HP CM8000 Practical IPsec Deployment for Printing and Imaging Devices - Page 136

IKE Authentication: Kerberos


Figure 56 – TGS-REP

Here we see the application server ticket is just an “opaque blob” to Vista as well. However, using the TGS/Vista session key, information about the application server ticket is also included so that Vista can communicate with the application server.

Kerberos tries to use session keys and minimize the use of long-term keys (keys based upon the user’s password) as much as possible. Kerberos also enforces a “need to know only” policy by using different keys to make parts of the packet that are intended for another endpoint “opaque blobs”. The fact that the KDC has a copy of everyone’s long-term key and can generate session keys on the fly is what makes this type of exchange possible.
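The key separation described above, shown as an added example that is not part of the HP document: a toy KDC wraps one fresh session key twice, once under the service's long-term key (the ticket, opaque to the client) and once under the existing TGS/client session key (the part the client can read). The principal names, the long-term key table and the SHA-256/HMAC toy cipher are constructed stand-ins for real Kerberos encryption types.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption (SHA-256 counter keystream + HMAC tag) standing in
# for Kerberos encryption types; it is only here to make the key separation visible.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed long-term key table held by the KDC (real ones derive from passwords).
LONG_TERM = {"ipsec/printer.example": os.urandom(32)}

def tgs_rep(tgs_session_key, client, service):
    """KDC side: mint a fresh session key and wrap it twice, once per endpoint."""
    session_key = os.urandom(32).hex()
    ticket = seal(LONG_TERM[service],            # only the service can open this
                  json.dumps({"client": client, "key": session_key}).encode())
    enc_part = seal(tgs_session_key,             # only the client can open this
                    json.dumps({"service": service, "key": session_key}).encode())
    return {"ticket": ticket, "enc_part": enc_part}

def client_decode(tgs_session_key, rep):
    """Client side: recover the session key; the ticket stays an opaque blob."""
    info = json.loads(unseal(tgs_session_key, rep["enc_part"]))
    try:
        unseal(tgs_session_key, rep["ticket"])
        ticket_opaque = False
    except ValueError:
        ticket_opaque = True
    return info, ticket_opaque

def service_decode(service, rep):
    """Application server side: open the ticket with its own long-term key."""
    return json.loads(unseal(LONG_TERM[service], rep["ticket"]))
```

Both endpoints end up holding the same session key without the client ever seeing the service's long-term key, which is the property the IPsec peer relies on when the ticket is presented in IKE Phase 1.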
IKE Authentication: Kerberos

Kerberos authentication happens in IKE Phase 1. Let’s look at a typical Kerberos exchange during IKE negotiation. Refer to Figure 57 – IKE and Kerberos.