Issue in generating Authenticator Data in AP_REQ

Greg Hudson ghudson at MIT.EDU
Sat Aug 18 11:08:08 EDT 2012

On 08/18/2012 08:37 AM, Sankar Das wrote
> 1. I am not sending "checksum" field as it is optional in Authenticator
> data. Does KDC always expect it?

Yes.  RFC 4120 requires that a TGS request include a checksum of the
kdc-req-body in the authenticator, to prevent authenticators from being
replayed in different TGS requests.  Since you're not including a
subkey, the checksum should be computed using the TGS session key with a
key usage value of 6.

> 2. I am using OpenSSL encryption functions to generate the
> Authenticator. Is there any known issue in it? (Note: I am using
> enc-part of ticket received in AS_REP as encryption key and
> concatenation of principal's realm and name as salt string).

I'm not aware of any specific issues in the OpenSSL encryption
functions, but when RFC 4120 talks about using encryption, it means
doing RFC 3961 authenticated encryption.

More information about the krbdev mailing list