Decrypting KRB_CRED in AP_REQ

Weijun Wang at
Thu Mar 31 00:17:26 EDT 2011

Hi All

I have a question regarding the decryption of KRB_CRED inside an 
AP_REQ's authenticator. According to RFC 4121 4.1.1 [1]:

    ... The EncryptedData
    field of the KRB_CRED message [RFC4120] MUST be encrypted in the
    session key of the ticket used to authenticate the context.

Here, it seems the decrypt key should be the session key of the service 
ticket. What shall I do if the authenticator has a subkey?

The subkey, as specified in RFC 4120 5.5.1 [2]:

       This field contains the client's choice for an encryption key to
       be used to protect this specific application session.  Unless an
       application specifies otherwise, if this field is left out, the
       session key from the ticket will be used.

So, does the case in RFC 4121 4.1.1 I quoted above belongs to "this 
specific application session"?



More information about the krbdev mailing list