Armor key negotiation in FAST

Greg Hudson ghudson at MIT.EDU
Fri Nov 23 16:47:41 EST 2012

On 11/23/2012 04:14 AM, Simon.Jansen at wrote:
>> The privileged process needs to provide the sub-session key to the unprivileged process.  (If you reread that sentence, it says that three pieces of information are given, not two.)
> Oh, I'm sorry. You are right. I interpreted the sentence in a wrong way. 
> But the question is still there. If the unprivileged process builds the armor key it needs the ticket session key. How is it ensured that the user process gets the key?

I think you're right; the privileged process needs to communicate either
the ticket session key (in which case the client can choose the
sub-session key and construct the authenticator) or the armor key.
That's not stated in the RFC text.

