def process_request(self, request):
http_service = request[0]
tgt = request[1]
authenticator = request[2]
nonce = request[3]
# check http service validity
tgt = decrypt(tgt, self.database.key, self.database.tgt_nonce)
authenticator = decrypt(authenticator, self.database.tgs_session_key,
nonce)
# check authenticator validity
if authenticator[0] != tgt[0]:
raise Exception("Invalid authenticator")
# check lifetime validity
t1 = datetime.fromisoformat(tgt[3].decode())
t2 = datetime.fromisoformat(authenticator[1].decode())
if (t2 - t1).total_seconds() > 30 * 5:
raise Exception("Ticket has expired")
self.database.http_session_key = create_random_16_bytes()
http_ticket = [
http_service, tgt[0], tgt[1],
datetime.now(), tgt[2], self.database.http_session_key
]
self.database.http_nonce = create_random_16_bytes()
enc_ticket = encrypt(http_ticket, self.database.http_key,
self.database.http_nonce)
enc_session_key = encrypt(self.database.http_session_key,
self.database.tgs_session_key,
self.database.http_nonce)
return [enc_ticket, enc_session_key, self.database.http_nonce]
def process_request(self, request):
"""
Processes authentication request.
If the request is valid, returns encrypted TGT and TGT session key
"""
# check if a user is valid
if request[0] not in self.database.users:
raise KeyError("Invalid User")
# client ID, client IP, ticket lifetime, time, TGS session key
self.database.tgs_session_key = create_random_16_bytes()
tgt = [
request[0], request[1], request[2],
datetime.now(), self.database.tgs_session_key
]
self.database.tgt_nonce = create_random_16_bytes()
enc_tgt = encrypt(tgt, self.database.key, self.database.tgt_nonce)
enc_session_key = encrypt(self.database.tgs_session_key,
self.database.users[request[0]],
self.database.tgt_nonce)
return (enc_tgt, enc_session_key, self.database.tgt_nonce
) # encrypt tgs session key with client secret
def __init__(self):
"""
Creates the database and the two components of the trusted server, along with their secret key
"""
self.database = KDC()
self.auth = Auth_Server(self.database)
self.TGS = TGS(self.database)
self.database.key = create_random_16_bytes() #secret server key
self.database.http_key = create_random_16_bytes()
def get_HTTP_request(self, http_service_type, lifetime):
"""
Returns the HTTP request which will be sent to TGT server. This includes the service,
the TGT, and an authenticator. Encrypted with tgs session key
"""
self.service_request = http_service_type
self.create_authenticator()
self.nonce = create_random_16_bytes()
return [http_service_type, self.tgt, encrypt(self.current_authenticator,self.tgs_session_key, self.nonce), self.nonce]
def contact_HTTP_server(self):
"""
First message to the HTTP server. Includes an authenticator and the http ticket
returned by the TGT. Encrypted with HTTP session key
"""
self.create_authenticator()
self.nonce = create_random_16_bytes()
enc_auth = encrypt(self.current_authenticator, self.http_session_key, self.nonce)
return [ enc_auth, self.http_ticket, self.nonce]
def process_client_request(self, client_request):
""" Verifies that the client request is valid. Extracts https session key"""
client_nonce = client_request[-1]
http_ticket = decrypt(client_request[1], self.secret_key, self.nonce)
self.session_key = http_ticket[-1]
client_authenticator = decrypt(client_request[0], self.session_key,
client_nonce)
if (client_authenticator[0] not in self.past_authenticators):
# add to past authenticators
if (self.verify_ticket(client_authenticator, http_ticket)):
self.create_authenticator()
nonce = create_random_16_bytes()
enc_auth = encrypt(self.current_authenticator,
self.session_key, nonce)
return [enc_auth, nonce]
return None