Armor key negotiation in FAST

Greg Hudson ghudson at MIT.EDU
Thu Jan 16 15:32:22 EST 2014


On 01/16/2014 02:46 PM, venkyA wrote:
> The authenticator, which is encrypted with the session key, would establish
> the identity of the user. Why do we need armoring in a TGS-REQ, and how is
> it done?

RFC 6113 section 5.4.2 specifies this in the second point of the bullet
list.  The authenticator in the PA-TGS-REQ is used to compute the armor
key; this is called "implicit armor."  The KrbFastArmoredReq pa-data
omits the armor field, so it contains only a req-checksum and an
enc-fast-req.

The benefits of FAST for TGS are less significant than for AS, but it
does tighten up some security properties of the TGS exchange,
authenticating fields which are currently unauthenticated.

