On getting the subkey from EncAPRepPart

Greg Hudson ghudson at MIT.EDU
Thu Feb 6 00:35:43 EST 2014


On 02/05/2014 07:12 PM, Prakash Narayanaswamy wrote:
> We got the session key using the GSS API
> gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY)
[...]
> Now for the question: Does the aforementioned API return the subkey from
> EncAPRepPart of the KRB_AP_REP message

Yes, it does return the acceptor subkey if there is one.

If you want to look at the GSS security context in more detail, you can
use gss_krb5_export_lucid_sec_context, which will let you know whether
the context is using the RFC 1964 or RFC 4121 protocol, and will let you
look at both the initiator subkey (or ticket session key if there wasn't
one) and the acceptor subkey.  But I don't think you should need to do
so except as a debugging aid.

