Re: signing-key for AD-KDC-ISSUED
Message-ID: <538DE114.1010602@mit.edu>
Date: Tue, 03 Jun 2014 10:52:04 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Peter Mogensen <apm@one.com>, kerberos@mit.edu
In-Reply-To: <538D875B.6010909@one.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 06/03/2014 04:29 AM, Peter Mogensen wrote:
> This seems to be conflicting. First it says the signing-key is the
> session-key, then it says it's the service-key used to encrypt the ticket.
I don't think AD-KDC-issued is really used much, but to the extent that
we have client code for it, we (MIT krb5) assume the ticket session key
is used to sign it. I don't see any Heimdal code for AD-KDC-issued
except for an #if 0 block, and I don't think Microsoft uses it for
anything since they have the PAC.
> Using the service-key seems to make more sense and it's also what I can
> see the draft for AD-CAMMAC uses for svc-verifier.
From a security perspective, I don't think it really matters whether the
ticket session key or the service key is used. The former provides a
slightly more direct guarantee that the authdata originated with the
specific ticket it is included in, but anyone with the service key can
print up a complete ticket with a chosen session key, so it shouldn't
matter either way.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
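The key choice discussed in the message above, as an added toy model that is not part of this thread and not code from MIT krb5 or Heimdal: a KDC builds a ticket whose enc-part carries an AD-KDC-ISSUED element, and a service decrypts the ticket and verifies that element. HMAC-SHA256 stands in for the Kerberos keyed checksum, a small HMAC-based construction stands in for the enc-part encryption, canonical JSON stands in for DER, and the function names, the `sign_with` switch and the EXAMPLE.COM realm are assumptions of this example. `sign_with` lets the KDC compute ad-checksum with the ticket session key (what MIT krb5 assumes) or with the service key; verification only succeeds when KDC and service agree on that choice, which is the interoperability question the thread raises, and in either case the verifier has to hold the service key before it can even reach the session key, which is the point Greg makes about the two options being equivalent in trust.

```python
"""Toy model of AD-KDC-ISSUED issuance and verification (constructed example)."""
import hashlib
import hmac
import json
import os

AD_KDC_ISSUED = 4  # ad-type of AD-KDC-ISSUED in RFC 4120
KDC_REALM = "EXAMPLE.COM"  # placeholder realm, an assumption of this example


def encode(obj) -> bytes:
    """Canonical JSON stands in for DER so checksums are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def keyed_checksum(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 stands in for the Kerberos keyed checksum."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption for the ticket enc-part (not a real enctype)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); raises ValueError if the tag does not verify under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket enc-part does not decrypt under this service key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def kdc_issue_ticket(service_key, session_key, client, elements, sign_with="session"):
    """KDC side: wrap `elements` in AD-KDC-ISSUED and seal the ticket enc-part.
    sign_with="session" signs with the ticket session key (MIT krb5's reading);
    sign_with="service" signs with the service key instead."""
    signing_key = session_key if sign_with == "session" else service_key
    ad_kdc_issued = {
        "ad-checksum": keyed_checksum(signing_key, encode(elements)),
        "i-realm": KDC_REALM,
        "i-sname": "krbtgt/" + KDC_REALM,
        "elements": elements,
    }
    enc_part = {
        "key": session_key.hex(),
        "cname": client,
        "authorization-data": [{"ad-type": AD_KDC_ISSUED, "ad-data": ad_kdc_issued}],
    }
    return {"sname": "host/service." + KDC_REALM.lower(),
            "enc-part": seal(service_key, encode(enc_part)).hex()}


def service_verify(service_key, ticket, sign_with="session"):
    """Service side: decrypt with the service key, then check each AD-KDC-ISSUED
    element with the same key choice the KDC used. Returns the verified elements
    and raises ValueError on any failure. Note the service key is needed first
    in both modes: the session key is only reachable through the enc-part."""
    enc_part = json.loads(unseal(service_key, bytes.fromhex(ticket["enc-part"])))
    session_key = bytes.fromhex(enc_part["key"])
    signing_key = session_key if sign_with == "session" else service_key
    verified = []
    for ad in enc_part["authorization-data"]:
        if ad["ad-type"] != AD_KDC_ISSUED:
            continue  # other authdata types are not KDC-signed; ignore here
        inner = ad["ad-data"]
        expected = keyed_checksum(signing_key, encode(inner["elements"]))
        if not hmac.compare_digest(expected, inner["ad-checksum"]):
            raise ValueError("AD-KDC-ISSUED checksum does not verify")
        verified.extend(inner["elements"])
    return verified


if __name__ == "__main__":
    svc_key, sess_key = os.urandom(32), os.urandom(32)
    elements = [{"ad-type": 1, "ad-data": "constructed sample element"}]  # 1 = AD-IF-RELEVANT
    ticket = kdc_issue_ticket(svc_key, sess_key, "alice@" + KDC_REALM, elements)
    print("session-key signing verifies:", service_verify(svc_key, ticket) == elements)
    try:
        service_verify(svc_key, ticket, sign_with="service")
    except ValueError as err:
        print("KDC and service disagree on the signing key:", err)
```

Running the block prints one successful verification and one failure caused purely by the two sides reading the specification differently; swapping `sign_with` on both sides gives the same result the other way round.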