hardware preauthentication in krb5-1.3-beta4

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Jul 14 14:05:15 EDT 2003

>I am attempting to implement CRYPTOCARD hardware preauthentication into
>the krb5-1.3-beta4 KDC.
>For the most part I have it working just fine, except for two minor issues.
>Firstly, when I tested with GRAIL, I am presented a challenge and I
>enter my response and all goes well.

I don't believe GRAIL has been updated to the "new" hardware preauth
protocol (the one I have in draft form).

>I added a new type to the switch statement in sam_get_edata. Its type
>is as defined in k5-int.h. When I attempt to get my ticket, I am prompted
>to enter my password. After entering a good or bad password, I am
>prompted with my challenge. Why am I being prompted to enter a password?
>When using GRAIL I am not prompted to enter a password, I am simply
>presented a challenge and the response is expected.

Note that in the "new" hardware preauth protocol, the AS_REP is encrypted
with a mix of the card output and the user's long-term key.  You always
need to use a password with all of the preauth mechanisms (GRAIL might be
a special case, but GRAIL is sort of special in lots of ways :-) ).
There's not enough entropy on the card to use it as the only source
of keying material itself.  Note that I have all of the backend stuff already
written for CRYPTOCard, if you want it (but it ain't pretty).
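An added illustration of the entropy point in the reply above. This is not code from krb5, from GRAIL, or from the draft protocol; the key derivations, labels, salt and card codes are assumptions constructed for the demonstration. It models the AS_REP reply key two ways: derived from the card output alone, and derived from the card output mixed with the password-derived long-term key. Anything that lets an attacker test a candidate key against the encrypted part of the AS_REP (a known plaintext, a checksum) is enough to enumerate every possible card output offline in the first case, because the 6 to 8 decimal digits a token shows are only 20 to 27 bits of keying material.

```python
"""Toy model of why a hardware-token reply key must also mix in the user's
long-term key.  Added illustration only: NOT krb5's SAM code and NOT the
draft protocol's key derivation.  Every KDF, label and sample value here
is an assumption chosen for the demo."""
import hashlib
import hmac
import math
from typing import Optional

LABEL_REPLY_KEY = b"toy-sam-reply-key"   # assumed domain-separation label
LABEL_VERIFIER = b"toy-as-rep-verifier"  # assumed; stands in for the AS_REP enc-part


def string_to_key(password: str, salt: bytes) -> bytes:
    """Long-term key from the password.  PBKDF2-SHA256 is an assumption;
    real krb5 uses the enctype's own string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def card_only_key(card_response: str) -> bytes:
    """Reply key when the card output is the sole keying material."""
    return hashlib.sha256(LABEL_REPLY_KEY + card_response.encode()).digest()


def mixed_key(long_term_key: bytes, card_response: str) -> bytes:
    """Reply key = KDF(long-term key, card output) (toy derivation).  An
    attacker watching traffic now has to search both inputs."""
    return hmac.new(long_term_key, LABEL_REPLY_KEY + card_response.encode(),
                    hashlib.sha256).digest()


def as_rep_verifier(reply_key: bytes) -> bytes:
    """Stand-in for the encrypted AS_REP: any value the attacker can check
    a candidate reply key against."""
    return hmac.new(reply_key, LABEL_VERIFIER, hashlib.sha256).digest()


def brute_force_card_only(verifier: bytes, digits: int) -> Optional[str]:
    """Offline search over every card output of the given length:
    10**digits candidates, trivial for a 6-8 digit token."""
    for n in range(10 ** digits):
        cand = f"{n:0{digits}d}"
        if hmac.compare_digest(as_rep_verifier(card_only_key(cand)), verifier):
            return cand
    return None


def search_space_bits(digits: int, key_bits: int = 0) -> float:
    """log2 of what an attacker must enumerate: the decimal card output,
    plus an unknown long-term key of key_bits bits if one is mixed in."""
    return digits * math.log2(10) + key_bits


def demo(card_response: str = "0042", password: str = "correct horse") -> dict:
    """Run both derivations for one constructed login."""
    salt = b"EXAMPLE.ORGuser"  # constructed salt, not a real principal
    ltk = string_to_key(password, salt)
    digits = len(card_response)
    # Card output alone: the ciphertext is enough to recover the code.
    recovered = brute_force_card_only(
        as_rep_verifier(card_only_key(card_response)), digits)
    # Mixed derivation: the right card code with the wrong long-term key
    # yields a different reply key, so the code cannot be searched alone.
    wrong_ltk = string_to_key("wrong password", salt)
    return {
        "card_only_recovered": recovered,
        "card_only_bits": search_space_bits(digits),
        "mixed_bits": search_space_bits(digits, 8 * len(ltk)),
        "mixed_wrong_password_matches":
            as_rep_verifier(mixed_key(wrong_ltk, card_response))
            == as_rep_verifier(mixed_key(ltk, card_response)),
    }


if __name__ == "__main__":
    print(demo())
```

The demo uses a 4-digit code so it finishes instantly; an 8-digit code is 10**8 candidate derivations, which is still only minutes of single-core work against a card-only key, whereas the mixed derivation folds the full long-term key into the search space.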


More information about the krbdev mailing list