Java/C# Kerberos inter-op possible?

views:

116

answers:

+1 Q:

Java/C# Kerberos inter-op possible?

Hi there...

I have implemented a Kerberos server/client using sockets in Java, where the client sends his service-TGT to the server, and the server knows the client is authentic.

My main concern is the snooping 'man-in-the-middle' attack. Someone could capture the TGT, and pretend to be the client.

In a pure Java implementation, this is no problem, as further communication is encrypted with the service session keys (GSSContext.wrap()/GSSContext.unwrap()), which the snooper does not have.

But the client app needs to be re-written in C#.

I figure my two options for keeping communication encrypted are:

Write my own wrap() and unwrap() methods in C#
Use SSL/TLS.

Is option 1 possible, before I look into SSL as an option?

+2 A:

Option 1 involves some heavy code porting which you may or not may have time to do. Option 2 sounds good.

There is option 3 which depends on your constraints, use a private encrypted TCP channel, which should be faster than SSL/TLS, but as I said may not be applicable. It could use symmetric encryption, having initialized by the session keys (which are secret)

_NT 2009-10-20 14:56:42

I've got SSL to work, because i figured option 1 would be painful. I can't really use a private key scenario, because the client app could be decompiled to work it out. SSL/TLS seems like the way to go. Thanks

djb 2009-10-21 12:14:44

Great to have been of help. Just to clarify, I meant that the symmetric encryption algorithm could use the session key as its secret. This would not be hardcoded and would change on every session.

_NT 2009-10-21 13:38:41

ansaurus

tags:

views:

answers:

Java/C# Kerberos inter-op possible?

related questions