Storing the Data. Once the user has successfully authenticated to the destination directory, we use the transformation capabilities of the Authentication Preprocessor module in our architecture to extract the user's symmetric key, Kcv, and password hash, H(pwdc). The password hash is used as an additional measure of security against an attack in which a malicious administrator changes the user's password and, using the original authentication string, masquerades as the user. While this step may seem redundant, it is necessary because of the nature of LDAP clients. Many computer networking clients allow users to cache login information, including the username. An attacker who used a cached authentication string together with a newly reset password would need no knowledge of the client secret key, Kcv.
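The following is an added illustration, not code from the architecture described above. It models the store step and the check that defeats a replayed authentication string after an administrator password reset. The auth-string layout (Kcv || H(pwd)), SHA-256 as H, and the toy in-memory directory standing in for LDAP are all assumptions for the example.

```python
import hashlib
import hmac

def h(pwd: str) -> bytes:
    """H(pwd): the password hash. SHA-256 is assumed; the text does not fix H."""
    return hashlib.sha256(pwd.encode("utf-8")).digest()

def make_auth_string(kcv: bytes, pwd: str) -> bytes:
    """Constructed authentication string carrying Kcv and H(pwd); layout Kcv || H(pwd) is assumed."""
    return kcv + h(pwd)

def preprocess(auth: bytes) -> tuple:
    """Stand-in for the Authentication Preprocessor transformation: recover (Kcv, H(pwdc))."""
    return auth[:32], auth[32:]

class Directory:
    """Toy LDAP stand-in: a bind succeeds only with the user's *current* password."""

    def __init__(self) -> None:
        self.passwords = {}

    def set_password(self, user: str, pwd: str) -> None:
        # Also the operation a malicious administrator would perform to reset a password.
        self.passwords[user] = pwd

    def bind(self, user: str, pwd: str) -> bool:
        return self.passwords.get(user) == pwd

def store(directory: Directory, user: str, pwd: str, auth: bytes) -> dict:
    """Store step: bind to the directory, then keep Kcv and H(pwdc) extracted from the auth string."""
    if not directory.bind(user, pwd):
        raise PermissionError("directory bind failed")
    kcv, h_pwdc = preprocess(auth)
    return {"kcv": kcv, "h_pwdc": h_pwdc}

def access(directory: Directory, record: dict, user: str, pwd: str, auth: bytes) -> bool:
    """Grant access only if the bind succeeds AND the hash inside the presented auth string
    matches the hash of the password used for that bind. A cached auth string replayed after
    an administrator reset still carries H(pwdc) of the old password, so the second check fails."""
    if not directory.bind(user, pwd):
        return False
    kcv, h_pwd_in_auth = preprocess(auth)
    return (hmac.compare_digest(kcv, record["kcv"])
            and hmac.compare_digest(h_pwd_in_auth, h(pwd)))
```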