(SP ----> C)
SH( :)
451 W( { Auth)SH
29439 XM
(} K)SH
8 SS 
28594 10656 MT
(sp)SH
30718 XM
(c,sp)SH
10 SS 
11800 13263 MT
(7.)SH
12912 XM
(For each additional connection, C and SP need to repeat only messages 5 and 6)SH
12912 14406 MT
(\050optional\051.)SH
12356 16973 MT
(Step 1 seeks to verify that SP is in fact available at the message's destination; since)SH
9576 18399 MT
(Kerberos will not be handling user-to-host)SH
/Helvetica-Oblique SF
28306 XM
(mapping)SH
/Helvetica SF
(, such a query is probably desirable in any)SH
9576 19825 MT
(user-to-user authentication protocol.  Step 2 serendipitously offers a solution to the difficult)SH
9576 21251 MT
(problem that a client can't distinguish in his ticket file between two identically-named service)SH
9576 22677 MT
(tickets: we)
278 W( propose that the SP's TGT is just the handle we need.  Indeed, we propose that if)SH
9576 24103 MT
(two services have the same name and the same TGT, they)SH
/Helvetica-Oblique SF
36032 XM
(should)SH
/Helvetica SF
39256 XM
(be indistinguishable.)SH
12356 26670 MT
(Note also that in step 3, C specifies SP not by name, but by giving SP's TGT.  In step 4,)SH
9576 28096 MT
(the TGS uses the TGTs' name-fields to build C's credentials, thereby securely identifying C)SH
9576 29522 MT
(and SP to one another as the owners of the key K)SH
33112 XM
(. Thus,)
278 W( C's and SP's checks of the)SH
8 SS 
31645 29873 MT
(c,sp)SH
10 SS 
9576 30948 MT
(credentials' name-fields foils intruders' replay of TGTs in the unauthenticated messages 2 and)SH
9576 32374 MT
(3.)SH
12356 34941 MT
(Note finally that Kerberos, to support this protocol, doesn't need access to the database,)SH
9576 36367 MT
(but needs only the TGS' service-key K)SH
27650 XM
(. Thus,)
278 W( our proposed changes affect only Kerberos')SH
8 SS 
26583 36718 MT
(tgs)SH
10 SS 
9576 37793 MT
(Ticket Granting Service; the Kerberos database would not be changed.)SH
11 /Helvetica-Bold AF
9576 41475 MT
(Ticket Lifetimes and Renewal)SH
10 /Helvetica AF
12356 42901 MT
(The protocol we've presented so far, doesn't support ticket renewal.  The service ticket)SH
8 SS 
39086 43976 MT
(7)SH
10 SS 
9576 44327 MT
(is timestamped to expire as soon as either principal's TGT expires.)SH
40816 XM
(Whenever either user)SH
9576 45753 MT
(runs kinit to refresh her TGT, the client and service-provider processes need to be able to)SH
9576 47179 MT
(renew their conversation key and service ticket.  This renewal of session credentials should)SH
9576 48605 MT
(proceed invisibly to the users.)SH
12356 51172 MT
(There are three expiration/renewal scenarios:)SH
/Symbol SF
11618 52644 MT
(\267)SH
/Helvetica SF
12356 XM
(Servers' right to accept connections should expire with their TGTs; all remaining)SH
12356 53787 MT
(clients' service-tickets will expire simultaneously.  These clients should renew their)SH
12356 54930 MT
(service-tickets only when they need a fresh connection.)SH
/Symbol SF
11618 56745 MT
(\267)SH
/Helvetica SF
12356 XM
(Clients' right to use a conversation key in an established service-connection may)SH
12356 57888 MT
(expire, if the service applies the service-ticket lifetime to the conversation key.)SH
/Symbol SF
11618 59703 MT
(\267)SH
/Helvetica SF
12356 XM
(Established client/server sessions may wish to change their conversation keys)SH
