
The Shared-Secret Authentication Protocol

The registry service maintains a database with an entry for every principal, identifying the principal by its name and the secret key bound to it. This binding of a principal's identity to a secret key shared with the registry is at the root of the DCE shared-secret authentication protocols, as will be seen in this topic. For an interactive principal, the secret key is derived from the user's password at login time. To establish its identity as a principal, a noninteractive principal, such as a server or computer, must store its secret key in a data file or hardware device, or rely on a system administrator to enter it. The secret keys of servers are considered stronger than those of users/clients because they are "truly random" (as opposed to being derived from a password, which greatly restricts their randomness).
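The two ways a principal comes to share a key with the registry, modelled as an added example (this is not DCE's own code, and the PBKDF2-based derivation, the 16-byte key length, the `Registry` class and the sample principal names are assumptions made for the illustration, not the DCE string-to-key algorithm or its database format). The `effective_key_bits` function makes the "greatly restricts their randomness" point concrete: a password-derived key can never be harder to guess than the password it came from, however long the derived key is.

```python
import hashlib
import hmac
import math
import secrets
from typing import Dict, Optional

# Assumed key length for this illustration; not DCE's actual key type.
KEY_BYTES = 16


def key_from_password(cell: str, principal: str, password: str) -> bytes:
    """Derive an interactive principal's secret key from its password.

    PBKDF2-HMAC-SHA256 salted with the cell and principal names is an
    assumption made for this example; it is not the DCE/Kerberos
    string-to-key function. What it demonstrates is that the key is
    deterministic, so the login program can recompute it at login time
    instead of storing it.
    """
    salt = f"{cell}/{principal}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=KEY_BYTES)


def random_server_key() -> bytes:
    """Generate a noninteractive principal's key from the OS CSPRNG.

    Nothing can recompute this key, so the server must keep a copy
    (the "data file or hardware device" the text mentions).
    """
    return secrets.token_bytes(KEY_BYTES)


def effective_key_bits(key_bytes: int, alphabet_size: Optional[int] = None,
                       password_length: Optional[int] = None) -> float:
    """Upper bound, in bits, on the work needed to guess the key.

    A random key is bounded only by its length. A password-derived key is
    additionally bounded by the number of passwords the user could have
    chosen, which is what restricts its randomness in practice.
    """
    key_bits = 8.0 * key_bytes
    if alphabet_size is None or password_length is None:
        return key_bits
    return min(key_bits, password_length * math.log2(alphabet_size))


class Registry:
    """Toy model of the registry database: principal name -> bound secret key."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register_interactive(self, cell: str, name: str, password: str) -> None:
        self._keys[name] = key_from_password(cell, name, password)

    def register_noninteractive(self, name: str) -> bytes:
        # The registry keeps one copy; the returned copy goes into the
        # server's key file. Both sides now share the secret.
        key = random_server_key()
        self._keys[name] = key
        return key

    def shares_key(self, name: str, candidate: bytes) -> bool:
        """Constant-time check that a presented key matches the bound key."""
        bound = self._keys.get(name)
        return bound is not None and hmac.compare_digest(bound, candidate)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    reg = Registry()
    reg.register_interactive("cell.example", "alice", "correct horse battery")
    server_key = reg.register_noninteractive("host/fileserver")

    # At login the client recomputes alice's key from the typed password.
    login_key = key_from_password("cell.example", "alice", "correct horse battery")
    print("alice shares key with registry:", reg.shares_key("alice", login_key))
    print("fileserver shares key with registry:", reg.shares_key("host/fileserver", server_key))

    # An 8-character password over 62 symbols bounds the key at about 47.6 bits,
    # even though the derived key itself is 128 bits long.
    print("random server key bits:", effective_key_bits(KEY_BYTES))
    print("8-char password key bits:", round(effective_key_bits(KEY_BYTES, 62, 8), 1))
```

The registry never needs to know a user's password, only the key derived from it, and the derivation's salt ties the key to one principal in one cell, so the same password used by two principals yields two different keys. Server keys, by contrast, exist only as stored copies, which is why protecting the key file matters as much as protecting the password for an interactive user.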

DCE shared-secret authentication implements an extended version of the Kerberos Version 5 system as its authentication protocol. Specifically, the part of the DCE security server that corresponds to Kerberos is the KDS; the other parts (the registry service and the privilege service) have no counterpart in Kerberos. The Kerberos system was originally developed at the Massachusetts Institute of Technology as part of Project Athena, and provides a trustworthy, shared-secret authentication system. The walkthrough of the authentication protocol in this topic describes the protocol in general terms.

Note: The KDS is an exceptional principal in that it does not share its key with any other principal. KDS surrogates (see Intercell Authentication) are also exceptional in that they are not autonomous participants in authenticated communications, as other kinds of principals are.

In the theory of shared-secret authentication, all principals are initially considered untrusted, except those in the trusted computing base itself (the KDS, the registry service, and the privilege service). A security-sensitive application must use the trusted computing base to convince itself of the level of trust it may place in every other principal. How that is done is the subject of this topic.