signing-key for AD-KDC-ISSUED
Peter Mogensen
apm at one.com
Tue Jun 3 11:43:57 EDT 2014
On 2014-06-03 16:52, Greg Hudson wrote:
> On 06/03/2014 04:29 AM, Peter Mogensen wrote:
>> This seems to be conflicting. First it says the signing-key is the
>> session-key, then it says it's the service-key used to encrypt the ticket.
>
> I don't think AD-KDC-issued is really used much,
Yes... but it's required for RFC6806 AD-LOGIN-ALIAS (although the RFC
doesn't explicitly say "MUST")
> From a security perspective, I don't think it really matters whether the
> ticket session key or the service key is used. The former provides a
> slightly more direct guarantee that the authdata originated with the
> specific ticket it is included in, but anyone with the service key can
> print up a complete ticket with a chosen session key, so it shouldn't
> matter either way.
I think the security reasoning behind using the session key is somewhat
more complex than using the service-key (like AD-CAMMAC).
After all... it requires some more thought to reason about when trying to
protect something from client tampering with a key you know the client
knows. :)
But on the other hand... using the service-key results in much more
complex client side validation of AD-KDC-ISSUED. ... since when you get
the krb5_ticket from krb5_rd_req() you usually don't have the
service-key at hand, but need to find it in the keytab. Using the ticket
session-key is a lot easier.
/Peter
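The following is an added example, not code from this thread or from MIT Kerberos, that models the verification being discussed: the KDC puts a keyed checksum over the 'elements' into an AD-KDC-ISSUED container, and the service recomputes it from the decrypted ticket. It is a simplified model with labelled assumptions: HMAC-SHA256 stands in for the Kerberos checksum type, canonical JSON stands in for the DER encoding of AuthorizationData, the key usage number is folded into the checksum input rather than into key derivation, and the ticket's encryption under the service key is not modelled at all. The last point is exactly what the final two functions illustrate: with the session-key reading, a verifier needs nothing beyond the krb5_ticket it already holds, a tampered element fails, a verifier keyed with the service key rejects a valid element (so the two readings of the text are not interchangeable), and a party that can rewrite the ticket body and knows the session key can re-sign, which in real Kerberos is prevented only by the ticket body being encrypted under the service key.

```python
import copy
import hashlib
import hmac
import json

AD_TYPE_KDC_ISSUED = 4   # ad-type number of AD-KDC-ISSUED in RFC 4120
KU_AD_KDC_ISSUED = 19    # key usage number of its ad-checksum in RFC 4120


def encode_elements(elements):
    """Assumption: canonical JSON stands in for DER(AuthorizationData)."""
    return json.dumps(elements, sort_keys=True, separators=(",", ":")).encode()


def ad_checksum(key, elements):
    """Keyed checksum over the elements. Assumption: HMAC-SHA256 stands in
    for the mandatory checksum type of the key's enctype, and the key usage
    is prefixed to the input instead of being used for key derivation."""
    msg = KU_AD_KDC_ISSUED.to_bytes(4, "big") + encode_elements(elements)
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_kdc_issued(key, elements, i_realm, i_sname):
    """Build the AD-KDC-ISSUED container as the KDC would (model)."""
    return {
        "ad-type": AD_TYPE_KDC_ISSUED,
        "ad-checksum": ad_checksum(key, elements),
        "i-realm": i_realm,
        "i-sname": i_sname,
        "elements": elements,
    }


def verify_kdc_issued(key, ad):
    """Recompute the checksum with the given key; constant-time compare."""
    if ad.get("ad-type") != AD_TYPE_KDC_ISSUED:
        return False
    return hmac.compare_digest(ad["ad-checksum"], ad_checksum(key, ad["elements"]))


def kdc_issue_ticket(session_key, elements, realm="EXAMPLE.COM"):
    """Model of the decrypted ticket body (what krb5_rd_req hands back as
    enc_part2): only the session key and the authorization data are kept.
    The checksum is keyed with the ticket session key (the session-key
    reading of RFC 4120 discussed in the thread)."""
    return {
        "session_key": session_key,
        "authorization_data": [
            make_kdc_issued(session_key, elements, realm, "krbtgt/" + realm),
        ],
    }


def service_verify_kdc_issued(ticket):
    """Service side, session-key variant: nothing beyond the decrypted ticket
    is needed (no keytab lookup). Returns the verified elements of every
    AD-KDC-ISSUED container, or None if any container fails."""
    verified = []
    for ad in ticket["authorization_data"]:
        if ad.get("ad-type") != AD_TYPE_KDC_ISSUED:
            continue
        if not verify_kdc_issued(ticket["session_key"], ad):
            return None
        verified.extend(ad["elements"])
    return verified


def tamper_elements(ticket):
    """Edit an element without touching the checksum: must fail to verify."""
    t = copy.deepcopy(ticket)
    t["authorization_data"][0]["elements"][0]["alias"] = "admin@EXAMPLE.COM"
    return t


def tamper_and_resign(ticket):
    """Edit an element and recompute the checksum with the session key.
    This verifies in the model; in Kerberos proper it requires rewriting the
    ticket body, which is encrypted under the service key."""
    t = tamper_elements(ticket)
    ad = t["authorization_data"][0]
    ad["ad-checksum"] = ad_checksum(t["session_key"], ad["elements"])
    return t


if __name__ == "__main__":
    # Constructed sample keys and a constructed login-alias element; the
    # numeric ad-type of AD-LOGIN-ALIAS is not modelled, only its name.
    session_key = bytes(range(32))
    service_key = bytes(reversed(range(32)))
    elements = [{"ad-type": "AD-LOGIN-ALIAS", "alias": "alice@EXAMPLE.COM"}]
    ticket = kdc_issue_ticket(session_key, elements)
    print("valid ticket:", service_verify_kdc_issued(ticket))
    print("keyed with service key instead:",
          verify_kdc_issued(service_key, ticket["authorization_data"][0]))
    print("tampered:", service_verify_kdc_issued(tamper_elements(ticket)))
    print("tampered and re-signed:", service_verify_kdc_issued(tamper_and_resign(ticket)))
```

Running the module prints the verified alias for the untouched ticket, False for verification keyed with the service key, None for the tampered ticket, and the forged alias for the re-signed one.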