[14945] in Kerberos
Re: Is the TGT a key or a container for a key?
daemon@ATHENA.MIT.EDU (Blair)
Fri Aug 3 13:53:55 2001
From: bnicodemus@fiberlink.com (Blair)
Date: 3 Aug 2001 10:40:07 -0700
Message-ID: <dc5fe6fa.0108030940.68b06deb@posting.google.com>
To: kerberos@MIT.EDU
The TGT contains several data elements, one of which is a key. The key
was generated by the KDC in response to a KDC_AS_REQ from the Kerberos
client. The key is included in the KDC_AS_REP to the client as a
standalone data item as well as included in the encrypted TGT, which is
also included in the KDC_AS_REP to the client. The encrypted TGT can
only be decrypted by the TGS, not the Kerberos client.
The client uses the key provided in the cleartext portion of the
KDC_AS_REP message to encrypt an authenticator that it creates. The
encrypted authenticator and the TGT received from the AS are passed to
the ticket-granting server in a KRB_TGS_REQ message. The TGS decrypts
the TGT to extract the session key and then uses the session key to
decrypt the authenticator.
Blair
"Martin Lau" <martinl@wrox.com> wrote in message news:<O0xa7.3096$Qt3.650626@news6-win.server.ntlworld.com>...
> Hi there,
>
> Could anyone clear up this question? Is the TGT itself a key that is used to
> encrypt the authenticator for example, or does it *hold* the key that is
> used as the master session key?
>
>
> Many thanks,
>
> Martin
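The AS and TGS exchanges described in the reply above, modelled end to end as an added example (my own code, not from the list post and not MIT Kerberos). It uses a toy authenticated-encryption scheme (SHA-256 keystream plus HMAC-SHA256 tag) in place of the RFC 3961 enctypes, JSON dicts in place of ASN.1, and constructed keys: CLIENT_KEY stands in for the key derived from the user's password and TGS_KEY for the krbtgt long-term key that only the KDC holds. The function names kdc_as_rep, client_tgs_req, tgs_verify and client_can_open_tgt are my own. The model delivers the session key to the client in the AS-REP enc-part sealed under the client's key, as RFC 4120 does, and inside the TGT sealed under TGS_KEY; the point to take from it is that the client carries the TGT but cannot open it.

```python
"""Toy model of the Kerberos AS and TGS exchanges (added example, constructed)."""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy; not a real Kerberos enctype)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag under `key`, then decrypt. Wrong key or tampering -> ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Long-term keys (constructed). The client knows CLIENT_KEY; only the KDC knows TGS_KEY.
CLIENT_KEY = hashlib.sha256(b"client password (constructed)").digest()
TGS_KEY = os.urandom(32)


def kdc_as_rep(cname: str) -> dict:
    """AS exchange: the KDC mints a fresh session key and returns it twice,
    inside the TGT (sealed under TGS_KEY, opaque to the client) and in the
    enc-part (sealed under the client's own key, readable by the client)."""
    session_key = os.urandom(32)
    tgt = seal(TGS_KEY, json.dumps({"cname": cname, "key": session_key.hex(),
                                    "endtime": time.time() + 8 * 3600}).encode())
    enc_part = seal(CLIENT_KEY, json.dumps({"key": session_key.hex(),
                                            "sname": "krbtgt/REALM"}).encode())
    return {"ticket": tgt, "enc_part": enc_part}


def client_tgs_req(as_rep: dict, cname: str) -> dict:
    """Client side: recover the session key from the enc-part (never from the TGT),
    build an authenticator under it, and forward the TGT untouched."""
    enc_part = json.loads(open_(CLIENT_KEY, as_rep["enc_part"]))
    session_key = bytes.fromhex(enc_part["key"])
    authenticator = seal(session_key, json.dumps({"cname": cname,
                                                  "ctime": time.time()}).encode())
    return {"ticket": as_rep["ticket"], "authenticator": authenticator}


def tgs_verify(tgs_req: dict) -> str:
    """TGS side: open the TGT with TGS_KEY, pull the session key out of it, and use
    that key to open the authenticator. Returns the authenticated principal name."""
    tgt = json.loads(open_(TGS_KEY, tgs_req["ticket"]))
    if tgt["endtime"] < time.time():
        raise ValueError("TGT expired")
    session_key = bytes.fromhex(tgt["key"])
    auth = json.loads(open_(session_key, tgs_req["authenticator"]))
    if auth["cname"] != tgt["cname"]:
        raise ValueError("authenticator principal does not match ticket")
    return tgt["cname"]


def client_can_open_tgt(as_rep: dict) -> bool:
    """The TGT is a container the client carries but cannot read."""
    try:
        open_(CLIENT_KEY, as_rep["ticket"])
        return True
    except ValueError:
        return False


def run_exchange(cname: str = "martin@REALM") -> str:
    """Full AS -> client -> TGS round trip; returns the principal the TGS accepted."""
    return tgs_verify(client_tgs_req(kdc_as_rep(cname), cname))


if __name__ == "__main__":
    rep = kdc_as_rep("martin@REALM")
    print("client can read TGT:", client_can_open_tgt(rep))
    print("TGS authenticated:", run_exchange())
```

Two checks in the model are worth noting: tgs_verify compares the principal in the authenticator with the one in the TGT, so an authenticator built for another name under the same session key is rejected, and open_ fails closed on the integrity tag, which is what makes the TGT opaque to the client rather than merely unreadable.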