Hacking - Firewalls And Networks How To Hack Into Remote Computers

Kerberos

Ticket for the remote realm's Ticket Granting Service from its local realm. When that Ticket Granting Ticket is used, the remote Ticket Granting Service decrypts it with the inter-realm key, which usually differs from its own normal Ticket Granting Service key. Because only the two realms hold that key, the remote Ticket Granting Service can be certain that the ticket was issued by the client's own Ticket Granting Service. Tickets issued by the remote Ticket Granting Service let the end-service know that the client was authenticated from another realm.

A realm is said to communicate with another realm if the two realms share an inter-realm key, or if the local realm shares an inter-realm key with an intermediate realm that communicates with the remote realm. An authentication path is the sequence of intermediate realms transited in communicating from one realm to another.

Realms typically are organized hierarchically. Each realm shares a key with its parent and a different key with each child. If an inter-realm key is not directly shared by two realms, the hierarchical organization permits an authentication path to be constructed by walking up from one realm to the nearest common ancestor and back down to the other. If a hierarchical organization is not used, it might be necessary to consult some database before an authentication path between realms can be constructed. If there is regular communication between two realms that are not directly connected in the hierarchy, they can set up a direct key between the two realms. Figure 9.3 shows a corporate hierarchy in which each link between systems represents a shared key. Note that there is a direct connection between ProjectW.RESEARCH.ABC.COM and ProjectW.PAYROLL.ABC.COM. Any time a connection will see significant data flows, an inter-realm key can be created and shared directly between the two servers.

Figure 9.3 A corporate hierarchy with shared keys. [Figure: a tree of realms rooted at ABC.COM, with Production, Research, Accounting and Payroll beneath it and ProjectW and ProjectX realms beneath Research and beneath Payroll; each link represents a shared inter-realm key, and a direct link joins ProjectW.RESEARCH.ABC.COM to ProjectW.PAYROLL.ABC.COM.]

Although realms typically are hierarchical, intermediate realms can be bypassed to achieve cross-realm authentication through alternative authentication paths. These might be established to make communication between two realms more efficient. The end-service needs to know which realms were transited when deciding how much faith to place in the authentication process: every transited realm's Ticket Granting Service was trusted along the way, so a compromised or loosely administered intermediate realm weakens the result. To facilitate this decision, a field in each ticket (the transited field in Kerberos Version 5) contains the names of the realms involved in authenticating the client.
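The following is an added example, not code from the book, that works through the path construction described above and the transited-realm check an end-service would make. It models the Figure 9.3 hierarchy as a graph of shared inter-realm keys (parent/child keys plus the direct ProjectW key), finds the authentication path between two realms by breadth-first search, and derives the list of transited realms. The `service_accepts` policy, the `PRODUCTION.ABC.COM` and `ACCOUNTING.ABC.COM` names, and the tree layout beyond what the text states are assumptions.

```python
# Added example (not from the book): Kerberos cross-realm authentication
# paths over a realm hierarchy with optional direct keys, and the
# end-service's check of the realms transited on the way to it.
# Realm names follow Figure 9.3; PRODUCTION/ACCOUNTING realm names and the
# "trusted intermediates" policy are assumed for illustration.
from collections import deque


def parent_realm(realm):
    """Parent implied by a dotted realm name:
    'ProjectW.RESEARCH.ABC.COM' -> 'RESEARCH.ABC.COM'; None for a single label."""
    _head, sep, tail = realm.partition(".")
    return tail if sep else None


def build_key_graph(realms, direct_keys=()):
    """Undirected graph whose edges mean 'these two realms share an inter-realm key'.
    Every realm shares a key with its parent when the parent is a known realm;
    direct_keys adds the shortcut keys two busy realms may set up themselves."""
    graph = {r: set() for r in realms}
    for r in realms:
        p = parent_realm(r)
        if p in graph:              # ABC.COM is the root: no key to a 'COM' realm
            graph[r].add(p)
            graph[p].add(r)
    for a, b in direct_keys:
        if a not in graph or b not in graph:
            raise ValueError(f"direct key between unknown realms {a!r}, {b!r}")
        graph[a].add(b)
        graph[b].add(a)
    return graph


def authentication_path(graph, client_realm, server_realm):
    """Shortest chain of key-sharing realms from client_realm to server_realm,
    endpoints included; None if the two realms do not communicate."""
    if client_realm not in graph or server_realm not in graph:
        return None
    if client_realm == server_realm:
        return [client_realm]
    prev = {client_realm: None}
    queue = deque([client_realm])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph[cur]):      # sorted only for deterministic ties
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == server_realm:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def transited_realms(path):
    """What the ticket records for the end-service: the intermediate realms only.
    The client's own realm and the service's realm are not 'transited'."""
    return list(path[1:-1])


def service_accepts(transited, trusted_intermediates):
    """Assumed end-service policy: accept only if every transited realm is one the
    service explicitly trusts to have run its Ticket Granting Service honestly."""
    return all(r in trusted_intermediates for r in transited)


# Realms from Figure 9.3 (layout assumed: four departments beneath ABC.COM,
# ProjectW/ProjectX beneath Research and beneath Payroll).
REALMS = [
    "ABC.COM",
    "PRODUCTION.ABC.COM", "RESEARCH.ABC.COM", "ACCOUNTING.ABC.COM", "PAYROLL.ABC.COM",
    "ProjectW.RESEARCH.ABC.COM", "ProjectX.RESEARCH.ABC.COM",
    "ProjectW.PAYROLL.ABC.COM", "ProjectX.PAYROLL.ABC.COM",
]
CLIENT = "ProjectW.RESEARCH.ABC.COM"
SERVER = "ProjectW.PAYROLL.ABC.COM"


def hierarchical_case():
    """Parent/child keys only: the path climbs to ABC.COM and back down."""
    return authentication_path(build_key_graph(REALMS), CLIENT, SERVER)


def direct_key_case():
    """With the direct ProjectW-to-ProjectW key from the figure, nothing is transited."""
    graph = build_key_graph(REALMS, direct_keys=[(CLIENT, SERVER)])
    return authentication_path(graph, CLIENT, SERVER)


if __name__ == "__main__":
    trusted = {"RESEARCH.ABC.COM", "ABC.COM", "PAYROLL.ABC.COM"}
    for path in (hierarchical_case(), direct_key_case()):
        t = transited_realms(path)
        print(" -> ".join(path))
        print("  transited:", t or "(none)", "| accepted:", service_accepts(t, trusted))
```

Run stand-alone, the first case transits RESEARCH.ABC.COM, ABC.COM and PAYROLL.ABC.COM; the second, using the direct key, transits nothing, which is exactly why the end-service must read the ticket rather than assume the hierarchy was followed. Real Kerberos Version 5 stores the transited realms in a compressed encoding (DOMAIN-X500-COMPRESS) and lets a KDC flag whether it already applied the transit policy; the example keeps the realm names in plain form.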

Internet Security Pro Ref 577-7 angela 2-2-96 CH09 LP#4
