Thanks for the reply Greg. Just to make sure I have understood it clearly.
The user's TGT that goes in the pa-tgs-req along with the authenticator contains the subkey. This subkey & the session key from the user's TGT are used to get the armor key. This armor key is then used to encrypt the authenticator, which is already encrypted by the session key?

________________________________
From: Greg Hudson [via Kerberos]<mailto:[email protected]>
Sent: 17-01-2014 02:07
To: venkyA<mailto:[email protected]>
Subject: Re: Armor key negotiation in FAST

On 01/16/2014 02:46 PM, venkyA wrote:
> The authenticator which is encrypted with session key would establish the
> identity of the user. Why do we need armoring in a TGS-REQ and how is it
> done?

RFC 6113 section 5.4.2 specifies this in the second point of the bullet list. The authenticator in the PA-TGS-REQ is used to compute the armor key; this is called "implicit armor." The KrbFastArmoredReq pa-data omits the armor field, so it contains only a req-checksum and an enc-fast-req.

The benefits of FAST for TGS are less significant than for AS, but it does tighten up some security properties of the TGS exchange, authenticating fields which are currently unauthenticated.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
