Armor key negotiation in FAST

Greg Hudson ghudson at MIT.EDU
Fri Jan 17 13:58:23 EST 2014


On 01/17/2014 01:23 PM, venkyA wrote:
> So in case of a TGS-REQ, the armor key is used to encrypt the copy of the req-body in the outer field. Would that be a correct statement?

Yes.

> Also when the krbFastresponse is generated for the TGS-REP which is encrypted with armor key, it would contain the
>
> 1) Copy of the session key from the service ticket encrypted with session key of the user's TGT
> 2) Client Nonce
> 3) KrbFastFinished (containing the timestamp, client realm, client name, ticket checksum)

No, yes, and yes.

The strengthen-key in KrbFastResponse is not a copy of the session key.
It is a randomly chosen key which is combined with the authenticator
subkey (from the request) to produce the reply key, which encrypts the
RFC 4120 EncTGSRepPart.

The session key is located inside the EncTGSRepPart, as it would be in a
normal RFC 4120 reply.

