Armor key negotiation in FAST
Greg Hudson
ghudson at MIT.EDU
Fri Jan 17 15:57:46 EST 2014
On 01/17/2014 03:54 PM, Venky A wrote:
> So for a AS-REP, would we combine the strengthen-key with the user-key
> to get a reply key with which we would encrypt the EncASRepPart?
Typically yes. If a preauthentication mechanism has altered the reply
key, then strengthen-key would be combined with whatever the new reply
key is. But in a typical encrypted challenge scenario, the strength-key
would be combined with the long-term key to produce the reply key.
> At the receiving end, the user would get the strengthen-key by
> decrypting the KrbFastResponse by using the armorkey.
>
> Then use the strengthen-key combined with user-key to generate the reply
> key to decrypt the EncASRepPart. Would that be correct to say?
Correct, with the same caveat.
More information about the Kerberos
mailing list