Encrypting krb_rced messages in GSSAPI tokens

Sam Hartman hartmans at MIT.EDU
Tue Apr 30 14:50:01 EDT 2002

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at ubsw.com> writes:

    Nicolas> Yeah, you could make the auth context constructor
    Nicolas> generate the subkey. Then the app could use that key
    Nicolas> before calling mk_req_extended(). It's just as well, and
    Nicolas> probably easier than the callback. Easier should win,
    Nicolas> right?

It's looking like the callback may be easier because you don't know at
auth_context initialization time whether you want a subkey or not.
Also, you probably want to fold the session key into your PRNG state
if you end up getting a new ticket from the KDC in the mk_req call.

More information about the krbdev mailing list