Important: The information in this document is obsolete and should not be used for new development.
The Authentication Process
This section describes the general strategy of the authentication process. Understanding what this process entails can be helpful in understanding the meaning and use of the parameters that you get from the authentication server and pass to ASDSP.

The initiator and the recipient each have a private key. The private key, also called a user key or client key, is a number that is derived from a password; the number is used by an encryption algorithm.
The initiator calls the authentication server to request information and credentials to be used by ASDSP in establishing an authenticated session. The credentials contain the information that is required to prove that the users at both ends of the connection are who they claim to be. The user of the initiator ASDSP client application gives the authentication server his own name or identity and that of the user of the recipient ASDSP client application.

The authentication server returns to the initiator a unique session key that the server generates exclusively for use by the authentication process for this session; the session key is valid for a limited time only. The authentication server also returns to the initiator a set of credentials that are encrypted in the recipient's private key. The credentials also contain the session key and the initiator's identity, as well as the identity of an intermediary or proxy, if one was used to obtain the credentials from the authentication server.

The initiator passes a block of data containing the credentials to ASDSP, and ASDSP on the initiator's end sends the credentials to ASDSP on the recipient's end. ASDSP on the recipient's end has the recipient's private key, which it uses to decrypt the entire credentials block and obtain the session key. It then uses the session key in the authentication process that it performs on behalf of the recipient. If the authentication process succeeds, ASDSP returns all of the credentials to the recipient.

Because the initiator and ASDSP on behalf of the recipient must each decrypt the session key using their own private key, each can be convinced that the other is who it claims to be if it can conclude that the other knows the session key. This need for conviction begins the challenge-and-reply authentication process that enables each end to confirm that the other end also knows the unique session key.
ASDSP performs the challenge-and-reply process on behalf of the client applications in a manner that is transparent to the applications. If the authentication process completes successfully, ASDSP opens a secure connection; if the authentication process fails, ASDSP returns an error code to both the initiator and the recipient and tears down the connection that was established to perform the authentication process. To learn more about the challenge-and-reply process, see the chapter "Authentication Manager" in Inside Macintosh: AOCE Application Programming Interfaces.