Encrypting krb_cred messages in GSSAPI tokens

Sam Hartman hartmans at MIT.EDU
Tue Apr 30 14:50:01 EDT 2002


>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at ubsw.com> writes:

    Nicolas> Yeah, you could make the auth context constructor
    Nicolas> generate the subkey. Then the app could use that key
    Nicolas> before calling mk_req_extended(). It's just as well, and
    Nicolas> probably easier than the callback. Easier should win,
    Nicolas> right?


It's looking like the callback may be easier because you don't know at
auth_context initialization time whether you want a subkey or not.
Also, you probably want to fold the session key into your PRNG state
if you end up getting a new ticket from the KDC in the mk_req call.