12356 60846 MT
(periodically, even if the service-ticket doesn't expire.)SH
12356 63413 MT
(Service-ticket lifetime enforcement must be coded into the application-servers, as is)SH
9576 64839 MT
(done now.  Clients should not try to enforce anticipated lifetimes on tickets, because servers)SH
9576 66265 MT
(may have idiosyncratic lifetime-rules.  Once the client realizes that it needs a new ticket/key)SH
9576 67691 MT
(pair, all three types of renewal require that the client talk again to Kerberos with up-to-date)SH
10800 50 9576 70292 UL
6 SS 
10466 71687 MT
(7)SH
8 SS 
10800 72000 MT
(This assumes that the maximal service-ticket lifetime == TGT lifetime.  These lifetimes may be different.)SH
ES
%%Page: 6 7 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(6)SH
/Helvetica SF
9576 10305 MT
(TGTs. Thus,)
278 W( in step 4, Kerberos should be able to respond to out-of-date TGTs with an)SH
9576 11731 MT
(error-code that tells which TGT has expired, so that the client-user can know what to do.)SH
11 /Helvetica-Bold AF
9576 15413 MT
(User-To-Host Authentication)SH
10 /Helvetica AF
12356 16839 MT
(Should this protocol supplant or supplement the existing protocol?  The main argument)SH
9576 18265 MT
(for grandfathering is that large-scale servers are typically secure, so they needn't bear the cost)SH
9576 19691 MT
(of the extra exchange 1 - 2.)SH
/Helvetica-Oblique SF
22306 XM
(A fortiori)SH
/Helvetica SF
(, some services don't grant connections, but just want to)SH
9576 21117 MT
(accept authenticated messages, and therefore should use the briefest protocol possible.)SH
12356 23684 MT
(We propose nevertheless to replace the existing user-to-host protocol with our protocol.)SH
9576 25110 MT
(Our main concern is that the Kerberos protocol should not become any more unweildy than it)SH
9576 26536 MT
(is already.  Further, grandfathering the existing protocol will probably complicate programs like)SH
9576 27962 MT
(rlogin, which will need to use both user-to-user and user-to-host authentication.)SH
12356 30529 MT
(A physically-secure server would still keep a host-principal private key in)SH
/Helvetica-Oblique SF
44588 XM
(srvtab)SH
/Helvetica SF
(, but)SH
9576 31955 MT
(would use the key to get a TGT; its daemons would use the TGT in this protocol in order to)SH
8 SS 
44089 33030 MT
(8)SH
10 SS 
9576 33381 MT
(accept connections.  This arrangement is also necessary for insecure servers,)SH
45541 XM
(where)SH
9576 34807 MT
(administrators can't leave their personal TGTs unattended.)SH
12356 37374 MT
(Hosts' TGTs should be non-expiring; otherwise, our protocol's uniformity comes at the)SH
9576 38800 MT
(cost of these hosts having to maintain up-to-date TGTs.  After all, such long-lived session-keys)SH
9576 40226 MT
(wouldn't be any more vulnerable to cryptanalytic attack than)SH
/Helvetica-Oblique SF
36366 XM
(srvtab)SH
/Helvetica SF
39367 XM
(keys are now.  In the worst)SH
9576 41652 MT
(case, a Kerberos application can read)SH
/Helvetica-Oblique SF
26640 XM
(srvtab)SH
/Helvetica SF
29641 XM
(to renew short-lived TGTs automatically.)SH
11 /Helvetica-Bold AF
9576 45334 MT
(Naming and Authorization Issues)SH
10 /Helvetica AF
12356 46760 MT
(A service-provider may wish to destroy his normal tickets before offering services to the)SH
