directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r905767 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/1.1.6-as.html
Date Fri, 11 Apr 2014 02:30:27 GMT
Author: buildbot
Date: Fri Apr 11 02:30:27 2014
New Revision: 905767

Staging update by buildbot for directory

    websites/staging/directory/trunk/content/   (props changed)

Propchange: websites/staging/directory/trunk/content/
--- cms:source-revision (original)
+++ cms:source-revision Fri Apr 11 02:30:27 2014
@@ -1 +1 @@

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html Fri Apr 11
02:30:27 2014
@@ -152,17 +152,14 @@
 <h1 id="116-as-authentication-server">1.1.6 - AS (Authentication Server)</h1>
 <p>One of the two server components of a <strong>Kerberos</strong> server
is the Authentication Server, which authenticates clients, and issues tickets (<strong>TGT</strong>,
or <em>Ticket Granting Ticket</em>) that the user can send to the <strong>TGS</strong>
to get a service ticket.</p>
 <DIV class="info" markdown="1">
-The **TGT**, or _Ticket Granting Ticket_, is a ticket that a client can use to get a service
ticket. In fact, the authentication server considers the **TGS** as just another service,
and generates a ticket for the user to access this service.
+The <B>TGT</B>, or <EM>Ticket Granting Ticket</EM>, is a ticket that
a client can use to get a service ticket. In fact, the authentication server considers the
**TGS** as just another service, and generates a ticket for the user to access this service.
 <p>The beauty of the <strong>AS</strong> is that it does not verify that
the client issuing a request is a valid client : it just returns a tickat that an attacker
won't be able to process if he does not have the client's password.</p>
 <h2 id="exhanges-between-the-client-and-the-as">Exhanges between the client and the
 <p>As we can see, for the client to get a <strong>TGT</strong>, it's just
a matter of sending a simple request, which is sent without any encryption whatsoever (some
might consider that a BER encoded message is already cryptic enough, though ;-).</p>
 <p>Here is the standard exchange :</p>
-<DIV align="center">
-![Kerberos Authentication with no pre-auth](images/kerberos-as-no-padata.png)
+<p><img alt="Kerberos Authentication with no pre-auth" src="images/kerberos-as-no-padata.png"
 <p>There is still a potential security breach in this scenario : as the server issues
a <strong>TGT</strong> to the client, containing the secret key built using the
user's password, it is possible to decrypt the ticket using a brute force attack (and this
is more likely to happen if the password is weak...)</p>
 <p>Of course, as each ticket has a limited life time, the ticket won't be valid when
the attaker successfully cracked the ticket, but that doesn't matter : the user's password
is now known, and a new ticket can be requested safely, giving access to the services.</p>
 <p><strong>Kerberos 5</strong> introduced a mechanism to workaround this
issue : the user has to provide a proof that he is who he pretends to be. As we can see, it
defeats the premise we made : the <strong>Kerberos</strong> still wants to check
the users...</p>
@@ -170,9 +167,7 @@ The **TGT**, or _Ticket Granting Ticket_
 <h3 id="pre-authentication">Pre-Authentication</h3>
 <p>Now, let's see how does a client 'proves' that he is who he pretends to be. The
protocol allows the server to ask for some proof, by the means of asking the client to send
the server a timestamp encrypted with the user's secret key : if the server can decrypt the
timestamp using the client's secret key, then that proves the client's identity, and now 
the server can send the <strong>TGT</strong>. This exchange is called PreAuthentication.</p>
 <p>Here is the exchange, when  :</p>
-<DIV align="center">
-![Kerberos Authentication with pre-auth](images/kerberos-as-padata.png)
+<p><img alt="Kerberos Authentication with pre-auth" src="images/kerberos-as-padata.png"
     <div class="nav">

View raw message