[3675] in Kerberos


One-time keys & Kerberos

daemon@ATHENA.MIT.EDU (James R. Hendrick)
Mon Aug 8 19:08:41 1994

Date: Mon, 8 Aug 1994 18:55:03 -0400
From: "James R. Hendrick" <hendrick@ctron.com>
To: kerberos@MIT.EDU


OK, now I think I've got it! Many thanks to those that pointed
out my initial confusion. Would you take a critical look
at this and give me your opinion? There are two questions
below that I'm not really sure of.

Thanks,

Jim Hendrick


Note, this is NOT S/Key :-)

The KDC stores K(0) and n for each one-time-key user. I assume
the keyinit will encrypt its session with the KDC using the
existing service key for the user at that time, but that's
another story.

Notation used:
==============

c - The client (human)
l - The login.machine-name principal (if used)
KDC - The key distribution center
tgtgt - the ticket granting ticket granting ticket (whew)
tgt - the ticket granting ticket
n - the current index of the one-time key
K(0) - the initial one-time key
{ stuff } - a message across the net
{ stuff }K(c) - a message encrypted with c's key


The critical exchange is (I believe) as follows, very similar
to that of getting an initial ticket granting ticket.

Question: Which of these below is preferable?


        <<EITHER>>


c -> KDC  { c, tgtgt }

Client requests tgtgt



KDC -> c  {n, { K(c,tgtgt), T(c,tgtgt) }K(n)}

KDC generates the n-th iteration of K(0), along with
a tgtgt and a temporary key, and sends this
encrypted w/ the one-time key back to the client,
but the index n is cleartext.


	<<OR>>


c -> KDC { c, tgtgt }K(l)

Client requests tgtgt crypted w/ the
key of this login service. This would require every
machine wanting to use this service to have its
login program registered. Is it worth the (small)
gain of not sending the index number in the clear?



KDC -> c  { n, { K(c,tgtgt), T(c,tgtgt) }K(n) }K(l)

KDC sends one, crypted w/ the one-time key
with key index n, all crypted w/ K(l)


       <<THEN>>


c -> KDC  { T(c,tgtgt), tgt }K(c,tgtgt)

Client is OK, gimme a tgt




KDC -> c  { K(c,tgt), T(c,tgt) }K(c,tgtgt)

KDC generates a standard tgt & session key, decrements
the index n->n-1.

Question: Can the KDC now invalidate T(c,tgtgt) and K(c,tgtgt)
or would it need to wait for some other response from the client
like this:

c -> KDC { T(c,tgt) }K(c,tgt)
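The exchange sketched above, run end to end by both sides, as an added example that is not part of the original post. Everything the post leaves open is an assumption here: K(n) is taken to be SHA-256 applied n times to K(0); "{ stuff }K" is encrypt-then-MAC with an HMAC-SHA256 keystream, standing in for the DES a 1994 KDC would use; T(c,tgtgt) travels in the clear beside the authenticator (as a real Kerberos ticket does) so the KDC can look up K(c,tgtgt); and the KDC takes the first option in the post's second question, invalidating T(c,tgtgt) the moment the tgt is issued. The principal name and K(0) are constructed sample values.

```python
"""Toy model of the one-time-key tgtgt exchange (added example, not from the post)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, KEY_LEN, TICKET_LEN = 16, 32, 32, 16


def iterate_key(k0: bytes, n: int) -> bytes:
    """K(n): the n-th iteration of K(0). Assumption: repeated SHA-256."""
    k = k0
    for _ in range(n):
        k = hashlib.sha256(k).digest()
    return k


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, msg: bytes) -> bytes:
    """{msg}key as nonce || ciphertext || HMAC tag (assumed stand-in for DES)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal; raises if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self):
        self.otk = {}     # principal -> [K(0), n]
        self.tgtgt = {}   # T(c,tgtgt) -> (principal, K(c,tgtgt))

    def register(self, principal: str, k0: bytes, n: int) -> None:
        self.otk[principal] = [k0, n]

    def tgtgt_request(self, principal: str):
        """c -> KDC {c, tgtgt};  KDC -> c {n, {K(c,tgtgt), T(c,tgtgt)}K(n)}."""
        k0, n = self.otk[principal]
        if n <= 0:
            raise ValueError("one-time keys exhausted; a new keyinit is needed")
        session, ticket = os.urandom(KEY_LEN), os.urandom(TICKET_LEN)
        self.tgtgt[ticket] = (principal, session)
        return n, seal(iterate_key(k0, n), session + ticket)   # n goes in the clear

    def tgt_request(self, ticket: bytes, authenticator: bytes) -> bytes:
        """c -> KDC T(c,tgtgt), {tgt}K(c,tgtgt);  KDC -> c {K(c,tgt), T(c,tgt)}K(c,tgtgt)."""
        if ticket not in self.tgtgt:
            raise ValueError("unknown or already-used T(c,tgtgt)")
        principal, session = self.tgtgt[ticket]
        if unseal(session, authenticator) != b"tgt":
            raise ValueError("bad authenticator")
        del self.tgtgt[ticket]         # assumed: invalidate T(c,tgtgt) at once
        self.otk[principal][1] -= 1    # n -> n-1
        return seal(session, os.urandom(KEY_LEN) + os.urandom(TICKET_LEN))


class Client:
    def __init__(self, principal: str, k0: bytes):
        self.principal, self.k0 = principal, k0

    def login(self, kdc: KDC):
        n, blob = kdc.tgtgt_request(self.principal)
        inner = unseal(iterate_key(self.k0, n), blob)   # client derives K(n) itself
        tgtgt_key, tgtgt_ticket = inner[:KEY_LEN], inner[KEY_LEN:]
        reply = kdc.tgt_request(tgtgt_ticket, seal(tgtgt_key, b"tgt"))
        tgt = unseal(tgtgt_key, reply)
        return tgt[:KEY_LEN], tgt[KEY_LEN:], tgtgt_ticket, tgtgt_key


def run_login(k0: bytes = b"constructed K(0) for this example", n: int = 5) -> dict:
    """One full exchange, then a replay of the client's second message."""
    kdc, c = KDC(), Client("jim", k0)          # constructed principal name
    kdc.register("jim", k0, n)
    tgt_key, tgt_ticket, used_ticket, used_key = c.login(kdc)
    try:
        kdc.tgt_request(used_ticket, seal(used_key, b"tgt"))   # replayed request
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    return {"n_after": kdc.otk["jim"][1], "tgt_len": len(tgt_key) + len(tgt_ticket),
            "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print(run_login())
```

Two things the toy makes visible. With K(n) derived as a forward hash of K(0), decrementing n each login is the safe direction: someone who captures K(n) can compute K(n+1) but would need a preimage to reach K(n-1), which is the key the next login will use. And because the KDC forgets T(c,tgtgt) as soon as it issues the tgt, a replay of the client's second message fails even though it is a valid ciphertext under the right session key; if the KDC instead waited for a further acknowledgement, that window would have to be closed some other way (a timestamp in the authenticator, as Kerberos does for ordinary tickets).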




