[krbdev.mit.edu #8503] Access to AS REP keys to decrypt MS-PAC's PAC_CREDENTIAL_DATA
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Thu Sep 29 16:31:34 EDT 2016
>>>>> "Simo" == Simo Sorce via RT <rt-comment at krbdev.mit.edu> writes:
Simo> When a client receives the AS_REP though, the MS-PAC is not
Simo> immediately available, and will be available only after a
Simo> subsequent validation step's TGS reply.
Simo> In order to be able to decrypt this PAC buffer the key used to
Simo> decode the AS reply needs to be made available to the client
Simo> on request.
Wouldn't it be better to do the decryption immediately and hold things
until after the validation?
The AS reply key can be somewhat to very sensitive.