Greg,

Thanks so much for the help. So for an AS-REP, would we combine the strengthen-key with the user-key to get a reply key with which we would encrypt the EncASRepPart? At the receiving end, the user would get the strengthen-key by decrypting the KrbFastResponse by using the armor key, then use the strengthen-key combined with the user-key to generate the reply key to decrypt the EncASRepPart. Would that be correct to say?

> Date: Fri, 17 Jan 2014 13:58:23 -0500
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: Re: Armor key negotiation in FAST
>
> On 01/17/2014 01:23 PM, venkyA wrote:
> > So in case of a TGS-REQ, the armor key is used to encrypt the copy of the
> > req-body in the outer field. Would that be a correct statement?
>
> Yes.
>
> > Also when the krbFastresponse is generated for the TGS-REP which is
> > encrypted with armor key, it would contain the
> >
> > 1) Copy of the session key from the service ticket encrypted with session
> > key of the user's TGT
> > 2) Client Nonce
> > 3) KrbFastFinished ( containing the timestamp, client realm, client name,
> > ticket checksum )
>
> No, yes, and yes.
>
> The strengthen-key in KrbFastResponse is not a copy of the session key.
> It is a randomly chosen key which is combined with the authenticator
> subkey (from the request) to produce the reply key, which encrypts the
> RFC 4120 EncTGSRepPart.
>
> The session key is located inside the EncTGSRepPart, as it would be in a
> normal RFC 4120 reply.
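
As an added illustration (not part of the original thread and not code from any Kerberos implementation), the sketch below carries out the TGS-REP key combination described in the quoted reply, using RFC 6113's KRB-FX-CF2 with the peppers "strengthenkey" and "replykey". It assumes the aes128-cts-hmac-sha256-128 enctype (RFC 8009), whose PRF needs only HMAC; the function names and the sample keys are constructed for the example.

```python
import hashlib
import hmac

KEY_LEN = 16  # key size of aes128-cts-hmac-sha256-128 (enctype assumed for this example)


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 8009 PRF for this enctype: KDF-HMAC-SHA2(key, "prf", data, 256)."""
    msg = b"\x00\x00\x00\x01" + b"prf" + b"\x00" + data + (256).to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def prf_plus(key: bytes, pepper: bytes, length: int) -> bytes:
    """RFC 6113 PRF+: PRF(key, 0x01 | pepper) | PRF(key, 0x02 | pepper) | ..."""
    out, counter = b"", 1
    while len(out) < length:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:length]


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """RFC 6113 KRB-FX-CF2: random-to-key(PRF+(k1, pepper1) XOR PRF+(k2, pepper2)).
    random-to-key is the identity function for the RFC 8009 enctypes."""
    a = prf_plus(k1, pepper1, KEY_LEN)
    b = prf_plus(k2, pepper2, KEY_LEN)
    return bytes(x ^ y for x, y in zip(a, b))


def fast_reply_key(strengthen_key: bytes, base_reply_key: bytes) -> bytes:
    """Key that protects the RFC 4120 encrypted reply part when FAST is in use.
    For a TGS-REP, base_reply_key is the authenticator subkey from the request."""
    return krb_fx_cf2(strengthen_key, base_reply_key, b"strengthenkey", b"replykey")


# Constructed sample keys, not taken from any real exchange.
SAMPLE_SUBKEY = bytes(range(16))           # authenticator subkey sent in the TGS-REQ
SAMPLE_STRENGTHEN = bytes(range(16, 32))   # random key the KDC puts in KrbFastResponse

if __name__ == "__main__":
    # KDC side: combines its random strengthen-key with the client's subkey.
    kdc_key = fast_reply_key(SAMPLE_STRENGTHEN, SAMPLE_SUBKEY)
    # Client side: recovers strengthen-key from KrbFastResponse (decrypted with
    # the armor key), then derives the same key to decrypt EncTGSRepPart.
    client_key = fast_reply_key(SAMPLE_STRENGTHEN, SAMPLE_SUBKEY)
    print(kdc_key.hex(), kdc_key == client_key)
```

Because the two keys are fed through distinct peppers, swapping their roles yields a different result, and a client that lacks the armor key cannot recover the strengthen-key needed to derive the reply key.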
