Table 3...

Strona startowa Ludzie pragną czasami się rozstawać, żeby móc tęsknić, czekać i cieszyć się z powrotem.Vocabulary mihi - for me mensam - table oculus - eye juventutem - youth beatus - blessed vir - man Deus -...* ORA-00054 (exclusive DDL lock not possible because of T1’s table lock) 3 LOCK TABLE scott.../adimages/*/adimgstuleciastanowiły jeden z elementów wielu pierwotnych obrzędów...Jedziemy? Nie przyznam mu się, że nie mam paszportu...Wunderlich unglaubhaftes, beschaemendes, komisch traumartiges Abenteuer: Staetten, von denen man eben in tiefster Wehmut Abschied auf immer genommen, vom...deceitfulness!"1:48 "How do you know me?" Nathanael asked...Sama świadomość niedostatków nie jest radykalnym lekarstwem na nie, chociażmoże przyczynić się niekiedy do ich złagodzenia...String find = searchFor... 
 

Ludzie pragną czasami się rozstawać, żeby móc tęsknić, czekać i cieszyć się z powrotem.

1 shows the contents of the authenticator fields.
Table 3.1 Authenticator Field Contents
Name of Field
Contents of Field
Authenticator Version Number 5
Client Realm
The name of the client’s realm
Client Name
The name of the client
Checksum
The checksum of data in message authenticator
http://corpitk.earthweb.com/reference/pro/1928994024/ch03/03-02.html (1 of 3) [8/3/2000 6:51:42 AM]
Configuring Windows 2000 Server Security:Kerberos Server Authentication CUSEC
The millisecond portion of the client’s time
Client time
The time on the client
Subkey
Key that specifies an alternate key to use instead of the session key
Sequence Number
Optional and application–specific number
Authorization data
Optional field used to include authorization data for specific applications
Key Distribution Center
Just as the Kerberos in Greek mythology had three heads, in technology Kerberos also has three parts. The Kerberos authentication protocol has a client, a server, and a trusted authority. The Key Distribution Server (KDC), the trusted authority used in Kerberos, maintains a database with all account information for principals in the Kerberos realm. A principal is a uniquely named entity that participates in network communication, and a realm is an organization that has a Kerberos server. Since the system running the KDC
service contains the database with security account information, it needs to be physically secure. A portion of this security information is the secret key that is shared between a principal and the KDC. Each principal has its own secret key, and it has a long lifetime, which is why this key is also known as the long-term key.
When the long-term key is based upon a human user’s principal, it is derived from the user’s password. This long-term key is symmetric in nature.
Another key used with the KDC is the session key, which is issued by the KDC when one principal wants to communicate with another principal. For example, if a client wants to communicate with a server, the client sends the request to the KDC, and the KDC in turn issues a session key so that the client and server can authenticate with each other. Each portion of the session key is encrypted in the respective portion of the long-term key for both the client and server. In other words, the client’s long-term key includes the client’s copy of the session key, and the server’s long-term key includes the server’s copy of the session key. The session key has a limited lifetime that is good for a single login session. After the login session is terminated, the session key is no longer valid. The next time the same client needs to contact the same server, it will have to go to the KDC for a new session key.
Session Tickets
The client receives an encrypted message from the KDC that contains both the client and server copies of the session key, as shown in Figure 3.1. The server’s copy of the session key is contained in a session ticket, which also contains information about the client and is encrypted with the shared secret of the server and KDC. The client cannot access the session ticket because it does not know the shared secret key the server and KDC share.
Figure 3.1 The client requests a ticket to communicate with the server.
Now that the client has received the client session key and the servers’ session ticket from the KDC, it can successfully contact the server. The client sends a message to the server that contains the session ticket and an authenticator that has been encrypted with the session key, as shown in Figure 3.2. After the server receives the credentials from the client, it decrypts the session ticket using its shared secret key (shared between the server and the KDC) and extracts the session key sent by the KDC. It then uses the session key to decrypt the authenticator sent by the client. The server believes in the stated identity of the client because the KDC, the trusted authority, told the server the identity of the client. At this point, mutual authentication can take place if the client has requested it, if the correct flag is set in the message it sends.
This is one of the differences between Kerberos and other authentication mechanisms that only validate clients. If the client has requested mutual authentication, then the server encrypts the timestamp, including the milliseconds from the client’s authenticator using its copy of the session key, and then sends it back to the client.
http://corpitk.earthweb.com/reference/pro/1928994024/ch03/03-02.html (2 of 3) [8/3/2000 6:51:42 AM]
Configuring Windows 2000 Server Security:Kerberos Server Authentication
Figure 3.2 The client sends its credentials to the server with which it wants to communicate.