9576 48186 MT
(network, so as to protect his client-identity from theft.  Ideally, only unattended servers and)SH
9576 49612 MT
(cycle-servers \050rlogin etc.\051  would need this precaution, but in principle, we shouldn't assume)SH
9576 51038 MT
(that even X servers and fingerds aren't providing more access than we expect.  Thus, a)SH
9576 52464 MT
(service-provider should be able to enter our protocol with something other than a normal user)SH
9576 53890 MT
(TGT in hand.  This section discusses the consequences of introducing)SH
/Helvetica-Oblique SF
40924 XM
(service instances)SH
/Helvetica SF
48871 XM
(to)SH
9576 55316 MT
(Kerberos.)SH
12356 57883 MT
(Lacking normal TGTs, a server should be able to enter our protocol with a service-)SH
9576 59309 MT
(instance TGT, in the name)SH
/Helvetica-Oblique SF
21637 XM
(username)SH
/Helvetica SF
(.)SH
/Helvetica-Oblique SF
(service)SH
/Helvetica SF
(@)SH
/Helvetica-Oblique SF
(realm)SH
/Helvetica SF
(. The)
278 W( Kerberos protocol makes no)SH
9576 60735 MT
(restrictions on how many different instances a user may use to authenticate himself, but)SH
9576 62161 MT
(service-instances do present several problems:)SH
11800 63562 MT
(1.)SH
12912 XM
(Currently, the service-administrator will have to enter a separate password in)SH
12912 64705 MT
(order to gain each service-instance TGT.)SH
11800 66520 MT
(2.)SH
12912 XM
(The service-administrator will have no assurance that all network services will)SH
12912 67663 MT
(keep his service-instances' and client-instances' access separate.)SH
10800 50 9576 70292 UL
6 SS 
10466 71687 MT
(8)SH
8 SS 
10800 72000 MT
(At MIT's Laboratory for Computer Science, one of the Kerberos beta-sites,)SH
/Helvetica-Oblique SF
37341 XM
(no)SH
/Helvetica SF
38453 XM
(servers are physically secure.)SH
ES
%%Page: 7 8 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(7)SH
/Helvetica SF
11800 10305 MT
(3.)SH
12912 XM
(With a server-instance available, some clients will have to decide at connect-time)SH
12912 11448 MT
(whether to use a service which lacks the access of a client instance.)SH
11800 13263 MT
(4.)SH
12912 XM
(If each user has a service-instance for each service he can offer, this)SH
12912 14406 MT
(proliferation will not merely add to the Kerberos Database's bulk, but will multiply)SH
12912 15549 MT
(it, probably by the number of workstation-services.)SH
12356 18116 MT
(The service instance will act as a proxy for the service-administrator and for the client,)SH
9576 19542 MT
(because we anticipate that daemons will often need to provide "piggybacked services."  For)SH
9576 20968 MT
(example, one can envision many services' needing their clients' X service \050Note that)SH
9576 22394 MT
(piggybacked services generally shouldn't require that clients propagate their tickets\051.  Proxies)SH
9576 23820 MT
(definitionally require an authorization mechanism.  Here, because the service instance's TGT)SH
9576 25246 MT
(does double duty, the authorization needs of the client and service-administrator conflict.)SH
9576 26672 MT
(Specifically, the service-instance should not enjoy any of the service-administrator's client)SH
9576 28098 MT
(access, yet it must act as a client to serve its own clients.  This conflict narrowly constrains our)SH
