Armor key negotiation in FAST
Greg Hudson
ghudson at MIT.EDU
Thu Jan 16 17:41:01 EST 2014
On 01/16/2014 05:04 PM, venkyA wrote:
> The user's TGT that goes in the pa-tgs-req along with the authenticator contains the subkey.
> This subkey & the session key from the user's TGT are used to get the armor key.
Yes and yes.
> This armor key is then used to encrypt the authenticator which is already encrypted by the session key?
No. Look at the definition of KrbFastArmoredReq in RFC 6113. It
contains a checksum of the AP-REQ in the armor key and an encrypted
KrbFastReq. The KrbFastReq contains options, padata, and the inner
request body. The padata within the KrbFastReq does not include the
PA-TGS-REQ.
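
The layout described in the reply above, as an added example that is not part of the original post or of any Kerberos implementation: the AP-REQ stays in the outer PA-TGS-REQ and is only checksummed under the armor key, while the KrbFastReq is what gets encrypted. Assumptions: HMAC-SHA256 and a SHAKE-256 keystream stand in for the enctype's PRF+, checksum and EncryptedData, JSON stands in for ASN.1 DER, and all function names are hypothetical.

```python
import hashlib, hmac, json, os

PA_TGS_REQ, PA_FX_FAST = 1, 136            # padata types (RFC 4120, RFC 6113)
KU_FAST_REQ_CHKSUM, KU_FAST_ENC = 50, 51   # key usage numbers (RFC 6113)

def _prf(key, pepper):
    # Stand-in for the enctype-specific PRF+; not interoperable with real Kerberos.
    return hmac.new(key, pepper, hashlib.sha256).digest()

def fx_cf2(k1, k2, p1, p2):
    # Shape of KRB-FX-CF2: PRF+(k1, p1) XOR PRF+(k2, p2)
    return bytes(a ^ b for a, b in zip(_prf(k1, p1), _prf(k2, p2)))

def _mac(key, usage, data):
    return hmac.new(key, bytes([usage]) + data, hashlib.sha256).digest()

def _seal(key, usage, plain):
    # Toy encrypt-then-MAC standing in for Kerberos EncryptedData.
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + bytes([usage]) + nonce).digest(len(plain))
    body = nonce + bytes(a ^ b for a, b in zip(plain, stream))
    return body + _mac(key, usage, body)

def _open(key, usage, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, usage, body)):
        raise ValueError("enc-fast-req integrity failure")
    stream = hashlib.shake_256(key + bytes([usage]) + body[:16]).digest(len(body) - 16)
    return bytes(a ^ b for a, b in zip(body[16:], stream))

def build_armored_tgs_req(subkey, session_key, ap_req, inner_padata, req_body):
    armor_key = fx_cf2(subkey, session_key, b"subkeyarmor", b"ticketarmor")
    fast_req = json.dumps({"padata": inner_padata, "req-body": req_body}).encode()
    armored = {"req-checksum": _mac(armor_key, KU_FAST_REQ_CHKSUM, ap_req),
               "enc-fast-req": _seal(armor_key, KU_FAST_ENC, fast_req)}
    # The AP-REQ is not re-encrypted: it rides in the outer padata as PA-TGS-REQ.
    return {"padata": {PA_TGS_REQ: ap_req, PA_FX_FAST: armored}}

def kdc_unwrap(req, subkey, session_key):
    # KDC side: subkey and session key come from processing the AP-REQ (not modelled).
    armor_key = fx_cf2(subkey, session_key, b"subkeyarmor", b"ticketarmor")
    ap_req, fast = req["padata"][PA_TGS_REQ], req["padata"][PA_FX_FAST]
    expected = _mac(armor_key, KU_FAST_REQ_CHKSUM, ap_req)
    if not hmac.compare_digest(fast["req-checksum"], expected):
        raise ValueError("req-checksum does not match the AP-REQ")
    return json.loads(_open(armor_key, KU_FAST_ENC, fast["enc-fast-req"]))
```

Because the checksum covers the AP-REQ, replacing the outer PA-TGS-REQ after the request is built makes `kdc_unwrap` fail before anything is decrypted.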