March 5, 2002
Practical Aspects of Modern Cryptography
20
[Figure: Picture of a Kerberos Realm, showing a Client and a Server exchanging the two messages below]

Client/server authentication exchange:

$C \to S:\ \{A_{C,S}\}_{K_{C,S}},\ \{T_{C,S}\}_{K_S}$

where $A_{C,S} = \{C,\ \text{timestamp},\ \text{opt. subkey}\}_{K_{C,S}}$

$S \to C:\ \{\text{timestamp},\ \text{opt. subkey}\}_{K_{C,S}}$
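The client/server exchange above, worked through in Go as an added example (this is not code from the lecture): the KDC issues T_{C,S} sealed under the server key K_S with a fresh K_{C,S} inside, the client sends A_{C,S} sealed under K_{C,S} together with the ticket, the server opens both, checks that the authenticator names the ticket's principal and that its timestamp is fresh, and echoes the timestamp under K_{C,S} so the client can authenticate the server in turn. The principal names, the 5-minute clock skew, and the use of AES-256-GCM over JSON in place of a Kerberos encryption type are assumptions of the example; the optional subkey is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Msg is the plaintext of every sealed object on the slide, each using a subset of the fields:
// T_{C,S} = {Client, SessionKey}, A_{C,S} = {Client, Timestamp}, reply = {Timestamp}. No subkey.
type Msg struct {
	Client     string
	SessionKey []byte // K_{C,S}
	Timestamp  time.Time
}

// seal/open realise the slide's {m}_K with AES-256-GCM as a stand-in for a Kerberos
// encryption type. Keys are always 32 random bytes here, so cipher setup cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
func seal(key []byte, m Msg) []byte {
	pt, _ := json.Marshal(m)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}
func open(key, sealed []byte) (m Msg, err error) {
	if len(sealed) < 12 {
		return m, errors.New("truncated ciphertext")
	}
	pt, err := aead(key).Open(nil, sealed[:12], sealed[12:], nil) // wrong key or tampering fails here
	if err != nil {
		return m, err
	}
	return m, json.Unmarshal(pt, &m)
}

// IssueTicket plays the KDC: it picks a fresh K_{C,S} and seals T_{C,S} under the server key K_S.
func IssueTicket(ks []byte, client string) (kcs, ticket []byte) {
	kcs = make([]byte, 32)
	rand.Read(kcs)
	return kcs, seal(ks, Msg{Client: client, SessionKey: kcs})
}

// ClientRequest builds {A_{C,S}}_{K_{C,S}}; the client sends it together with the sealed ticket.
func ClientRequest(client string, kcs []byte, now time.Time) []byte {
	return seal(kcs, Msg{Client: client, Timestamp: now})
}

// ServerAccept opens T_{C,S} with K_S, then A_{C,S} with the K_{C,S} found inside, checks that
// both name the same principal and that the timestamp is fresh, and answers with
// {timestamp}_{K_{C,S}}. It also returns K_{C,S} for protecting the session that follows.
func ServerAccept(ks, ticket, auth []byte, now time.Time, skew time.Duration) ([]byte, []byte, error) {
	t, err := open(ks, ticket)
	if err != nil {
		return nil, nil, fmt.Errorf("ticket: %w", err)
	}
	a, err := open(t.SessionKey, auth)
	if err != nil {
		return nil, nil, fmt.Errorf("authenticator: %w", err)
	}
	if a.Client != t.Client {
		return nil, nil, errors.New("authenticator principal does not match ticket")
	}
	if d := now.Sub(a.Timestamp); d > skew || d < -skew {
		return nil, nil, errors.New("authenticator outside allowed clock skew")
	}
	return seal(t.SessionKey, Msg{Timestamp: a.Timestamp}), t.SessionKey, nil
}

// ClientVerify: only a holder of K_{C,S}, i.e. a server that could open T_{C,S}, can echo the
// timestamp the client just sent, so a matching reply authenticates the server to the client.
func ClientVerify(kcs, reply []byte, sent time.Time) error {
	r, err := open(kcs, reply)
	if err != nil {
		return err
	}
	if !r.Timestamp.Equal(sent) {
		return errors.New("reply does not echo the authenticator timestamp")
	}
	return nil
}

func main() {
	ks := make([]byte, 32) // K_S, shared by the KDC and the server
	rand.Read(ks)
	now := time.Now()
	kcs, ticket := IssueTicket(ks, "alice@EXAMPLE.COM")
	auth := ClientRequest("alice@EXAMPLE.COM", kcs, now)
	reply, _, err := ServerAccept(ks, ticket, auth, now, 5*time.Minute)
	fmt.Println("server accepted client:", err == nil, "client verified server:", ClientVerify(kcs, reply, now) == nil)
}
```

A real server additionally keeps a replay cache of the authenticators it has seen inside the skew window: the timestamp alone cannot stop an attacker resending a captured {A_{C,S}}_{K_{C,S}} during those five minutes, and this example leaves that cache out.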
Smart Card Logon

Kerberos v5 security provider - implements the current IETF draft for PKINIT to support certificate-based (public key) initial authentication in place of a password-derived key

GINA/Winlogon - recognizes the card insertion and prompts the user for a PIN rather than a password

Certificate - retrieved from the card and used to identify the user, but only after a challenge-response that requires a private-key operation on the smart card, so the user proves possession of the card as well as knowledge of the PIN

KDC - the Key Distribution Center validates the certificate and looks up the user in Active Directory based on the identity in the certificate

The end result is a Kerberos Ticket Granting Ticket (TGT) that can be used to request access to network resources, including UNIX-based databases, using delegation and referral.
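The smart card logon steps above, as an added Go example that is neither code from the lecture nor Windows code: the card exposes only its certificate and a PIN-gated signing operation, the KDC issues a fresh random challenge, verifies the card's signature against the certificate, validates the certificate chain to a CA it trusts, and maps the identity in the certificate to a directory account before issuing a (simplified) TGT. The CA, the card certificate, the directory contents, the PIN, and the use of the CommonName as the identity (Active Directory uses the UPN in the certificate's SAN) are all constructed assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SmartCard stands in for the card: the certificate is readable without the PIN, the private
// key never leaves the card, and its only operation is signing a challenge once the PIN is verified.
type SmartCard struct {
	pin  string
	priv *ecdsa.PrivateKey
	Cert []byte // DER-encoded certificate
}

func (c *SmartCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("PIN verification failed")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// KDC trusts one issuing CA and holds a constructed directory that maps the identity in a
// certificate to an account (Active Directory uses the UPN in the SAN; CommonName stands in).
type KDC struct {
	Roots     *x509.CertPool
	Directory map[string]string
}

// TGT is the simplified end result; a real TGT is encrypted under the krbtgt key.
type TGT struct{ Principal string; SessionKey []byte }

// Logon is the certificate-based challenge-response: the KDC draws a fresh challenge, the card
// signs it, and the KDC verifies the signature, validates the chain, and maps the identity.
func (k *KDC) Logon(card *SmartCard, pin string, now time.Time) (*TGT, error) {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig, err := card.Sign(pin, challenge)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(card.Cert)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: k.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, errors.New("challenge signature invalid")
	}
	account, ok := k.Directory[cert.Subject.CommonName]
	if !ok {
		return nil, errors.New("no directory account for certificate identity")
	}
	key := make([]byte, 32)
	rand.Read(key)
	return &TGT{Principal: account, SessionKey: key}, nil
}

// Provision builds a test CA, enrolls a card certificate for cn, and returns a KDC that trusts
// the CA and knows cn. All of it is constructed for the example.
func Provision(cn, pin string, now time.Time) (*KDC, *SmartCard) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &cardKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	kdc := &KDC{Roots: roots, Directory: map[string]string{cn: cn + "@EXAMPLE.COM"}}
	return kdc, &SmartCard{pin: pin, priv: cardKey, Cert: leafDER}
}

func main() {
	now := time.Now()
	kdc, card := Provision("alice", "1234", now)
	tgt, err := kdc.Logon(card, "1234", now)
	fmt.Println("logon error:", err, "tgt issued:", tgt != nil)
	_, err = kdc.Logon(card, "0000", now)
	fmt.Println("wrong PIN:", err)
}
```

The fresh random challenge is what ties the private-key operation to this particular logon; a signature over anything the card has signed before would be replayable. The directory lookup deliberately comes after chain validation, so a certificate from an untrusted issuer that names a real user never reaches it.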