9576 29524 MT
(definition of a service instance's authorization.)SH
12356 32091 MT
(To fully support piggybacked services, all application-protocols will have to restrict)SH
9576 33517 MT
(service-instances' authorization.  Further, the usual access-control files will probably not)SH
9576 34943 MT
(suffice. We)
278 W( expect users' access-control lists to be quite volatile in the presence of workstation)SH
9576 36369 MT
(services, so that memory-cached lists will be necessary.  This volatility will therefore probably)SH
9576 37795 MT
(require a sophisticated authorization library and some kind of centralized authorization)SH
8 SS 
13189 38870 MT
(9)SH
10 SS 
9576 39221 MT
(support.)SH
14919 XM
(We do not propose to implement an authorization service soon.)SH
12356 41788 MT
(If we disallow piggybacked workstation services, the service-instance need no longer be)SH
9576 43214 MT
(the clients' proxy, so much less central support can still relieve application-protocols of service-)SH
9576 44640 MT
(instance restrictions.  It would suffice to allow a service-provider to spawn a single "weak")SH
9576 46066 MT
(service-instance named, perhaps,)SH
/Helvetica-Oblique SF
24860 XM
(username)SH
/Helvetica SF
(.)SH
/Helvetica-Bold SF
(weak)SH
/Helvetica SF
(@)SH
/Helvetica-Oblique SF
(realm)SH
/Helvetica SF
(, which the TGS would reject as a)SH
9576 47492 MT
(client unauthorized for TGS.  "Spawn" here, means that these weak instances would)SH
/Helvetica-Oblique SF
47137 XM
(not)SH
/Helvetica SF
9576 48918 MT
(appear in the Kerberos Database, but would gain TGTs on the strength of a normal instance's)SH
9576 50344 MT
(password or TGT.)SH
12356 52911 MT
(An intergrade solution is possible as well, but is much less attractive:  service instances)SH
9576 54337 MT
(would be spawned as above, but their instance-fields could have a variety of values, e.g., "X",)SH
9576 55763 MT
("nfs", etc., which would be tabulated in an ancillary KDB.  Further, these instances would be)SH
9576 57189 MT
(allowed to gain some service tickets, unlike weak instances; the TGS would regulate the)SH
9576 58615 MT
(service instances' access to service-tickets via its own access-control list.)SH
12356 61182 MT
(In summary, we propose that weak instances may prove convenient, but probably aren't)SH
9576 62608 MT
(necessary. In)
278 W( the long run, some sort of authorization service will be necessary, since)SH
9576 64034 MT
(implementors will want to "piggyback" services.  Until we implement one form or another of)SH
9576 65460 MT
(centralized authorization-support, we recommend that)SH
/Helvetica-Oblique SF
33697 XM
(no)SH
/Helvetica SF
35087 XM
(service instances be created.)SH
10800 50 9576 68384 UL
6 SS 
10466 69779 MT
(9)SH
8 SS 
10800 70092 MT
(Kerberos was originally named after Hades' three-headed watchdog because it was to provide not only)SH
9576 71046 MT
(authentication service, but authorization and accounting services, too.  As the system developed, these auxiliary)SH
9576 72000 MT
(functions were deferred, on the grounds that authentication proved to be dauntingly subtle by itself.)SH
ES
%%Page: 8 9 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(8)SH
12 SS 
9576 10451 MT
(Ticket Propagation)SH
11 SS 
