Decrypting KRB_CRED in AP_REQ
weijun.wang at oracle.com
Thu Mar 31 00:17:26 EDT 2011
I have a question regarding the decryption of KRB_CRED inside an
AP_REQ's authenticator. According to RFC 4121 4.1.1 :
... The EncryptedData
field of the KRB_CRED message [RFC4120] MUST be encrypted in the
session key of the ticket used to authenticate the context.
Here, it seems the decrypt key should be the session key of the service
ticket. What shall I do if the authenticator has a subkey?
The subkey, as specified in RFC 4120 5.5.1 :
This field contains the client's choice for an encryption key to
be used to protect this specific application session. Unless an
application specifies otherwise, if this field is left out, the
session key from the ticket will be used.
So, does the case in RFC 4121 4.1.1 I quoted above belongs to "this
specific application session"?
More information about the krbdev