On 01/17/2014 03:54 PM, Venky A wrote: > So for a AS-REP, would we combine the strengthen-key with the user-key > to get a reply key with which we would encrypt the EncASRepPart?
Typically yes. If a preauthentication mechanism has altered the reply key, then strengthen-key would be combined with whatever the new reply key is. But in a typical encrypted challenge scenario, the strength-key would be combined with the long-term key to produce the reply key. > At the receiving end, the user would get the strengthen-key by > decrypting the KrbFastResponse by using the armorkey. > > Then use the strengthen-key combined with user-key to generate the reply > key to decrypt the EncASRepPart. Would that be correct to say? Correct, with the same caveat. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