9576 14133 MT
(Problem to be Solved)SH
10 /Helvetica AF
12356 15559 MT
(Kerberos' current suite of applications doesn't allow users to get tickets for use on)SH
9576 16985 MT
(remote hosts.  Rlogin users sometimes need such tickets in order to authenticate their remote)SH
8 SS 
35474 18060 MT
(10)SH
10 SS 
9576 18411 MT
(sessions, e.g., so as to remotely access their NFS lockers.)SH
37649 XM
(We anticipate that other remote)SH
9576 19837 MT
(processes will need access to their client-users' tickets.)SH
11 /Helvetica-Bold AF
9576 23519 MT
(Constraints on Solutions)SH
10 /Symbol AF
11618 24991 MT
(\267)SH
/Helvetica SF
12356 XM
(Passwords and keys require encrypted transmission.)SH
/Symbol SF
11618 26806 MT
(\267)SH
/Helvetica SF
12356 XM
(The propagated tickets must be created anew for the recipient host; that is, the)SH
12356 27949 MT
(tickets' format must retain the "host id" field.)SH
/Symbol SF
11618 29764 MT
(\267)SH
/Helvetica SF
12356 XM
(Propagation of tickets must require a password; that is, it can't be automatic.  \050to)SH
12356 30907 MT
(prevent "unattended console" ticket-thefts\051.)SH
/Symbol SF
11618 32722 MT
(\267)SH
/Helvetica SF
12356 XM
(The local host must not cache tickets for a remote host \050unattended console)SH
12356 33865 MT
(again\051.)SH
/Symbol SF
11618 35680 MT
(\267)SH
/Helvetica SF
12356 XM
(Propagated should normally have a reduced lifetime, since it's harder for the user)SH
12356 36823 MT
(to destroy them.)SH
/Symbol SF
11618 38638 MT
(\267)SH
/Helvetica SF
12356 XM
(As usual, we prefer not to change the Kerberos protocols.)SH
12356 41879 MT
(Actually, it would probably be safe to allow automatic propagation of reduced-)SH
9576 43305 MT
(authorization tickets, but this is hampered by the difficulty of adding a notion of "reduced)SH
9576 44731 MT
(authorization" to Kerberos.  Until it's better understood, automatic propagation is risky enough)SH
9576 46157 MT
(that Kerberos should only support it, when an application demonstrates an overriding need.)SH
11 /Helvetica-Bold AF
9576 49839 MT
(Discussion of the Problem)SH
10 /Helvetica AF
12356 51265 MT
(We propose a new service, called "rkinit", whose purpose is to transfer tickets on)SH
9576 52691 MT
(encrypted connections.  How will ticket-propagation be used, and how will it work?  Depending)SH
9576 54117 MT
(on whether the donor or the recipient initiates the transfer, we'll distinguish between "pushing")SH
9576 55543 MT
(and "pulling" tickets, respectively.  For example, a user might push tickets to a remote host)SH
9576 56969 MT
(before using rlogin, or he might rlogin first, and then use the remote session to pull his tickets)SH
9576 58395 MT
(after him.)SH
12356 60962 MT
(Pulling is more convenient for rlogin and telnet users, who don't always need remote)SH
9576 62388 MT
(tickets. It)
278 W( would be nice to support both pushing and pulling of tickets at Athena, but only)SH
9576 63814 MT
(pushing is necessary. It's likely, in fact, that only rlogin and other "cycle services" can use)SH
9576 65240 MT
(pulling to advantage, so that it's best to equip those protocols with toggled-encryption.  This)SH
9576 66666 MT
(would allow such users to run \050r\051kinit remotely and securely.)SH
10800 50 9576 70292 UL
6 SS 
10466 71687 MT
(10)SH
