Thanks for the quick reply. :-) I really appreciate your help.

So in case of a TGS-REQ, the armor key is used to encrypt the copy of the req-body in the outer field. Would that be a correct statement?

Also, when the KrbFastResponse is generated for the TGS-REP, which is encrypted with the armor key, it would contain:

1) Copy of the session key from the service ticket encrypted with session key of the user's TGT
2) Client Nonce
3) KrbFastFinished (containing the timestamp, client realm, client name, ticket checksum)

Date: Thu, 16 Jan 2014 14:46:22 -0800
From: [email protected]
To: [email protected]
Subject: Re: Armor key negotiation in FAST

On 01/16/2014 05:04 PM, venkyA wrote:
> The user's TGT that goes in the pa-tgs-req along with authenticator contains
> the subkey.
> This subkey & the session key from the user's tgt is used to get the armor
> key.

Yes and yes.

> This armor key is then used to encrypt the authenticator which is already
> encrypted by the session key?

No. Look at the definition of KrbFastArmoredReq in RFC 6113. It contains a checksum of the AP-REQ in the armor key and an encrypted KrbFastReq. The KrbFastReq contains options, padata, and the inner request body. The padata within the KrbFastReq does not include the PA-TGS-REQ.

________________________________________________
Kerberos mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
