3.7. User-to-User Authentication Exchanges
Overview
User-to-user authentication is a variant of the Kerberos protocol that allows two clients to authenticate to each other without requiring either to maintain a long-term key. This is particularly useful in peer-to-peer scenarios, where the peer acting as the server is itself an ordinary user principal.
The Problem
In the standard Kerberos model:
- Servers maintain long-term keys
- Clients authenticate to servers using tickets encrypted in the server's long-term key
- This does not work well for peer-to-peer authentication, where neither peer wants to maintain a long-term key
The Solution
User-to-user authentication works as follows:
- The first user obtains a TGT
- The second user requests a ticket for the first user
- The ticket is encrypted in the session key from the first user's TGT (not in a long-term key)
- The second user presents this ticket to the first user for authentication
Protocol Flow
- User A obtains a TGT from the AS
- User B sends a TGS_REQ to the TGS that:
  - Requests a ticket for User A
  - Includes the ENC-TKT-IN-SKEY option
  - Includes User A's TGT
- The TGS issues a ticket encrypted in the session key of User A's TGT
- User B presents the ticket to User A
- User A decrypts the ticket using its TGT session key
- Both users now share the session key from the new ticket
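The flow above, simulated end to end as an added example (not part of the original page or of any Kerberos implementation): a toy KDC issues TGTs to alice and bob, then handles bob's TGS request with ENC-TKT-IN-SKEY by sealing the new ticket under the session key found in alice's TGT, so alice can open it with nothing but her TGT session key. The `seal`/`unseal` helpers are a constructed stand-in for Kerberos EncryptedData, and authenticators, timestamps and pre-authentication are omitted.

```python
import os, hmac, hashlib, json

# Constructed toy "seal": HMAC-SHA256 keystream plus an HMAC tag. It stands in
# for Kerberos EncryptedData; it is NOT a real Kerberos encryption type.
def _stream(key, nonce, n):
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def opens_with(key, blob):
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

KRBTGT_KEY = os.urandom(32)  # TGS long-term key, known only to the KDC

def as_issue_tgt(cname):
    """AS exchange: returns the TGT (sealed under the krbtgt key) and its session key."""
    sk = os.urandom(32)
    return seal(KRBTGT_KEY, {"cname": cname, "key": sk.hex()}), sk

def tgs_enc_tkt_in_skey(req_tgt, req_sk, srv_tgt):
    """TGS exchange with ENC-TKT-IN-SKEY: the TGS opens both TGTs, then seals
    the new ticket under the session key of the *server user's* TGT."""
    req, srv = unseal(KRBTGT_KEY, req_tgt), unseal(KRBTGT_KEY, srv_tgt)
    new_sk = os.urandom(32)
    ticket = seal(bytes.fromhex(srv["key"]),
                  {"cname": req["cname"], "sname": srv["cname"], "key": new_sk.hex()})
    enc_part = seal(req_sk, {"sname": srv["cname"], "key": new_sk.hex()})  # for the requester
    return ticket, enc_part

def user_to_user_exchange():
    a_tgt, a_sk = as_issue_tgt("alice")                         # User A obtains a TGT
    b_tgt, b_sk = as_issue_tgt("bob")                           # User B obtains a TGT
    ticket, enc_part = tgs_enc_tkt_in_skey(b_tgt, b_sk, a_tgt)  # B asks the TGS for a ticket to A
    b_key = bytes.fromhex(unseal(b_sk, enc_part)["key"])        # B learns the new session key
    opened = unseal(a_sk, ticket)          # A opens the ticket with her TGT session key only
    return {"ticket": ticket, "cname": opened["cname"], "sname": opened["sname"],
            "a_key": bytes.fromhex(opened["key"]), "b_key": b_key}
```

Note that alice never holds a long-term key of her own in this exchange; only the KDC's krbtgt key and the two TGT session keys are involved, and a party without alice's TGT session key cannot open the ticket.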
Requirements
- The ENC-TKT-IN-SKEY option must be set in the TGS request
- The first user's TGT must be provided to the TGS
- The first user must still have the TGT session key available to decrypt the incoming ticket
Use Cases
- Peer-to-peer applications
- Workstation-to-workstation communication
- Scenarios where neither party maintains long-term keys
- Mobile or temporary services
Security Considerations
- Both users must hold valid TGTs
- The session key from the first user's TGT is used as the encryption key for the new ticket
- Provides mutual authentication between the peers
- No long-term key is exposed for the peer acting as the service
Reference
For complete technical details, refer to RFC 4120 Section 3.7.