[krbdev.mit.edu #8503] Access to AS REP keys to decrypt MS-PAC's PAC_CREDENTIAL_DATA
Simo Sorce via RT
rt-comment at krbdev.mit.edu
Thu Sep 29 16:38:37 EDT 2016
On Thu, 2016-09-29 at 16:31 -0400, Sam Hartman via RT wrote:
> >>>>> "Simo" == Simo Sorce via RT <rt-comment at krbdev.mit.edu> writes:
>
> Simo> When a client receives the AS_REP though, the MS-PAC is not
> Simo> immediately available, and will be available only after a
> Simo> subsequent validation step's TGS reply.
>
> Simo> In order to be able to decrypt this PAC buffer the key used to
> Simo> decode the AS reply needs to be made available to the client
> Simo> on request.
>
> Wouldn't it be better to do the decryption immediately and hold things
> until after the validation?
> The AS reply key can be somewhat to very sensitive.
You do not have access to the MS-PAC (it's encrypted with the TGT key)
until it is handed back to you in the ticket used for validation.
This mechanism is only used for pre-authentication types that do not use
passwords as long term keys, currently only with PKINIT.
--
Simo Sorce * Red Hat, Inc * New York