hardware preauthentication in krb5-1.3-beta4
Ken Hornstein
kenh at cmf.nrl.navy.mil
Mon Jul 14 14:05:15 EDT 2003
>I am attempting to implement CRYPTOCARD hardware preauthentication into
>the krb5-1.3-beta4 kdc.
>For the most part I have it working just fine, except for two minor issues.
>
>Firstly, when I tested with GRAIL, I am presented a challenge and I
>enter my response and all goes well.
I don't believe GRAIL has been updated to the "new" hardware preauth
protocol (the one I have in draft form).
>I added a new type to the switch statement in sam_get_edata. It's type
>PA_SAM_TYPE_CRYPTOCARD as defined in k5-int.h. When I attempt to get my
>ticket, I am prompted to enter my password. After entering a good or bad
>password, I am prompted with my challenge. Why am I being prompted to
>enter a password?
>When using GRAIL I am not prompted to enter a password, I am simply
>presented a challenge and the response is expected.
Note that in the "new" hardware preauth protocol, the AS_REP is encrypted
with a mix of the card output and the user's long term key. You always
need to use a password with all of the preauth mechanisms (GRAIL might be
a special case, but GRAIL is sort of special in lots of ways :-) ).
There's not enough entropy on the card to use it as the only source
of keying material itself. Note that I have all of the backend stuff already
written for CRYPTOCard, if you want it (but it ain't pretty).
--Ken
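The point in the reply above, that the AS_REP reply key must mix the card output with the user's long-term key because the card alone carries too little entropy, can be shown with a small illustration. This is an added example, not code from this post, from MIT krb5, or from the hardware-preauth draft: the string-to-key stand-in (PBKDF2-HMAC-SHA256), the HMAC-based mixing step, the salt, password and token response values are all constructed here, and real krb5 uses the enctype's own string-to-key and its own combination rule.

```python
"""Why a hardware-preauth reply key mixes card output with the long-term key.

Added illustration; not the krb5 SAM code path and not the draft's exact
derivation.  All sample values below are constructed, not real credentials.
"""
import hashlib
import hmac
import math

# Constructed sample inputs (placeholders, not real secrets).
SAMPLE_SALT = "EXAMPLE.ORGuser"            # Kerberos-style salt: realm + principal name
SAMPLE_PASSWORD = "correct horse battery"  # stand-in for the user's long-term password
SAMPLE_CARD_RESPONSE = "31415926"          # stand-in for an 8-digit token response


def card_entropy_bits(digits: int) -> float:
    """Entropy in bits of an all-numeric token response of `digits` digits."""
    return digits * math.log2(10)


def offline_guesses_card_only(digits: int) -> int:
    """Worst-case trial count to recover a card-only key from a captured
    AS_REP: every possible numeric response can be tried offline."""
    return 10 ** digits


def long_term_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key (PBKDF2-HMAC-SHA256 here).
    Real krb5 derives the long-term key with the enctype's own function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def card_only_key(card_response: str, salt: str) -> bytes:
    """The weak design: key material taken from the card output alone.
    An attacker holding one AS_REP can brute-force this without the password."""
    return hashlib.pbkdf2_hmac("sha256", card_response.encode(), salt.encode(), 4096, 32)


def reply_key(ltk: bytes, card_response: str) -> bytes:
    """The mixed design (constructed here as an HMAC, not the draft's rule):
    the long-term key keys an HMAC over the card response.  Testing card
    guesses against a captured AS_REP now requires the long-term key too,
    and the password alone is useless without the card response."""
    return hmac.new(ltk, card_response.encode(), hashlib.sha256).digest()


def keys_differ_without_both_secrets() -> bool:
    """Check that changing either secret changes the reply key, and that the
    same two secrets always give the same key (the KDC must rederive it)."""
    good = reply_key(long_term_key(SAMPLE_PASSWORD, SAMPLE_SALT), SAMPLE_CARD_RESPONSE)
    again = reply_key(long_term_key(SAMPLE_PASSWORD, SAMPLE_SALT), SAMPLE_CARD_RESPONSE)
    bad_pw = reply_key(long_term_key("wrong password", SAMPLE_SALT), SAMPLE_CARD_RESPONSE)
    bad_card = reply_key(long_term_key(SAMPLE_PASSWORD, SAMPLE_SALT), "00000000")
    return good == again and good != bad_pw and good != bad_card


if __name__ == "__main__":
    digits = len(SAMPLE_CARD_RESPONSE)
    print(f"{digits}-digit card response: {card_entropy_bits(digits):.1f} bits, "
          f"at most {offline_guesses_card_only(digits):,} offline guesses")
    print("mixed reply key depends on both secrets:", keys_differ_without_both_secrets())
```

The numbers are the whole argument: an 8-digit response is under 27 bits, so a card-only reply key falls to an offline search over a single captured AS_REP, while the mixed key forces the attacker to hold the long-term key as well, which is why every preauth path in the reply above still asks for the password.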