Armor key negotiation in FAST

Greg Hudson ghudson at MIT.EDU
Mon Oct 29 10:04:22 EDT 2012

On 10/29/2012 04:26 AM, Simon.Jansen at wrote:
> 1. Obtain a TGT (called armor TGT) for the host principal without FAST armoring but with pre-authentication (encrypted timestamp)

It isn't really necessary to use preauth with a host key, but you
certainly can.

> 2. Extract the session key and the subkey from the armor TGT and build the armor key with the KRB-FX-CF2 function

You don't get the subkey from the armor TGT; you choose one randomly.

> 3. Use the built armor key for encrypting the AS conversation of the user principal and for ensuring the integrity
> Referring to the RFC standard on page 27 the KrbFastArmoredReq includes an armor field of the type KrbFastArmor that identifies the armor key. Does this field include the information which host principal was used to build the armor key or how does the KDC know which TGT was used for armoring the request?

The KrbFastArmor contains an RFC 4120 AP-REQ, which contains a Ticket
and an Authenticator.  The Ticket identifies the TGT used to armor the
request and contains the session key; the Authenticator (encrypted in
the session key) contains the subkey.  Those two pieces together allow
the KDC to construct the same armor key as the client did.

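The derivation Greg describes, as an added illustration (not code from the post or from MIT Kerberos): the client combines its randomly chosen subkey with the armor TGT's session key via KRB-FX-CF2 (RFC 6113 section 5.4.1.1), and the KDC recovers those same two inputs from the AP-REQ's Ticket and Authenticator. Assumptions: HMAC-SHA256 stands in for the enctype's RFC 3961 PRF, random-to-key is the identity (as it is for the AES enctypes), and the 32-byte keys are constructed sample values.

```python
"""Armor-key construction for Kerberos FAST (RFC 6113).

Illustrative code, not from the mailing-list post or MIT Kerberos.
Assumption: HMAC-SHA256 stands in for the enctype PRF and random-to-key
is the identity; a real stack uses the enctype's RFC 3961 pseudo_random().
"""
import hashlib
import hmac

KEY_LEN = 32  # assumed key-generation-seed length for the stand-in PRF


def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in for the enctype PRF (assumption, see module docstring).
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, pepper: bytes, length: int = KEY_LEN) -> bytes:
    """PRF+(K, S) = PRF(K, 0x01||S) || PRF(K, 0x02||S) || ... truncated to length."""
    out = b""
    counter = 1
    while len(out) < length:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:length]


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """KRB-FX-CF2 = random-to-key(KRB-FX-CF1(PRF+(K1, pepper1), PRF+(K2, pepper2))).

    KRB-FX-CF1 is a byte-wise XOR; random-to-key is the identity here (assumption).
    """
    a = prf_plus(k1, pepper1)
    b = prf_plus(k2, pepper2)
    return bytes(x ^ y for x, y in zip(a, b))


def armor_key(subkey: bytes, ticket_session_key: bytes) -> bytes:
    """armor_key = KRB-FX-CF2(subkey, ticket_session_key, "subkeyarmor", "ticketarmor")."""
    return krb_fx_cf2(subkey, ticket_session_key, b"subkeyarmor", b"ticketarmor")


def kdc_armor_key(ticket_session_key: bytes, authenticator_subkey: bytes) -> bytes:
    """KDC side: session key comes from the Ticket, subkey from the Authenticator
    (decrypted with that session key); the two are then combined exactly as the
    client did, so no extra field naming the armor TGT is needed."""
    return armor_key(authenticator_subkey, ticket_session_key)


# Constructed sample values standing in for the real TGT session key and subkey.
SAMPLE_SESSION_KEY = bytes(range(32))
SAMPLE_SUBKEY = bytes(range(100, 132))
```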