[16734] in Kerberos_V5_Development
Decrypting KRB_CRED in AP_REQ
daemon@ATHENA.MIT.EDU (Weijun Wang)
Thu Mar 31 03:34:03 2011
Message-ID: <4D940056.7000909@oracle.com>
Date: Thu, 31 Mar 2011 12:17:26 +0800
From: Weijun Wang <weijun.wang@oracle.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>

Hi All

I have a question regarding the decryption of KRB_CRED inside an
AP_REQ's authenticator. According to RFC 4121 4.1.1 [1]:

   ... The EncryptedData
   field of the KRB_CRED message [RFC4120] MUST be encrypted in the
   session key of the ticket used to authenticate the context.

Here, it seems the decrypt key should be the session key of the service
ticket. What shall I do if the authenticator has a subkey?

The subkey, as specified in RFC 4120 5.5.1 [2]:

   subkey
      This field contains the client's choice for an encryption key to
      be used to protect this specific application session. Unless an
      application specifies otherwise, if this field is left out, the
      session key from the ticket will be used.

So, does the case in RFC 4121 4.1.1 I quoted above belong to "this
specific application session"?

Thanks
Max

[1] http://tools.ietf.org/html/rfc4121#section-4.1.1
[2] http://tools.ietf.org/html/rfc4120#section-5.5.1