signing-key for AD-KDC-ISSUED
Greg Hudson
ghudson at MIT.EDU
Tue Jun 3 10:52:04 EDT 2014
On 06/03/2014 04:29 AM, Peter Mogensen wrote:
> This seems to be conflicting. First it says the signing-key is the
> session-key, then it says it's the service-key used to encrypt the ticket.
I don't think AD-KDC-issued is really used much, but to the extent that
we have client code for it, we (MIT krb5) assume the ticket session key
is used to sign it. I don't see any Heimdal code for AD-KDC-issued
except for an #if 0 block, and I don't think Microsoft uses it for
anything since they have the PAC.
> Using the service-key seems to make more sense and it's also what I can
> see the draft for AD-CAMMAC uses for svc-verifier.
From a security perspective, I don't think it really matters whether the
ticket session key or the service key is used. The former provides a
slightly more direct guarantee that the authdata originated with the
specific ticket it is included in, but anyone with the service key can
print up a complete ticket with a chosen session key, so it shouldn't
matter either way.
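The argument in the last paragraph, worked through as an added example (this is not code from MIT krb5, Heimdal, or any Kerberos specification): a toy model in which the KDC signs an AD-KDC-ISSUED element with either the ticket session key or the service key, and a service checks it under the same choice. The model assumes HMAC-SHA256 in place of the Kerberos keyed checksum types, JSON in place of ASN.1 DER, and a ticket enc-part that is authenticated only (the argument turns on who can produce a ticket the service accepts, not on confidentiality); the key usage numbers 2 and 19 are the RFC 4120 values and serve only as domain separators here. All function and field names are this example's own.

```python
# Toy model of the AD-KDC-ISSUED signing-key question.  Added example; not
# MIT krb5, Heimdal or RFC code.  Assumptions: HMAC-SHA256 stands in for the
# Kerberos keyed checksum types, JSON for DER, and the ticket enc-part is
# modelled as authenticated-only.
import hashlib
import hmac
import json
import os

TICKET_USAGE = 2      # RFC 4120 key usage: ticket enc-part under the service key
AD_CKSUM_USAGE = 19   # RFC 4120 key usage: AD-KDC-ISSUED ad-checksum


def keyed_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Keyed checksum with the key usage number mixed in as a domain separator."""
    return hmac.new(key, usage.to_bytes(4, "big") + data, hashlib.sha256).digest()


def encode(obj) -> bytes:
    """Deterministic stand-in for DER encoding."""
    return json.dumps(obj, sort_keys=True).encode()


def select_signing_key(mode: str, session_key: bytes, service_key: bytes) -> bytes:
    """'session': sign with the ticket session key; 'service': sign with the service key."""
    if mode == "session":
        return session_key
    if mode == "service":
        return service_key
    raise ValueError("mode must be 'session' or 'service'")


def make_kdc_issued(signing_key: bytes, elements: list) -> dict:
    """Build an AD-KDC-ISSUED element whose ad-checksum covers 'elements'."""
    cksum = keyed_checksum(signing_key, AD_CKSUM_USAGE, encode(elements))
    return {"ad-checksum": cksum.hex(), "elements": elements}


def verify_kdc_issued(signing_key: bytes, ad: dict) -> bool:
    expected = keyed_checksum(signing_key, AD_CKSUM_USAGE, encode(ad["elements"]))
    return hmac.compare_digest(expected.hex(), ad["ad-checksum"])


def seal_ticket(service_key: bytes, session_key: bytes, authdata: list) -> dict:
    """Produce the ticket enc-part.  Only a service-key holder can do this."""
    body = encode({"key": session_key.hex(), "authorization-data": authdata})
    tag = keyed_checksum(service_key, TICKET_USAGE, body)
    return {"enc-part": body.hex(), "tag": tag.hex()}


def open_ticket(service_key: bytes, ticket: dict) -> dict:
    body = bytes.fromhex(ticket["enc-part"])
    tag = keyed_checksum(service_key, TICKET_USAGE, body)
    if not hmac.compare_digest(tag.hex(), ticket["tag"]):
        raise ValueError("enc-part was not sealed under the service key")
    return json.loads(body)


def issue_ticket(service_key: bytes, session_key: bytes, elements: list, mode: str) -> dict:
    """What a KDC (or anyone holding the service key) can do."""
    signing_key = select_signing_key(mode, session_key, service_key)
    return seal_ticket(service_key, session_key, [make_kdc_issued(signing_key, elements)])


def service_accepts(service_key: bytes, ticket: dict, mode: str) -> bool:
    """Service-side check under either choice of signing key."""
    try:
        enc = open_ticket(service_key, ticket)
    except ValueError:
        return False
    session_key = bytes.fromhex(enc["key"])
    signing_key = select_signing_key(mode, session_key, service_key)
    return all(verify_kdc_issued(signing_key, ad) for ad in enc["authorization-data"])


def outcomes(mode: str) -> dict:
    """Three parties try to get authdata accepted; returns what the service decides."""
    service_key = os.urandom(32)
    kdc_session_key = os.urandom(32)
    genuine = issue_ticket(service_key, kdc_session_key,
                           [{"ad-type": 1, "ad-data": "genuine"}], mode)

    # Service-key holder "prints up" a ticket with a chosen session key and chosen authdata.
    chosen_session_key = b"\x41" * 32
    forged = issue_ticket(service_key, chosen_session_key,
                          [{"ad-type": 1, "ad-data": "forged"}], mode)

    # Someone who knows only the session key (as the client does) can sign a new element
    # in session mode, but cannot reseal the enc-part, so the swap is caught either way.
    body = json.loads(bytes.fromhex(genuine["enc-part"]))
    body["authorization-data"] = [make_kdc_issued(kdc_session_key,
                                                  [{"ad-type": 1, "ad-data": "forged"}])]
    tampered = {"enc-part": encode(body).hex(), "tag": genuine["tag"]}

    return {
        "genuine": service_accepts(service_key, genuine, mode),
        "forged_with_service_key": service_accepts(service_key, forged, mode),
        "tampered_with_session_key_only": service_accepts(service_key, tampered, mode),
    }


if __name__ == "__main__":
    for mode in ("session", "service"):
        print(mode, outcomes(mode))
```

`outcomes` returns the same result under both modes: the genuine ticket is accepted, a service-key holder's forgery is accepted, and a swap by someone holding only the session key is rejected. That is the sense in which the choice of signing key "shouldn't matter": in either design the service key is the root of trust, and the session key adds binding to a particular ticket but no additional party that must be compromised. The model says nothing about which choice is easier to specify or interoperate on, which is a separate question.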