Armor key negotiation in FAST

Greg Hudson ghudson at MIT.EDU
Mon Oct 29 11:41:58 EDT 2012

On 10/29/2012 11:19 AM, Simon.Jansen at wrote:
> So the security of the whole tunnel is based on the strength of the long-term host key.
>
> Theoretically, an attacker would be able to obtain a host TGT that is encrypted with the host key, because pre-authentication is in most cases not required. On that TGT he can start offline attacks to get the key that was used for encryption. If he gets the key he can decrypt other requests and is able to get the session keys of other conversations, and with the session key he can get the subkey from the authenticator. Finally the attacker has all information needed to rebuild the armor key and is thus able to decrypt FAST-tunneled messages. Remember, everything is theoretical, regardless of the time needed to find the correct host key.

That sounds correct.  An attacker who can mount a successful offline
attack against a randomly chosen key would probably start with the
realm's TGT key, of course.

> Is there a special reason why a complete new key is created for armoring the requests? Why isn't just the session key used?

So that each FAST conversation uses a different armor key, even if it
uses the same TGT for armor.  That prevents an attacker from replaying a
KDC response from one conversation into another.  See the second-to-last
paragraph of section 5.4.
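As an added illustration (not part of the original mail or of any Kerberos implementation), the following sketches the RFC 6113 armor-key derivation KRB-FX-CF2(subkey, ticket session key, "subkeyarmor", "ticketarmor") and checks the replay property described above. The RFC 3961 enctype PRF is replaced by an HMAC-SHA-256 counter construction as a stand-in, and the HMAC "seal" stands in for real FAST armoring; key length and sample keys are constructed.

```python
"""KRB-FX-CF2 armor-key derivation (RFC 6113 sections 5.1 and 5.4.1.1), illustrative.

Real implementations use the PRF+ of the ticket's enctype (RFC 3961 PRF); here an
HMAC-SHA-256 counter construction is a stand-in for PRF+, and random-to-key is the
identity, as it is for the AES enctypes. The seal/open pair is a stand-in for armoring.
"""
import hashlib
import hmac
import os

KEY_LEN = 16  # constructed: aes128 key size in bytes


def prf_plus(key: bytes, data: bytes, n: int) -> bytes:
    """PRF+ per RFC 6113 5.1: PRF(key, 0x01||data) || PRF(key, 0x02||data) || ...
    truncated to n bytes. HMAC-SHA-256 stands in for the enctype PRF (assumption)."""
    out, counter = b"", 1
    while len(out) < n:
        out += hmac.new(key, bytes([counter]) + data, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """KRB-FX-CF2(K1, K2, P1, P2) = random-to-key(PRF+(K1, P1) XOR PRF+(K2, P2))."""
    a = prf_plus(k1, pepper1, KEY_LEN)
    b = prf_plus(k2, pepper2, KEY_LEN)
    return bytes(x ^ y for x, y in zip(a, b))


def armor_key(subkey: bytes, ticket_session_key: bytes) -> bytes:
    """Armor key for a TGT-armored FAST conversation: the authenticator subkey is
    mixed with pepper "subkeyarmor", the ticket session key with "ticketarmor"."""
    return krb_fx_cf2(subkey, ticket_session_key, b"subkeyarmor", b"ticketarmor")


def seal(armor: bytes, msg: bytes) -> bytes:
    """Stand-in for armoring: authenticate the message under the armor key."""
    return hmac.new(armor, msg, hashlib.sha256).digest() + msg


def open_armored(armor: bytes, blob: bytes):
    """Return the message if the tag verifies under this armor key, else None."""
    tag, msg = blob[:32], blob[32:]
    expected = hmac.new(armor, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(tag, expected) else None


def replay_rejected(session_key: bytes) -> bool:
    """Two conversations reuse the same TGT (same session key) but pick fresh
    authenticator subkeys; a KDC reply armored in the first must not open in the second."""
    k1 = armor_key(os.urandom(KEY_LEN), session_key)
    k2 = armor_key(os.urandom(KEY_LEN), session_key)
    reply = seal(k1, b"KDC-REP for conversation 1")  # constructed payload
    return open_armored(k1, reply) is not None and open_armored(k2, reply) is None
```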
