Armor key negotiation in FAST
venkyA
subramanian.av at hotmail.com
Fri Jan 17 13:23:46 EST 2014
Thanks for the quick reply. :-)
I really appreciate your help.
So in case of a TGS-REQ, the armor key is used to encrypt the copy of the req-body in the outer field. Would that be a correct statement?
Also, when the KrbFastResponse is generated for the TGS-REP, which is encrypted with the armor key, it would contain the
1) Copy of the session key from the service ticket encrypted with the session key of the user's TGT
2) Client nonce
3) KrbFastFinished (containing the timestamp, client realm, client name, ticket checksum)
Date: Thu, 16 Jan 2014 14:46:22 -0800
From: ml-node+s996246n39350h66 at n3.nabble.com
To: subramanian.av at hotmail.com
Subject: Re: Armor key negotiation in FAST
On 01/16/2014 05:04 PM, venkyA wrote:
> The user's TGT that goes in the pa-tgs-req along with authenticator contains the subkey.
> This subkey & the session key from the user's tgt is used to get the armor key.
Yes and yes.
> This armor key is then used to encrypt the authenticator which is already encrypted by the session key?
No. Look at the definition of KrbFastArmoredReq in RFC 6113. It
contains a checksum of the AP-REQ in the armor key and an encrypted
KrbFastReq. The KrbFastReq contains options, padata, and the inner
request body. The padata within the KrbFastReq does not include the
PA-TGS-REQ.