8 SS 
11134 72000 MT
(Project Athena's NFS-implementation demands Kerberos authentication for protected accesses.)SH
ES
%%Page: 9 10 
BS
0 SI
10 /Helvetica-Bold AF
30322 4329 MT
(9)SH
11 SS 
9576 10378 MT
(Our Proposed Solution)SH
10 /Helvetica AF
12356 11804 MT
(Pushing is the more elegant approach:)SH
11800 13205 MT
(1.)SH
12912 XM
(The donor requests rkinit service of the receiver host, and uses the resulting)SH
12912 14348 MT
(encrypted connection to identify himself.)SH
11800 16163 MT
(2.)SH
12912 XM
(The receiver rkinitd asks Kerberos for normal tickets in the normal way.  Rkinitd)SH
12912 17306 MT
(then returns Kerberos' encrypted response to the donor.)SH
11800 19121 MT
(3.)SH
12912 XM
(The donor code prompts the user for his password, uses the password to decrypt)SH
12912 20264 MT
(the tickets just as kinit does, checks the tickets for freshness, and returns the)SH
12912 21407 MT
(tickets to the receiver, via the encrypted connection.)SH
11800 23222 MT
(4.)SH
12912 XM
(The receiver host's rkinitd puts the tickets into a ticket-file.)SH
12356 25789 MT
(Pulling is quite hard to implement, because it always requires that the donor-user see a)SH
9576 27215 MT
(remote process' password-prompt.)SH
11800 28616 MT
(1.)SH
12912 XM
(The receiver runs kinit to get tickets, which are encrypted in the donor's private)SH
12912 29759 MT
(key. Kinit must be told the donor's host-name.)SH
11800 31574 MT
(2.)SH
12912 XM
(kinit then calls the donor's host, and uses the receiver-host's administrator's TGT)SH
12912 32717 MT
(to gain an encrypted connection.)SH
11800 34532 MT
(3.)SH
12912 XM
(The encrypted connection can be used to either get a password from the donor,)SH
12912 35675 MT
(or to send the tickets to him for decryption.  In either case, the donor's host must)SH
12912 36818 MT
(raise a password-prompt somewhere.  This is difficult if X-windows aren't)SH
12912 37961 MT
(available, and spoofable even then.  After decrypting the tickets, the donor)SH
12912 39104 MT
(returns them to the receiver.)SH
11800 40919 MT
(4.)SH
12912 XM
(The receiver host's rkinitd puts the tickets into a ticket-file.)SH
12356 43486 MT
(In summary, we propose that rkinit use the pushing protocol.  In either case, rkinitd has)SH
9576 44912 MT
(to be careful to put the tickets into the correct ticket file, if multiple users/sessions are present.)SH
9576 46338 MT
(This is another aspect of Kerberos' naming problem.)SH
12 /Helvetica-Bold AF
9576 50093 MT
(Acknowledgments)SH
10 /Helvetica AF
12356 51519 MT
(Mark Lillibridge and Jon Rochlis helped us solve the problem.  Jennifer Steiner)SH
9576 52945 MT
(suggested the problem statement, and answered many questions.  Jerry Saltzer found a)SH
9576 54371 MT
(security hole in a late draft of this document.  Cliff Neuman, Steve Miller, Mark Eichin, and Stan)SH
9576 55797 MT
(Zanarotti all offered trenchant insights, as we expected.  Dan Geer read and understood at)SH
9576 57223 MT
(least six drafts of this document.)SH
ES
%%Page: 10 11 
BS
0 SI
10 /Helvetica-Bold AF
30044 4329 MT
(10)SH
12 SS 
9576 10451 MT
(Appendix: Proof of Correctness for the Proposed Protocol)SH
8 /Helvetica AF
33474 11526 MT
(11)SH
10 SS 
12356 11877 MT
(This proof uses a formal protocol-analysis logic.)SH
34920 XM
