[kitten] Verified authorization data

Simo Sorce simo at redhat.com
Thu Jun 12 08:47:12 EDT 2014


On Thu, 2014-06-12 at 09:12 +0200, Peter Mogensen wrote:
> On 2014-06-11 19:08, Simo Sorce wrote:
> >> Still... the whole EncTicketPart has to be constructed and DER-encoded
> >> twice to add a kdc-verifier.
> >
> > That is done to bind the CAMMAC to a specific ticket, it is an
> > additional protection that you probably want for your use case too.
> 
> Sure... any solution to the S4U2proxy use case would require protecting 
> the ticket and attached authdata, which the KDC has to trust against 
> service tampering.

Sorry, no, the binding to the specific ticket is not a requirement for
s4u2proxy. The only requirement there is the KDC MAC which could be done
the same way as the SVC MAC.

> As the cammac draft says:
> "...assuring the KDC that a malicious service has not substituted a 
> mismatched CAMMAC received from another ticket."
> 
> But if the kdc-verifier was placed outside the EncTicketPart, then that 
> would also provide that protection and not require computing the ticket 
> twice - right?

Exactly, the computing of EncTicketPart is used to bind the CAMMAC to a
specific TGT, it is an additional feature that basically allows you to
bind service tickets back to the original TGT and back to the original
AS Request (assuming you keep track of that information via some sort of
auditing logs and perhaps a new AD with a session number).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
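The point argued above (a verifier over the elements alone detects tampering, a verifier computed over the whole EncTicketPart additionally detects a CAMMAC moved from another ticket) can be shown with a deliberately simplified model. This is an added illustration, not code from the thread, MIT krb5 or the CAMMAC draft: the field names, the `|`-joined serialisation standing in for DER encoding and the sample keys are all constructed assumptions.

```python
"""Simplified model of the two CAMMAC binding choices discussed in the
thread.  Not RFC 7751's real DER layout: ticket fields, serialisation
and keys are constructed for illustration only."""
import hmac
import hashlib

KDC_KEY = b"constructed-kdc-only-key"  # only the KDC holds this (constructed)


def unbound_verifier(authdata: bytes) -> bytes:
    """SVC-MAC style: MAC over the authorization data elements only."""
    return hmac.new(KDC_KEY, authdata, hashlib.sha256).digest()


def bound_verifier(ticket: dict, authdata: bytes) -> bytes:
    """kdc-verifier style: MAC over a serialised EncTicketPart carrying the
    authdata, so the value also depends on this ticket's client, session
    key and end time (assumed fields; stands in for DER encoding)."""
    enc_ticket_part = b"|".join(
        [ticket["cname"], ticket["session_key"], ticket["endtime"], authdata])
    return hmac.new(KDC_KEY, enc_ticket_part, hashlib.sha256).digest()


def issue_cammac(ticket: dict, authdata: bytes, bound: bool) -> tuple:
    """KDC side: attach authdata plus the chosen verifier to a ticket."""
    mac = bound_verifier(ticket, authdata) if bound else unbound_verifier(authdata)
    return (authdata, mac)


def kdc_check(ticket: dict, cammac: tuple, bound: bool) -> bool:
    """KDC side (e.g. on an S4U2proxy request): recompute and compare."""
    authdata, mac = cammac
    expected = bound_verifier(ticket, authdata) if bound else unbound_verifier(authdata)
    return hmac.compare_digest(expected, mac)


# Constructed tickets for the same service but different clients.
TICKET_A = {"cname": b"alice", "session_key": b"key-a", "endtime": b"20140612T12"}
TICKET_B = {"cname": b"bob", "session_key": b"key-b", "endtime": b"20140612T13"}
AUTHDATA_A = b"AD: groups=users"          # constructed authorization data
AUTHDATA_B = b"AD: groups=users,admins"   # constructed authorization data


def substitution_detected(bound: bool) -> bool:
    """A service holding both tickets presents ticket A with the CAMMAC
    that the KDC issued for ticket B.  True if the KDC rejects it."""
    cammac_b = issue_cammac(TICKET_B, AUTHDATA_B, bound)
    return not kdc_check(TICKET_A, cammac_b, bound)


def legitimate_accepted(bound: bool) -> bool:
    """Sanity check: an unmodified ticket/CAMMAC pair still verifies."""
    return kdc_check(TICKET_A, issue_cammac(TICKET_A, AUTHDATA_A, bound), bound)
```

Both variants reject edited authorization data; only the ticket-bound variant notices that an intact CAMMAC has been carried over from a different ticket.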
