OSF DCE Application Development Guide--Core Components

Authentication
1. The user logs in, entering the correct username. The login program invokes
sec_login_setup_identity(), which takes the user’s principal name as one of its
arguments, and sec_login_valid_and_cert_ident(), which has as one of its
arguments the user’s password. sec_login_valid_and_cert_ident() causes the
Security runtime to request a Ticket-Granting Ticket (TGT) from the
Authentication Service. (A Ticket-Granting Ticket enables a principal to be
granted a ticket to a service of interest; in this case, it is the Privilege Service.)
The Security runtime performs the following steps to construct the TGT request:
a. Requests, from the secval process, a string consisting of a random key
(conversation key 1) encrypted using the machine session key (a copy of
which also resides in the registry); then appends this string to the Machine
Ticket-Granting Ticket (MTGT).
b. Generates another random key (conversation key 2), which the
Authentication Service will later use to encrypt the Ticket-Granting Ticket
it returns to the client, and appends it to a timestamp string.
c. Derives, from the password input by the user, the user’s secret key, a copy
of which also exists in the registry. Then encrypts the
timestamp/conversation key 2 string twice: first using the user’s secret key,
and again using conversation key 1.
d. Finally, completes the authentication request by concatenating the string
containing conversation key 1 (obtained from secval in Step a) with the
doubly encrypted string containing the timestamp and conversation key 2.
2. The Security Runtime then forwards the TGT request to the Authentication
Service.
3. The Authentication Service receives the request, and performs the following steps
to verify the user and prepare the user’s TGT:
a. Identifies the machine principal by means of the machine Ticket-Granting
Ticket, and obtains the machine session key for that machine from the
Registry.
b. Using the machine session key, decrypts the package containing
conversation key 1.
(Note that the ability of the authentication server to obtain the machine
session key from the Registry and decrypt conversation key 1 verifies that it
is the true Authentication Service server, and not an attacker.)
c. Obtains, from the Registry, the user’s secret key, and decrypts, using the
user’s secret key and conversation key 1, the package containing the
timestamp and conversation key 2.
If this decryption fails, the user’s secret key that was used by the login
program to encrypt the package differs from the one stored in the Registry,
and therefore the password supplied to the login program by the user was
incorrect. In this case, the user is not authenticated, and an error message is
returned to the login program.
If the decryption succeeds, and if the decrypted timestamp is within 5
minutes of the current time, the user has been verified (that is, the user
knows the correct principal password), and the Authentication Service
124245 Tandem Computers Incorporated 239
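The exchange in steps 1 through 3 above, as an added example that is not part of the OSF DCE guide or the DCE code base: the client side builds the TGT request (conversation key 1 wrapped under the machine session key, the timestamp plus conversation key 2 encrypted first under the user's secret key and then under conversation key 1), and the Authentication Service side unwraps it in the order the guide describes, rejecting a wrong password (the inner decryption fails) or a timestamp outside the 5-minute window. The registry contents, the MTGT token, the sample principal and password, and the cipher itself are constructed: a SHA-256 keystream with an HMAC tag stands in for DCE's cipher so that decryption under the wrong key fails detectably, and PBKDF2 stands in for the password-to-key derivation, whose exact form the page does not give.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Clock skew the Authentication Service tolerates (the 5 minutes on the page).
MAX_SKEW_SECONDS = 300


def derive_user_key(password: str) -> bytes:
    """Derive the user's secret key from the password (the Registry holds a copy).
    DCE's real derivation is not on the page; PBKDF2 with a constructed salt stands in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (stand-in for the page's cipher): decrypting under the
    wrong key fails the tag check instead of silently yielding garbage."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("decryption failed: key does not match")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed Registry contents: machine session keys (found via the MTGT) and
# user secret keys. In DCE these live in the registry service.
MACHINE_SESSION_KEY = bytes(range(32))
SAMPLE_MTGT = b"mtgt-for-host-constructed"
REGISTRY = {
    "machines": {SAMPLE_MTGT: MACHINE_SESSION_KEY},
    "users": {"alice": derive_user_key("correct horse battery")},
}


def build_tgt_request(principal: str, password: str, mtgt: bytes,
                      machine_session_key: bytes, now: int):
    """Client side (Security runtime, steps 1a-1d). Returns the request and the
    conversation key 2 the client keeps to decrypt the TGT it gets back."""
    # Step a: secval supplies conversation key 1 encrypted under the machine
    # session key; it travels together with the MTGT.
    conv_key1 = os.urandom(32)
    enc_conv_key1 = encrypt(machine_session_key, conv_key1)
    # Step b: a fresh conversation key 2 appended to a timestamp.
    conv_key2 = os.urandom(32)
    payload = struct.pack(">Q", now) + conv_key2
    # Step c: encrypt twice, first under the user's secret key, then under conv key 1.
    doubly_encrypted = encrypt(conv_key1, encrypt(derive_user_key(password), payload))
    # Step d: the request carries the MTGT, the wrapped conversation key 1 and the
    # doubly encrypted package (modelled as fields rather than one concatenated string).
    request = {"principal": principal, "mtgt": mtgt,
               "enc_conv_key1": enc_conv_key1, "doubly_encrypted": doubly_encrypted}
    return request, conv_key2


def authentication_service(request: dict, registry: dict, now: int) -> Optional[bytes]:
    """Server side (steps 3a-3c). Returns the TGT encrypted under conversation
    key 2, or None when the password is wrong or the timestamp is stale."""
    # Step a: identify the machine via its MTGT and fetch its session key.
    machine_session_key = registry["machines"][request["mtgt"]]
    # Step b: recover conversation key 1 (only the real service holds this key).
    conv_key1 = decrypt(machine_session_key, request["enc_conv_key1"])
    # Step c: peel both layers; a failure means the login program used a key
    # derived from the wrong password.
    user_key = registry["users"][request["principal"]]
    try:
        payload = decrypt(user_key, decrypt(conv_key1, request["doubly_encrypted"]))
    except ValueError:
        return None
    timestamp = struct.unpack(">Q", payload[:8])[0]
    conv_key2 = payload[8:]
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return None  # replayed or badly skewed request
    tgt = b"TGT for " + request["principal"].encode()  # constructed stand-in for a real TGT
    return encrypt(conv_key2, tgt)


def login(principal: str, password: str, client_now: int,
          server_now: Optional[int] = None) -> Optional[bytes]:
    """Run one login exchange; returns the TGT the client recovers, or None."""
    server_now = client_now if server_now is None else server_now
    request, conv_key2 = build_tgt_request(principal, password, SAMPLE_MTGT,
                                           MACHINE_SESSION_KEY, client_now)
    reply = authentication_service(request, REGISTRY, server_now)
    return None if reply is None else decrypt(conv_key2, reply)


if __name__ == "__main__":
    print(login("alice", "correct horse battery", 1_700_000_000))
    print(login("alice", "wrong password", 1_700_000_000))
    print(login("alice", "correct horse battery", 1_700_000_000, 1_700_000_000 + 3600))
```

Note that with a wrong password the outer layer (conversation key 1) still unwraps, because the machine session key is correct; it is the inner layer under the user's secret key that fails, which is exactly the condition the guide maps to "password incorrect". The skew check is applied only after both layers succeed, so a stale request from a legitimate client is distinguishable from a bad password only by the service's own handling, not by anything an observer on the wire sees.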