(We begin by breaking step 3 into two)SH
9576 13303 MT
(single-ticket messages, and analyze what happens when the TGS receives a single TGT:)SH
9854 14986 MT
(Let Y)SH
12912 XM
(= \050A<--K)SH
18425 XM
(-->TGS\051, N)SH
24065 XM
(= \050A, time, life\051,)SH
8 SS 
12189 15337 MT
(a)SH
16691 XM
(a,tgs)SH
23342 XM
(a)SH
10 SS 
9576 16237 MT
(and X)SH
12912 XM
(= \050N)SH
16003 XM
(, Y)SH
17671 XM
(, #\050Y)SH
20228 XM
(\051\051)SH
8 SS 
12189 16588 MT
(a)SH
14829 XM
(a)SH
17226 XM
(a)SH
19783 XM
(a)SH
10 SS 
9576 17488 MT
(Then we're analyzing the message)SH
9576 18631 MT
(C --> TGS : {X)SH
16440 XM
(} K)SH
18786 XM
(.)SH
8 SS 
15995 18982 MT
(a)SH
17719 XM
(tgs)SH
10 SS 
9576 19882 MT
(TGS |+ \050Krb<--K)SH
17905 XM
(-->TGS\051 and TGS <\051 {X)SH
28743 XM
(}K)SH
8 SS 
16838 20233 MT
(tgs)SH
28298 XM
(a)SH
29744 XM
(tgs)SH
10 SS 
9576 21133 MT
(so TGS <\051 X)SH
15829 XM
(and TGS |+ Krb |~ X)SH
25299 XM
(, by msg-meaning rule.)SH
8 SS 
15106 21484 MT
(a)SH
24854 XM
(a)SH
10 SS 
9576 22384 MT
(now, the nonce  N)SH
18359 XM
(is principally a lifespan, so TGS |+ #\050N)SH
35764 XM
(\051,)SH
8 SS 
17636 22735 MT
(a)SH
35319 XM
(a)SH
10 SS 
9576 23635 MT
(and TGS |+ Krb |+ X)SH
19046 XM
(, by nonce-verif. rule.)SH
8 SS 
18601 23986 MT
(a)SH
10 SS 
9576 24886 MT
(TGS |+ Krb |+ \050Y)SH
17433 XM
(, #\050Y)SH
19990 XM
(\051\051; we assume that)SH
8 SS 
16988 25237 MT
(a)SH
19545 XM
(a)SH
10 SS 
9576 26137 MT
(TGS |+ Krb => \050Y)SH
17757 XM
(, #\050Y)SH
20314 XM
(\051\051,)SH
8 SS 
17312 26488 MT
(a)SH
19869 XM
(a)SH
10 SS 
9576 27388 MT
(so TGS |+ Y)SH
15756 XM
(and TGS |+ #\050Y)SH
23159 XM
(\051, by jurisdiction rule.)SH
8 SS 
15033 27739 MT
(a)SH
22714 XM
(a)SH
10 SS 
9576 29071 MT
(Substituting C & SP for A in X)SH
23472 XM
(and Y)SH
26530 XM
(, we find that these conclusions provide what we need to)SH
8 SS 
22749 29422 MT
(a)SH
26085 XM
(a)SH
10 SS 
9576 30497 MT
(assume of the keys K)SH
21103 XM
(& K)SH
24849 XM
(.)SH
8 SS 
19136 30848 MT
(c,tgs)SH
22715 XM
(sp,tgs)SH
10 SS 
9854 32180 MT
(The next protocol step is the credentials message:)SH
9576 33323 MT
(Let Y = \050C<--K)SH
17490 XM
(-->SP\051 and X = \050Y, #\050Y\051\051, and)SH
8 SS 
16023 33674 MT
(c,sp)SH
10 SS 
9576 34574 MT
(Z = \050 N)SH
14234 XM
(, X\051)SH
8 SS 
12660 34925 MT
(sp)SH
10 SS 
9576 35825 MT
(Then we're analyzing the message)SH
9576 36968 MT
(TGS --> C: { Z, { C, Z} K)SH
22687 XM
(} K)SH
25655 XM
(.)SH
8 SS 
20275 37319 MT
(sp,tgs)SH
23966 XM
(c,tgs)SH
10 SS 
9576 38219 MT
(we have C |+ \050C<--K)SH
20361 XM
(-->TGS\051, and C <\051 { Z,... } K)SH
34278 XM
(, so)SH
8 SS 
18672 38570 MT
(c,tgs)SH
32589 XM
(c,tgs)SH
10 SS 
9576 39470 MT
(C |+ TGS |~ \050 Z, { C, Z} K)SH
22846 XM
(\051, by msg-meaning rule.)SH
8 SS 
20712 39821 MT
(sp,tgs)SH
10 SS 
9576 40721 MT
(As above, C |+ #\050N)SH
18879 XM
(\051, so C |+ #\050 Z, { C, Z}\051, and)SH
8 SS 
18034 41072 MT
(sp)SH
10 SS 
9576 41972 MT
(C |+ TGS |+ \050 Z, { C, Z} K)SH
22846 XM
(\051, by nonce-verif. rule.)SH
8 SS 
20712 42323 MT
(sp,tgs)SH
10 SS 
9576 43223 MT
(In particular, C |+ TGS |+ X, and we assume that C |+ TGS => X,)SH
9576 44366 MT
(so we have C |+ X, so C |+ Y and C |+ #\050Y\051, as desired.)SH
9576 45509 MT
(Further, we have C <\051 { C, Z} K)SH
25466 XM
(.)SH
8 SS 
23332 45860 MT
(sp,tgs)SH
