Armor key negotiation in FAST

Venky A subramanian.av at hotmail.com
Fri Jan 17 15:54:40 EST 2014


Greg,
 
Thanks so much for the help.
 
So for an AS-REP, would we combine the strengthen-key with the user-key to get a reply key with which we would encrypt the EncASRepPart?
 
At the receiving end, the user would get the strengthen-key by decrypting the KrbFastResponse by using the armorkey.
 
Then use the strengthen-key combined with user-key to generate the reply key to decrypt the EncASRepPart. Would that be correct to say?
 
 

 
> Date: Fri, 17 Jan 2014 13:58:23 -0500
> From: ghudson at MIT.EDU
> To: subramanian.av at hotmail.com; kerberos at mit.edu
> Subject: Re: Armor key negotiation in FAST
> 
> On 01/17/2014 01:23 PM, venkyA wrote:
> > So in case of a TGS-REQ, the armor key is used to encrypt the copy of the req-body in the outer field. Would that be a correct statement?
> 
> Yes.
> 
> > Also when the KrbFastResponse is generated for the TGS-REP which is encrypted with armor key, it would contain the
> >  
> > 1) Copy of the session key from the service ticket encrypted with session key of the user's TGT 
> > 2) Client Nonce
> > 3) KrbFastFinished ( containing the timestamp, client realm, client name, ticket checksum )
> 
> No, yes, and yes.
> 
> The strengthen-key in KrbFastResponse is not a copy of the session key.
> It is a randomly chosen key which is combined with the authenticator
> subkey (from the request) to produce the reply key, which encrypts the
> RFC 4120 EncTGSRepPart.
> 
> The session key is located inside the EncTGSRepPart, as it would be in a
> normal RFC 4120 reply.
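
The key combination described in the quoted reply (strengthen-key plus authenticator subkey giving the reply key) follows the KRB-FX-CF2 construction from RFC 6113. The sketch below is an added example, not code from either poster or from MIT krb5; it assumes 256-bit raw keys and swaps in HMAC-SHA256 for the enctype-specific PRF, so its output will not match a real KDC, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumption: 256-bit keys, as for an AES256 enctype


def prf(key: bytes, data: bytes) -> bytes:
    # Stand-in PRF (HMAC-SHA256). A real KDC uses the enctype's RFC 3961 PRF.
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, pepper: bytes, length: int) -> bytes:
    # RFC 6113 PRF+: PRF(key, 1 || pepper) || PRF(key, 2 || pepper) || ...
    # with the counter encoded as a single octet.
    out, counter = b"", 1
    while len(out) < length:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:length]


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    # XOR the two PRF+ streams; random-to-key is treated as the identity here.
    a = prf_plus(k1, pepper1, KEY_LEN)
    b = prf_plus(k2, pepper2, KEY_LEN)
    return bytes(x ^ y for x, y in zip(a, b))


def fast_reply_key(strengthen_key: bytes, base_key: bytes) -> bytes:
    # Combine the strengthen-key with the key that would otherwise protect
    # the reply (for a TGS-REP, the authenticator subkey from the request).
    return krb_fx_cf2(strengthen_key, base_key, b"strengthenkey", b"replykey")


def demo() -> bool:
    subkey = secrets.token_bytes(KEY_LEN)          # client: sent in the authenticator
    strengthen_key = secrets.token_bytes(KEY_LEN)  # KDC: fresh random key per reply
    kdc_reply_key = fast_reply_key(strengthen_key, subkey)
    # The client learns strengthen_key from KrbFastResponse (decrypted with the
    # armor key, not modelled here) and repeats the same derivation.
    client_reply_key = fast_reply_key(strengthen_key, subkey)
    # A different strengthen-key yields a different reply key for the same subkey.
    other = fast_reply_key(secrets.token_bytes(KEY_LEN), subkey)
    return (hmac.compare_digest(kdc_reply_key, client_reply_key)
            and kdc_reply_key != subkey and kdc_reply_key != other)
```

The session key itself never enters this derivation; it travels inside the EncTGSRepPart that the derived reply key encrypts.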
 		 	   		  

