OSF DCE Application Development Guide--Core Components

Authentication
In Step 1, the client Security runtime sends to the Authentication Service, in addition
to the user’s name (UUID), a timestamp encrypted in the user’s secret key.
In Step 2, the Authentication Service, before preparing the user’s TGT, verifies the
user as follows:
1. It decrypts the timestamp using the copy of the user’s key it obtained from the
Registry.
2. If the decryption succeeds, and the timestamp is within 5 minutes of the
current time, the user is verified, and the Authentication Service proceeds to
prepare the TGT. If the decryption fails, or if the timestamp is not within 5
minutes of the current time, the Authentication Service rejects the login
request.
With this protocol, the Authentication Service can verify:
• That the client login request is timely.
• That the requesting client knows the user’s password.
It is therefore aware of, and can manage, persistent login failures for a given user,
eliminating passive password-guessing attacks.
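The Step 2 check described above, sketched as an added example (not code from the DCE sources). It assumes a stand-in cipher built from HMAC-SHA256 where DCE used DES, a lockout threshold MAX_FAILURES that the guide does not specify, and hypothetical names seal_timestamp, open_timestamp and AuthService.

```python
import hashlib, hmac, os, struct

SKEW = 5 * 60        # the guide's 5-minute window, in seconds
MAX_FAILURES = 3     # assumption: the guide gives no lockout threshold

def _prf(key, label, data):
    # Stand-in primitive (assumption): HMAC-SHA256 instead of DCE's DES.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_timestamp(key, now):
    """Step 1, client: encrypt the current time under the user's secret key."""
    nonce = os.urandom(16)
    ct = _xor(struct.pack(">Q", int(now)), _prf(key, b"enc", nonce))
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def open_timestamp(key, blob):
    """Return the decrypted timestamp, or None when decryption fails."""
    if len(blob) != 16 + 8 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:24], blob[24:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        return None                      # wrong key or tampered request
    return struct.unpack(">Q", _xor(ct, _prf(key, b"enc", nonce)))[0]

class AuthService:
    """Step 2, server: verify the user before preparing the TGT."""
    def __init__(self, registry):
        self.registry = registry         # user UUID -> key copy from the Registry
        self.failures = {}               # user UUID -> consecutive failed logins

    def verify(self, user, blob, now):
        key = self.registry.get(user)
        if key is None or self.failures.get(user, 0) >= MAX_FAILURES:
            return False                 # unknown user, or locked out (assumed policy)
        ts = open_timestamp(key, blob)
        ok = ts is not None and abs(now - ts) <= SKEW
        # Every rejected request is visible to the server and counted per user.
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed sample password").digest()
    svc = AuthService({"constructed-uuid": key})
    print(svc.verify("constructed-uuid", seal_timestamp(key, 1000), 1100))  # timely
    print(svc.verify("constructed-uuid", seal_timestamp(key, 1000), 2000))  # stale
```

Because the server must decrypt a fresh timestamp before it returns anything, each wrong guess costs the guesser one counted, rejectable request.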
From this point, the timestamps protocol continues as the DCE1.0 protocol described in
the next section, and then proceeds with Part 2 of the authentication procedure
(described below in the section entitled "How the Client Obtains a
Privilege-Ticket-Granting Ticket").
23.2.1.1.3 The DCE1.0 Authentication Protocol
This section explains how the DCE Authentication Service uses the DCE1.0 protocol to
authenticate a user. This protocol exists in DCE1.1 solely to provide interoperability
between DCE1.1 servers and pre-DCE1.1 clients; only pre-DCE1.1 clients transmit
DCE1.0 login requests, and the Authentication Service returns DCE1.0 responses only
to pre-DCE1.1 clients.
The DCE1.0 protocol lacks the security features described above for the third-party and
timestamps protocols, and network transmissions using it are more susceptible to attacks
on the user’s TGT. You should keep this in mind when you are considering the inclusion
of pre-DCE1.1 clients in your DCE1.1 cell.
124245 Tandem Computers Incorporated 2311