
security-services message



Subject: Re: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


Tim,

Thanks, so I have just one more round of clarification ;) See below:

ext Tim Alsop wrote:

>Comments below :
>
>-----Original Message-----
>From: John Kemp [mailto:john.kemp@nokia.com] 
>Sent: 04 June 2004 13:08
>To: Tim Alsop
>Cc: p.madsen@entrust.com; security-services@lists.oasis-open.org
>Subject: Re: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>Tim (or anyone else)
>
>So:
>
>i) the pre-authentication is in addition to the "normal" authentication 
>protocol defined by Kerberos. So, although the principal may be passing 
>a password in the authentication request, there may also be some 
>pre-authentication data. Correct?
>Tim> Yes, correct. Except that 'normal' does not involve passing a
>password. There are never any passwords transmitted (or stored anywhere)
>when using the Kerberos protocol.
>
>  
>
Yes, I'm sorry - I didn't mean that the principal is *passing* the 
password in the request. What I meant was that the thing that actually 
authenticates the principal is the password, which is the secret that is 
shared between the KDC and the principal. The KDC encrypts a session key 
with a hash of that password. If the client can decrypt and use that 
subsequently, it is the case that the client possesses the correct shared 
secret.

In authentication context terms, the password is the Principal 
Authentication Mechanism. The Authenticator (the thing passed across the 
network) is a shared secret, used in a challenge-response protocol. 
Specifically, the shared secret that is passed is a session key, 
encrypted using the principal's hashed password.

The pre-authentication method is thus an additional piece of information 
that indicates that the user also authenticated initially to the KDC 
using some mechanism (such as a smart card).

- JohnK
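Added example, not part of the thread: a toy Python model of the exchange John describes. The KDC stores only a key derived from the password, seals a fresh session key under it, and the client proves possession by opening that reply; pre-authentication is modelled as an encrypted timestamp the client sends first. The seal/unseal functions, principal names and salt are constructed stand-ins, not real Kerberos encryption types.

```python
# Constructed model of the Kerberos AS exchange; seal/unseal are toy stand-ins.
import hashlib, hmac, os, time

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for a Kerberos string-to-key function; the password never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC: "encrypted with the password-derived key" in the thread's terms.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    # Returns None when the key is wrong: the holder cannot "decrypt and use" the reply.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed KDC database: the KDC holds the derived key, never the password itself.
SALT = "EXAMPLE.ORGalice"
KDC_DB = {"alice@EXAMPLE.ORG": string_to_key("correct horse battery", SALT)}
KDC_STATE = {}  # last session key the KDC issued (kept only so a test can compare)

def kdc_as_exchange(principal: str, padata: bytes):
    """KDC side: verify encrypted-timestamp pre-authentication, then issue the AS-REP."""
    k = KDC_DB[principal]
    ts = unseal(k, padata)
    if ts is None or abs(time.time() - int(ts.decode())) > 300:
        return None  # pre-authentication failed: no reply is issued at all
    KDC_STATE["session_key"] = os.urandom(32)
    return seal(k, KDC_STATE["session_key"])  # encrypted part of the AS-REP

def client_login(principal: str, password: str, salt: str):
    """Client side: prove key possession up front, then open the reply to get the session key."""
    k = string_to_key(password, salt)
    enc_part = kdc_as_exchange(principal, seal(k, str(int(time.time())).encode()))
    return None if enc_part is None else unseal(k, enc_part)
```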

