def process_request(self, request): http_service = request[0] tgt = request[1] authenticator = request[2] nonce = request[3] # check http service validity tgt = decrypt(tgt, self.database.key, self.database.tgt_nonce) authenticator = decrypt(authenticator, self.database.tgs_session_key, nonce) # check authenticator validity if authenticator[0] != tgt[0]: raise Exception("Invalid authenticator") # check lifetime validity t1 = datetime.fromisoformat(tgt[3].decode()) t2 = datetime.fromisoformat(authenticator[1].decode()) if (t2 - t1).total_seconds() > 30 * 5: raise Exception("Ticket has expired") self.database.http_session_key = create_random_16_bytes() http_ticket = [ http_service, tgt[0], tgt[1], datetime.now(), tgt[2], self.database.http_session_key ] self.database.http_nonce = create_random_16_bytes() enc_ticket = encrypt(http_ticket, self.database.http_key, self.database.http_nonce) enc_session_key = encrypt(self.database.http_session_key, self.database.tgs_session_key, self.database.http_nonce) return [enc_ticket, enc_session_key, self.database.http_nonce]
def process_request(self, request): """ Processes authentication request. If the request is valid, returns encrypted TGT and TGT session key """ # check if a user is valid if request[0] not in self.database.users: raise KeyError("Invalid User") # client ID, client IP, ticket lifetime, time, TGS session key self.database.tgs_session_key = create_random_16_bytes() tgt = [ request[0], request[1], request[2], datetime.now(), self.database.tgs_session_key ] self.database.tgt_nonce = create_random_16_bytes() enc_tgt = encrypt(tgt, self.database.key, self.database.tgt_nonce) enc_session_key = encrypt(self.database.tgs_session_key, self.database.users[request[0]], self.database.tgt_nonce) return (enc_tgt, enc_session_key, self.database.tgt_nonce ) # encrypt tgs session key with client secret
def __init__(self): """ Creates the database and the two components of the trusted server, along with their secret key """ self.database = KDC() self.auth = Auth_Server(self.database) self.TGS = TGS(self.database) self.database.key = create_random_16_bytes() #secret server key self.database.http_key = create_random_16_bytes()
def get_HTTP_request(self, http_service_type, lifetime): """ Returns the HTTP request which will be sent to TGT server. This includes the service, the TGT, and an authenticator. Encrypted with tgs session key """ self.service_request = http_service_type self.create_authenticator() self.nonce = create_random_16_bytes() return [http_service_type, self.tgt, encrypt(self.current_authenticator,self.tgs_session_key, self.nonce), self.nonce]
def contact_HTTP_server(self): """ First message to the HTTP server. Includes an authenticator and the http ticket returned by the TGT. Encrypted with HTTP session key """ self.create_authenticator() self.nonce = create_random_16_bytes() enc_auth = encrypt(self.current_authenticator, self.http_session_key, self.nonce) return [ enc_auth, self.http_ticket, self.nonce]
def process_client_request(self, client_request): """ Verifies that the client request is valid. Extracts https session key""" client_nonce = client_request[-1] http_ticket = decrypt(client_request[1], self.secret_key, self.nonce) self.session_key = http_ticket[-1] client_authenticator = decrypt(client_request[0], self.session_key, client_nonce) if (client_authenticator[0] not in self.past_authenticators): # add to past authenticators if (self.verify_ticket(client_authenticator, http_ticket)): self.create_authenticator() nonce = create_random_16_bytes() enc_auth = encrypt(self.current_authenticator, self.session_key, nonce) return [enc_auth, nonce] return None