1. Technical Field
The present invention relates to an authentication agent apparatus, an authentication agent method, and an authentication agent program storage medium.
2. Related Art
In recent years, systems in which a directory server or the like is used to perform authentication or access control over a network have come into widespread use. Here, the typical authentication flow of Kerberos, one such authentication technique, will be described.
Kerberos is a system in which the logical configuration elements of a key distribution center KDC (Key Distribution Center), an authentication server AS (Authentication Server), and a ticket granting server TGS (Ticket Granting Server) are used to perform the authentication processing of a client and the communication permission processing (communication enabling processing) between one client and another client. The three logical configuration elements are generally integrated and implemented as one, and hereinafter they are collectively called simply the authentication server.
The authentication server has a key (called K0) owned only by the authentication server, and shares with a client a common key (called K1), which is generated using the client's password as the seed. In addition, the authentication server shares with the other client (here called an application server) a common key (called K2), which is generated using the application server's password as the seed of the key.
When desiring to access (communicate with) the application server, the client first issues an authentication request to the authentication server. When the authentication succeeds, the authentication server generates a session key (called K3) and a TGT (Ticket Granting Ticket; also called an initial ticket). The TGT is data generated by encrypting information such as the IP (Internet Protocol) address of the client, K3, and an expiration date with K0. The authentication server encrypts K3 and the TGT with K1 and transmits them to the client. The client decrypts them with K1 and extracts the TGT and K3.
Next, the client transmits to the authentication server an access permission request (access enabling request) to access the application server, a time stamp encrypted with K3, and the TGT. The authentication server decrypts the TGT with K0 and extracts the information such as the IP address of the client, K3, and the expiration date. After confirming that the expiration date has not passed, the authentication server decrypts the time stamp with K3 to verify that the requester is the client having the proper right, and recognizes that access permission to the application server is being requested.
In the case where the access request from the client is permitted, the authentication server generates a session key (called K4) for communication between the client and the application server. Then, K4 encrypted with K2 (called a service ticket) and K4 encrypted with K3 are generated and transmitted to the client.
The client decrypts the latter with K3 and extracts K4. The client uses the extracted K4 to encrypt the access request to the application server, and delivers this, together with the service ticket (K4 still encrypted with K2), to the application server. Since the application server can decrypt the service ticket with K2 and extract K4, it can verify that the authentication server has permitted the client to communicate. The request from the client is decrypted with the extracted K4. In this way, secure communication using K4 is performed between the client and the application server.
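The exchange described above, as an added example that is not part of the patent text: a minimal Python simulation with the keys named K0 to K4 as in the description, an expiry check on the TGT, and a timestamp check on the K3-encrypted authenticator. The cipher is a stand-in built from the standard library (SHA-256 keystream plus HMAC-SHA256), not a Kerberos encryption type; the salt, passwords and IP address are constructed values.

```python
import hashlib, hmac, json, secrets

# Toy authenticated encryption as a stand-in for Kerberos encryption types:
# SHA-256 counter-mode keystream, then HMAC-SHA256 over nonce||ciphertext.
def _xor_stream(key, nonce, data):
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered data")
    return json.loads(_xor_stream(key, nonce, ct))

def key_from_password(pw):  # K1 / K2: derived from the principal's password (seed); constructed salt
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 10000)

class AuthServer:  # AS and TGS merged into one, as the text describes
    def __init__(self, client_pw, app_pw):
        self.K0 = secrets.token_bytes(32)  # known only to the authentication server
        self.K1, self.K2 = key_from_password(client_pw), key_from_password(app_pw)
    def as_exchange(self, client_ip, now, lifetime=300):  # step 1: returns E_K1(K3, TGT)
        K3 = secrets.token_bytes(32).hex()
        tgt = seal(self.K0, {"ip": client_ip, "K3": K3, "exp": now + lifetime})
        return seal(self.K1, {"K3": K3, "TGT": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, now):  # step 2: returns (service ticket, E_K3(K4))
        t = unseal(self.K0, tgt)  # only the KDC can open the TGT
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        K3 = bytes.fromhex(t["K3"])
        if abs(unseal(K3, authenticator)["ts"] - now) > 300:  # timestamp proves possession of K3
            raise PermissionError("stale authenticator")
        K4 = secrets.token_bytes(32).hex()
        return seal(self.K2, {"K4": K4, "client": t["ip"]}), seal(K3, {"K4": K4})

def run_protocol(now, tgt_age=0):  # full flow; returns the command the app server reads via K4
    kdc = AuthServer("client-pw", "app-pw")
    r = unseal(kdc.K1, kdc.as_exchange("10.0.0.5", now - tgt_age))  # client side, holds K1
    K3, tgt = bytes.fromhex(r["K3"]), bytes.fromhex(r["TGT"])
    service_ticket, k4_blob = kdc.tgs_exchange(tgt, seal(K3, {"ts": now}), now)
    K4 = bytes.fromhex(unseal(K3, k4_blob)["K4"])  # client extracts K4
    app_K4 = bytes.fromhex(unseal(key_from_password("app-pw"), service_ticket)["K4"])  # app uses K2
    return unseal(app_K4, seal(K4, {"cmd": "list"}))["cmd"]  # app server decrypts the request
```

Calling run_protocol with tgt_age larger than the TGT lifetime makes the authentication server reject the TGT, which is the expiry check in the text.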
As stated above, in the authentication system of Kerberos, when the client authentication is performed by the authentication server, the authentication server issues the TGT to the client. The TGT is the data issued by the authentication server to the authenticated client, and can be said to be authorization data to authorize the client to request the authentication server to permit (enable) access (communication) to another client. When the client uses the TGT to request the authentication server to permit the access to another client, the authentication server issues to the client the service ticket for accessing the other client. The service ticket is data issued by the authentication server to the client having requested the access, and can be said to be the enabling data to enable this client to access the other client as the access destination.
Incidentally, the authentication server may include multiple server elements that are mutually authenticated. In the case where the multiple server elements are mutually authenticated (that is, where they share a common key), the trust relationships are linked so that clients of the different server elements can communicate with each other. This is a technique called cross-realm authentication (authentication is performed mutually across a realm (a range on a network) trusted by one authentication server and a realm trusted by another authentication server).
Various apparatuses can participate in the authentication system of Kerberos without limitation, so long as the apparatuses can process the TGT, the service ticket, and the like.