[19665] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Conceptual difference between kerberos service ticket and token?

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Oct 1 10:42:58 2017

To: Rohan Suri <rohan.a.suri@gmail.com>, krbdev@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <bbb04632-1038-b885-eb05-834fa4c2675d@mit.edu>
Date: Sun, 1 Oct 2017 10:42:43 -0400
MIME-Version: 1.0
In-Reply-To: <CANXk94QDav2nvge9BLMZ6zfdTxH3PxXkL97QV=qLst8DgXjoqA@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

This question would be better suited to kerberos@mit.edu as it is not
about MIT krb5 development, but I will answer it here.

On 10/01/2017 08:37 AM, Rohan Suri wrote:
> Upon having a TGT, we request a *service ticket* from KDC - providing the
> ServicePrincipalName of the target service.
> Now at places (esp in context of GSSAPI), it only uses the term token -
> when establishing context.
> Is this token equivalent to service ticket in all aspects? Is there a
> difference?

There is a difference:

* A Kerberos ticket is specific to Kerberos.  A GSSAPI context
establishment token could use any GSS mechanism.

* A Kerberos ticket is mostly encrypted in the long-term service key.
(I say "mostly" because there is also a server principal name in plain
text.)  It is not a bearer token; to use it you also have to know the
associated ticket session key.  The combination of ticket and session
key is called a "credential".

* A GSSAPI context establishment token for the Kerberos mechanism, from
the initiator to the acceptor, contains a ticket and an authenticator.
The authenticator is encrypted in the ticket session key, and contains a
timestamp demonstrating that the holder if the session key wanted to
authenticate at the current time.  It also usually contains a
sub-session key, some negotiation flags, possibly delegated credentials,
and possibly channel bindings to ensure that the authenticator can't be
used in a different channel.

* There is also (at least sometimes) a GSSAPI context establishment
token from the acceptor to the initiator, containing the same timestamp
and another sub-sesion key, for mutual authentication.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post