[37651] in Kerberos


Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Fri Aug 26 01:13:58 2016

Date: Fri, 26 Aug 2016 01:13:32 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <57BF3B15.20202@openfortress.nl>
Message-ID: <alpine.GSO.1.10.1608260110400.5272@multics.mit.edu>
MIME-Version: 1.0
Cc: Simo Sorce <simo@redhat.com>, kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 25 Aug 2016, Rick van Rein wrote:

> >>> Forwarding a TGT is bad because it is unbounded impersonation.
> >> Only when the corresponding key is supplied alongside!  [I hope I'm
> >> not taking anything out of context by saying that, I'm not sure about
> >> that but will probably be corrected if I am.]
> >
> > The TGT is all you need. It gives you access to all the resources the
> > "real owner" has access to with no limitations. You do not need the long
> > term key at all (until the TGT expires of course).
> The TGT is a Ticket, holding EncryptedData.  That encrypted portion
> must be decrypted to get hold of the EncryptionKey contained in it.
> Passing a TGT verbatim does not release this information, right?
>
> In user-to-user Kerberos, it is also possible to pass a TGT from the
> service back to the client, and the client passes that verbatim without
> being able to make heads or tails of it.  That is what I meant.  But I
> may have been nitpicking, sorry about that.

You probably are nitpicking, yes, but I think the relevant key is the
session key that is contained in the TGT -- only KDCs would have the key
to decrypt the EncryptedData of the TGT (as opposed to the enc-part of the
AS-REP which is where the client gets it).

I assume that Simo is using "TGT" to mean "TGT and session key", as would
be in a user's ccache, and not in the strict protocol data structure
sense.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
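As an added illustration of the distinction drawn above (the session key sits inside the ticket's EncryptedData, which only the KDC can open, and reaches the client through the AS-REP enc-part; a ccache entry is the ticket plus that session key), here is a constructed Python model. It is not code from this thread or from MIT Kerberos: the seal/unseal primitive is a stand-in for a real Kerberos enctype, and the message layouts and names (`as_exchange`, `build_ccache`, the JSON fields) are simplified assumptions.

```python
"""Constructed model of an AS exchange: who can recover the session key from what."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in PRF keystream; a real Kerberos enctype (RFC 3961) would go here.
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(0, n + 31, 32))


def seal(key: bytes, data: bytes) -> bytes:
    """EncryptedData stand-in: keystream XOR plus an HMAC integrity tag."""
    ct = bytes(b ^ k for b, k in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return bytes(b ^ k for b, k in zip(ct, _keystream(key, len(ct))))


def as_exchange(krbtgt_key: bytes, client_key: bytes, cname: str = "alice@EXAMPLE.ORG"):
    """KDC side: the Ticket is sealed under the krbtgt key, the enc-part under the
    client's long-term key. Both carry the same fresh session key."""
    session_key = os.urandom(32)
    ticket = seal(krbtgt_key, json.dumps({"cname": cname, "key": session_key.hex()}).encode())
    enc_part = seal(client_key, json.dumps({"key": session_key.hex()}).encode())
    return ticket, enc_part


def build_ccache(client_key: bytes, ticket: bytes, enc_part: bytes) -> dict:
    """Client side: a ccache entry is the verbatim ticket plus the session key
    recovered from the AS-REP enc-part (the part the client *can* decrypt)."""
    session_key = bytes.fromhex(json.loads(unseal(client_key, enc_part))["key"])
    return {"ticket": ticket, "session_key": session_key}


def session_key_from_ticket(ticket: bytes, keys_held: list) -> "bytes | None":
    """What a party holding only the verbatim Ticket can learn: the session key
    only if one of its keys is the krbtgt key; otherwise nothing."""
    for k in keys_held:
        try:
            return bytes.fromhex(json.loads(unseal(k, ticket))["key"])
        except ValueError:
            continue
    return None
```

The ccache dict is the "TGT and session key" sense of the word; the bare `ticket` value is the strict protocol-structure sense.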
