Armor key negotiation in FAST
Venky A
subramanian.av at hotmail.com
Fri Jan 17 15:54:40 EST 2014
Greg,
Thanks so much for the help.
So for a AS-REP, would we combine the strengthen-key with the user-key to get a reply key with which we would encrypt the EncASRepPart?
At the receiving end, the user would get the strengthen-key by decrypting the KrbFastResponse by using the armorkey.
Then use the strengthen-key combined with user-key to generate the reply key to decrypt the EncASRepPart. Would that be correct to say?
> Date: Fri, 17 Jan 2014 13:58:23 -0500
> From: ghudson at MIT.EDU
> To: subramanian.av at hotmail.com; kerberos at mit.edu
> Subject: Re: Armor key negotiation in FAST
>
> On 01/17/2014 01:23 PM, venkyA wrote:
> > So in case of a TGS-REQ, the armor key is used to encrypt the copy of the req-body in the outer field. Would that be a correct statement?
>
> Yes.
>
> > Also when the krbFastresponse is generated for the TGS-REP which is encrypted with armor key, it would contain the
> >
> > 1) Copy of the session key from the service ticket encrypted with session key of the user's TGT
> > 2) Client Nonce
> > 3) KrbFastFinished ( containing the timestamp, client realm, client name, ticket checksum )
>
> No, yes, and yes.
>
> The strengthen-key in KrbFastResponse is not a copy of the session key.
> It is a randomly chosen key which is combined with the authenticator
> subkey (from the request) to produce the reply key, which encrypts the
> RFC 4120 EncTGSRepPart.
>
> The session key is located inside the EncTGSRepPart, as it would be in a
> normal RFC 4120 reply.
More information about the Kerberos
mailing list