signing-key for AD-KDC-ISSUED

Greg Hudson ghudson at MIT.EDU
Tue Jun 3 10:52:04 EDT 2014


On 06/03/2014 04:29 AM, Peter Mogensen wrote:
> This seems to be conflicting. First it says the signing-key is the 
> session-key, then it says it's the service-key used to encrypt the ticket.

I don't think AD-KDC-issued is really used much, but to the extent that
we have client code for it, we (MIT krb5) assume the ticket session key
is used to sign it.  I don't see any Heimdal code for AD-KDC-issued
except for an #if 0 block, and I don't think Microsoft uses it for
anything since they have the PAC.

> Using the service-key seems to make more sense and it's also what I can 
> see the draft for AD-CAMMAC uses for svc-verifier.

From a security perspective, I don't think it really matters whether the
ticket session key or the service key is used.  The former provides a
slightly more direct guarantee that the authdata originated with the
specific ticket it is included in, but anyone with the service key can
print up a complete ticket with a chosen session key, so it shouldn't
matter either way.
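The argument above, that a holder of the service key can mint a whole ticket with a session key of its choosing and so gains nothing from either signing-key reading, is easy to watch in a toy model. The example below is added to this archive page and is not code from MIT krb5, Heimdal or the thread participants. It assumes HMAC-SHA256 as a stand-in for the Kerberos keyed checksum, a throwaway HMAC-based stream cipher with a tag as a stand-in for encrypting the ticket's enc-part under the service key, and JSON in place of DER; the function names (make_ticket, verify_ticket, forgery_accepted, interop) and the sample authorization-data elements are constructed for the illustration. The "session" mode is the reading Greg attributes to MIT krb5, "service" is the reading Peter proposes.

```python
"""Toy model of AD-KDC-ISSUED signing (added illustration, not Kerberos code).

HMAC-SHA256 stands in for the keyed ad-checksum, a small HMAC-based stream
cipher with an integrity tag stands in for ticket encryption under the
service key, and JSON stands in for DER. None of this is real Kerberos crypto.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32
AD_KDC_ISSUED = 4  # ad-type value from RFC 4120 section 7.5.4


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Stand-in for the ad-checksum inside AD-KDC-ISSUED (RFC 4120 5.2.6.2)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC; toy only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the enc-part, which real Kerberos
    enctypes also integrity-protect (RFC 3961)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def encode_elements(elements: list) -> bytes:
    """Canonical encoding of the signed 'elements' AuthorizationData (stand-in for DER)."""
    return json.dumps(elements, sort_keys=True, separators=(",", ":")).encode()


def make_ticket(service_key: bytes, session_key: bytes, elements: list, signing: str) -> bytes:
    """Build a ticket whose enc-part carries the session key and one AD-KDC-ISSUED
    container. signing is "session" (sign with the ticket session key) or
    "service" (sign with the key the ticket is encrypted in)."""
    signing_key = session_key if signing == "session" else service_key
    enc_part = {
        "key": session_key.hex(),
        "authorization-data": [{
            "ad-type": AD_KDC_ISSUED,
            "ad-checksum": keyed_checksum(signing_key, encode_elements(elements)).hex(),
            "elements": elements,
        }],
    }
    return toy_encrypt(service_key, json.dumps(enc_part).encode())


def verify_ticket(service_key: bytes, ticket: bytes, signing: str):
    """Service-side check: decrypt, then verify ad-checksum with the key the
    verifier believes signs AD-KDC-ISSUED. Returns the elements, or None."""
    try:
        enc_part = json.loads(toy_decrypt(service_key, ticket))
    except ValueError:
        return None
    session_key = bytes.fromhex(enc_part["key"])
    signing_key = session_key if signing == "session" else service_key
    container = enc_part["authorization-data"][0]
    expected = keyed_checksum(signing_key, encode_elements(container["elements"]))
    if not hmac.compare_digest(expected, bytes.fromhex(container["ad-checksum"])):
        return None
    return container["elements"]


def forgery_accepted(signing: str) -> bool:
    """A holder of the service key prints a complete ticket with a chosen
    session key and chosen elements; True if the service accepts it."""
    service_key = os.urandom(32)
    honest = [{"ad-type": 1, "data": "group:users"}]      # constructed sample
    forged = [{"ad-type": 1, "data": "group:admins"}]     # constructed sample
    assert verify_ticket(service_key, make_ticket(service_key, os.urandom(32), honest, signing), signing) == honest
    ticket = make_ticket(service_key, os.urandom(32), forged, signing)  # attacker picks the session key
    return verify_ticket(service_key, ticket, signing) == forged


def interop(issuer_signing: str, verifier_signing: str) -> bool:
    """Peter's original question: a KDC and a service that read the spec
    differently do not interoperate. True if the honest ticket is accepted."""
    service_key = os.urandom(32)
    elements = [{"ad-type": 1, "data": "group:users"}]  # constructed sample
    ticket = make_ticket(service_key, os.urandom(32), elements, issuer_signing)
    return verify_ticket(service_key, ticket, verifier_signing) == elements


if __name__ == "__main__":
    for mode in ("session", "service"):
        print(f"service-key holder forgery accepted under {mode}-key signing:", forgery_accepted(mode))
    print("KDC signs with session key, service checks service key:", interop("session", "service"))
```

Both forgeries verify, which is the point of the message: whichever key signs AD-KDC-ISSUED, the container lives inside an enc-part that only the service key can produce, so the service key already bounds what an attacker can do. The interop call shows why the wording still matters in practice: a KDC and a service that pick different readings reject each other's tickets.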


More information about the Kerberos mailing list