10 SS 
9576 47795 MT
(Now we analyze the service request, with ticket & authenticator:)SH
9576 48938 MT
(C --> SP: { C, Z} K)SH
19908 XM
(, \050{ N)SH
22531 XM
(, Y}K)SH
/Helvetica-Oblique SF
26222 XM
(signed C)SH
/Helvetica SF
(\051)SH
8 SS 
17774 49289 MT
(sp,tgs)SH
22131 XM
(c)SH
24755 XM
(c,sp)SH
10 SS 
9576 50189 MT
(SP <\051 { C, Z} K)SH
18575 XM
(and SP |+ \050SP<-K)SH
28640 XM
(->TGS\051, so)SH
8 SS 
16163 50540 MT
(sp,tgs)SH
26506 XM
(sp,tgs)SH
10 SS 
9576 51440 MT
(SP |+ TGS |~ \050 C, Z\051. Now, recall that Z = \050 N)SH
30253 XM
(, X\051;)SH
8 SS 
29408 51791 MT
(sp)SH
10 SS 
9576 52691 MT
(as usual, SP |+ #\050 N)SH
19324 XM
(\051, so SP |+ #\050 N)SH
27015 XM
(, X\051,)SH
8 SS 
18479 53042 MT
(sp)SH
26170 XM
(sp)SH
10 SS 
9576 53942 MT
(so SP |+ TGS |+ \050 N)SH
19278 XM
(, X\051, by the nonce-verif. rule.)SH
8 SS 
18433 54293 MT
(sp)SH
10 SS 
9576 55193 MT
(In particular, SP |+ TGS |+ X; we assume SP |+ TGS => X, so SP |+ X.)SH
9576 56336 MT
(That is, SP |+ Y and SP |+ #\050Y\051, as desired.)SH
9576 57479 MT
(Further, SP <\051 \050{ N)SH
18229 XM
(, Y}K)SH
/Helvetica-Oblique SF
21920 XM
(signed C)SH
/Helvetica SF
(\051,)SH
8 SS 
17829 57830 MT
(c)SH
20453 XM
(c,sp)SH
10 SS 
9576 58730 MT
(so SP |+ C |~ \050N)SH
17221 XM
(, Y\051 and SP <\051 \050N)SH
25263 XM
(, Y\051.)SH
8 SS 
16821 59081 MT
(c)SH
24863 XM
(c)SH
10 SS 
9576 59981 MT
(SP |+ #\050N)SH
14321 XM
(\051, so SP |+ #\050N)SH
21289 XM
(, Y\051, so SP |+ C |+ \050N)SH
31046 XM
(, Y\051.)SH
8 SS 
13921 60332 MT
(c)SH
20889 XM
(c)SH
30646 XM
(c)SH
10 SS 
9576 61232 MT
(Thus, SP |+ C |+ Y.)SH
9576 62375 MT
(Since we already have C |+ Y, this completes C's authentication to SP.)SH
9576 64661 MT
(The analysis of SP's responding authenticator is analogous to)SH
9576 65804 MT
(that of C's authenticator.)SH
10800 50 9576 69338 UL
6 SS 
10466 70733 MT
(11)SH
8 SS 
11134 71046 MT
(Michael Burrows, Martin Abadi, and Roger Needham, "Authentication: A Practical Study in Belief and Action".)SH
9576 72000 MT
(\0501987\051 Digital Equipment Corporation Systems Research Center.)SH
ES
%%Page: i 12 
BS
0 SI
10 /Helvetica-Bold AF
30461 4329 MT
(i)SH
12 SS 
25533 10451 MT
(Table of Contents)SH
11 SS 
11412 11695 MT
(Introduction)SH
51012 XM
(1)SH
11412 12939 MT
(Authentication of Workstation Services)SH
51012 XM
(1)SH
10 SS 
13468 14088 MT
(Problem to be Solved)SH
51068 XM
(1)SH
13468 15237 MT
(Constraints on Solutions)SH
51068 XM
(2)SH
13468 16386 MT
(Discussion of the Problem)SH
51068 XM
(2)SH
13468 17535 MT
(Our Proposed Solution)SH
51068 XM
(4)SH
13468 18684 MT
(Ticket Lifetimes and Renewal)SH
51068 XM
(5)SH
13468 19833 MT
(User-To-Host Authentication)SH
51068 XM
(6)SH
13468 20982 MT
(Naming and Authorization Issues)SH
51068 XM
(6)SH
11 SS 
11412 22226 MT
(Ticket Propagation)SH
51012 XM
(8)SH
10 SS 
13468 23375 MT
(Problem to be Solved)SH
51068 XM
(8)SH
13468 24524 MT
(Constraints on Solutions)SH
51068 XM
(8)SH
13468 25673 MT
(Discussion of the Problem)SH
51068 XM
(8)SH
13468 26822 MT
(Our Proposed Solution)SH
51068 XM
(9)SH
11 SS 
11412 28066 MT
(Acknowledgments)SH
51012 XM
(9)SH
11412 29310 MT
(Appendix: Proof of Correctness for the Proposed Protocol)SH
50400 XM
(10)SH
ES
%%Trailer
%%Pages: 12 
%%DocumentFonts: Helvetica Helvetica-Bold Helvetica-Oblique Symbol