RFC 4121 & acceptor subkey use in MIC token generation
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Oct 25 12:16:15 EDT 2023
On Wed, Oct 25, 2023, 11:59 Nico Williams <nico at cryptonector.com> wrote:
> On Wed, Oct 25, 2023 at 08:51:29AM -0400, Ken Hornstein wrote:
> > I think we've lost the thread here; I do not think that any krb5
> > mechanism today ever asserts PROT_READY before GSS_S_COMPLETE, but I
> > would love to be proven wrong.
>
> That's the whole point of being able to use the initiator sub-session
> key: to allow the Kerberos GSS mechanism to assert PROT_READY on the
> first call to GSS_Init_sec_context() even when mutual auth is requested.
>
> Yes, RFC 4121 didn't say so, but it's the point.
>
Yeah; IIRC that was to allow cases where the initiator would send the first
context token in the same packet/message with early data, such as a MIC
binding the exchange to some channel. In retrospect, perhaps it has caused
more trouble than it was worth. We didn't use this in RFC 4462 userauth,
which doesn't use mutual anyway.
In any case, I think the behavior Ken is seeing is that the initiator
doesn't even assert a subkey -- it always uses the ticket session key. That
seems... unfortunate.
-- Jeff
>
More information about the Kerberos
mailing list