The Secure European System for Applications in a Multi-vendor Environment (SESAME) project is a single sign-on technology that was developed to extend Kerberos functionality and improve upon its weaknesses. SESAME uses both symmetric and asymmetric cryptographic techniques to protect the exchange of data and to authenticate subjects to network resources (objects). (Kerberos is a strictly symmetric key-based technology.)

Kerberos uses tickets for authenticating subjects to objects; SESAME uses privileged attribute certificates (PACs), which contain the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from the trusted authentication server, which is referred to as the privilege attribute server (PAS). The PAS holds a role similar to that of the KDC within Kerberos. After a user successfully authenticates to the authentication service (AS), she is presented with a token to give to the PAS. The PAS then creates a PAC for the user to present to the resource she is trying to access.