March 5, 2002
Practical Aspects of Modern Cryptography
17
Picture of a Kerberos Realm (figure; labels visible: Client, Ticket Granting Server (TGS))
$C \rightarrow TGS:\ \{A_{C,S}\}_{K_{C,TGS}},\ \{T_{C,TGS}\}_{K_{TGS}}$
where $A_{C,S} = \{c,\ \text{timestamp},\ \text{opt. subkey}\}_{K_{C,S}}$
$TGS \rightarrow C:\ \{T_{C,S}\}_{K_S},\ \{K_{C,S}\}_{K_{C,TGS}}$
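The two messages above, played out end to end as an added example (this is not lecture code). The client presents its TGT and a fresh authenticator, the TGS opens the TGT with its own key, recovers the client/TGS session key, checks the authenticator (principal match, clock skew, replay cache), and returns a service ticket sealed under the service's key together with the new session key sealed under the client/TGS key. The encrypt/decrypt pair is a stand-in built from hashlib and hmac (keystream XOR plus an integrity tag), not a real Kerberos encryption type, and every principal, key and timestamp is constructed here.

```python
"""Toy model of the Kerberos v5 TGS exchange (added example, not lecture code).

  C   -> TGS : {A_C,S}_{K_C,TGS} , {T_C,TGS}_{K_TGS}
  TGS -> C   : {T_C,S}_{K_S}      , {K_C,S}_{K_C,TGS}

encrypt()/decrypt() are a stand-in (SHA-256 keystream XOR plus an HMAC tag),
not a real Kerberos encryption type; all names and keys are constructed.
"""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300            # seconds; Kerberos' customary 5-minute tolerance
TICKET_LIFETIME = 8 * 3600  # constructed ticket lifetime


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """{obj}_key : fresh nonce || keystream-masked JSON || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def issue_tgt(client: str, k_tgs: bytes, now: int):
    """What the AS returned earlier: T_C,TGS sealed under K_TGS, plus K_C,TGS."""
    k_c_tgs = os.urandom(16)
    tgt = {"c": client, "s": "krbtgt", "key": k_c_tgs.hex(), "expires": now + TICKET_LIFETIME}
    return encrypt(k_tgs, tgt), k_c_tgs


def make_tgs_request(client: str, service: str, k_c_tgs: bytes, tgt_blob: bytes, now: int):
    """C -> TGS: authenticator {c, timestamp} sealed under K_C,TGS, plus the TGT."""
    auth = {"c": client, "timestamp": now}
    return {"s": service, "authenticator": encrypt(k_c_tgs, auth), "tgt": tgt_blob}


def tgs_handle(req: dict, k_tgs: bytes, service_keys: dict, now: int, seen: set):
    """TGS side: validate TGT and authenticator, then mint T_C,S and K_C,S."""
    tgt = decrypt(k_tgs, req["tgt"])                 # only the TGS holds K_TGS
    if now > tgt["expires"]:
        raise PermissionError("TGT expired")
    k_c_tgs = bytes.fromhex(tgt["key"])
    auth = decrypt(k_c_tgs, req["authenticator"])    # proves the client knows K_C,TGS
    if auth["c"] != tgt["c"]:
        raise PermissionError("authenticator principal does not match TGT")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("authenticator timestamp outside allowed clock skew")
    if (auth["c"], auth["timestamp"]) in seen:       # replay cache, as a real KDC keeps
        raise PermissionError("replayed authenticator")
    seen.add((auth["c"], auth["timestamp"]))
    k_c_s = os.urandom(16)
    ticket = {"c": tgt["c"], "s": req["s"], "key": k_c_s.hex(), "expires": now + TICKET_LIFETIME}
    return {"ticket": encrypt(service_keys[req["s"]], ticket),          # {T_C,S}_{K_S}
            "session": encrypt(k_c_tgs, {"s": req["s"], "key": k_c_s.hex()})}  # {K_C,S}_{K_C,TGS}


def run_exchange(now: int = 1_015_286_400):
    """Full round trip (constructed 'now' = 5 March 2002 UTC).

    Returns the session key as seen by the client, as seen by the service,
    and the client principal the service reads out of its ticket."""
    k_tgs, k_s = os.urandom(16), os.urandom(16)
    service_keys = {"db/unixhost": k_s}              # constructed service principal
    tgt_blob, k_c_tgs = issue_tgt("alice", k_tgs, now)
    req = make_tgs_request("alice", "db/unixhost", k_c_tgs, tgt_blob, now + 1)
    rep = tgs_handle(req, k_tgs, service_keys, now + 2, seen=set())
    client_view = decrypt(k_c_tgs, rep["session"])   # client learns K_C,S
    service_view = decrypt(k_s, rep["ticket"])       # service opens T_C,S with K_S
    return client_view["key"], service_view["key"], service_view["c"]


if __name__ == "__main__":
    print(run_exchange())
```

The client never sees inside the TGT or the service ticket; it can only open the part sealed under the session key it already shares with the TGS. That is the property that lets a ticket travel through an untrusted client and still be believed by the service.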
Smart Card Logon - Kerberos v5 security provider implements the current IETF draft for PKINIT to support certificate-based authentication

GINA/Winlogon - recognizes the card insertion and prompts the user for a PIN rather than a password

The certificate is retrieved from the card and used to identify the user after a challenge-response requiring a private key operation on the smart card

KDC - the Key Distribution Center looks up the user in the Active Directory based on the identity in the certificate

The end result is a Kerberos Ticket Granting Ticket (TGT) that can be used to request access to network resources, including access to UNIX-based databases using delegation and referral.