On 10/29/2012 04:26 AM, [email protected] wrote:
> 1. Obtain a TGT (called armor TGT) for the host principal without FAST
> armoring but with pre-authentication (encrypted timestamp)

It isn't really necessary to use preauth with a host key, but you certainly can.

> 2. Extract the session key and the subkey from the armor TGT and build the
> armor key with the KRB-FX-CF2 function

You don't get the subkey from the armor TGT; you choose one randomly.

> 3. Use the built armor key for encrypting the AS conversation of the user
> principal and for ensuring the integrity

Yes.

> Referring to the RFC standard on page 27 the KrbFastArmoredReq includes an
> armor field of the type KrbFastArmor that identifies the armor key. Does this
> field include the information which host principal was used to build the
> armor key or how does the KDC know which TGT was used for armoring the
> request?

The KrbFastArmor contains an RFC 4120 AP-REQ, which contains a Ticket and an Authenticator. The Ticket identifies the TGT used to armor the request and contains the session key; the Authenticator (encrypted in the session key) contains the subkey. Those two pieces together allow the KDC to construct the same armor key as the client did.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
