Home/ Questions/Q 347079
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T11:14:14+00:00

I’m interested in creating a sort of hand-off authentication method, where there’s a client

  • 0

I’m interested in creating a sort of hand-off authentication method, where there’s a client and two servers (let’s call them Alice, Bob and Carmen Sandiego, respectively). Alice is a client (in a browser) somewhere on the ‘net, possibly behind a NAT that gives a different IP for outgoing requests to different addresses (I know there are some corporate NATs that do this, so just in case).

Alice logs onto Bob using standard challenge-response authentication. The goal is that Alice can now make a request to Carmen and be recognized as an authenticated user. I assume the best method would be to have Bob create some temporary passkey which is sent to both Alice and Carmen and Alice will send that passkey to Carmen. However, I’m no crypto expert and so I’m unsure exactly how to make this communication safe. That is, if there’s an eavesdropper on the Alice-Bob line that accesses the passkey, it could just send this straight to Carmen and get unauthorized access.

So does anyone have any ideas about how to do this? I’m assuming it involves a lot of shared secrets, random numbers, and hashing, but I’m not sure exactly what’s cryptographically sound.

Thanks,
Robert

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You might want to have a look at Kerberos. I don’t know if this protocol satisfies your needs, but at least it is worth a try.

    In particular with Kerberos a client can authenticat himself to a server1 that fore example can verify the clients password. If the client then wants to authenticate himself to a second server, he can ask for a ticket.
    A ticket is basically a short message that contains information such as the server ids, a timestamp and a session key K. This message is encrypted with a key that is shared by the two servers. The client receives the session key K and the ticket.
    With these two things he can now authenticate himself to the second server. I.e. the client sends the ticket to the second server, this server decrypts the ticket checks the ids timestamp etc. and gets the session key K. That is the client and the second server now share the key K, which they can use for the authentication.

    I’m aware that this description is too short to include all details. I hope it is not too confusing.

    • 0