Armor key negotiation in FAST

venkyA subramanian.av at hotmail.com
Thu Jan 16 17:04:42 EST 2014


Thanks for the reply Greg.

Just to make sure I have understood it clearly.

The user's TGT that goes in the pa-tgs-req along with the authenticator contains the subkey.

This subkey & the session key from the user's TGT are used to get the armor key.

This armor key is then used to encrypt the authenticator which is already encrypted by the session key?
________________________________
From: Greg Hudson [via Kerberos]<mailto:ml-node+s996246n39328h84 at n3.nabble.com>
Sent: 17-01-2014 02:07
To: venkyA<mailto:subramanian.av at hotmail.com>
Subject: Re: Armor key negotiation in FAST



On 01/16/2014 02:46 PM, venkyA wrote:
> The authenticator which is encrypted with session key would establish the
> identity of the user. Why we need an armoring in a TGS-REQ and how it is
> done?

RFC 6113 section 5.4.2 specifies this in the second point of the bullet
list.  The authenticator in the PA-TGS-REQ is used to compute the armor
key; this is called "implicit armor."  The KrbFastArmoredReq pa-data
omits the armor field, so it contains only a req-checksum and
an enc-fast-req.

The benefits of FAST for TGS are less significant than for AS, but it
does tighten up some security properties of the TGS exchange,
authenticating fields which are currently unauthenticated.
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos