Re: [kitten] One question about Kerberos Protocol in the RFC 4120
Derek Atkins <derek@ihtfp.com> Wed, 18 August 2021 18:04 UTC
Return-Path: <derek@ihtfp.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 5F1533A084A
for <kitten@ietfa.amsl.com>; Wed, 18 Aug 2021 11:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key)
reason="fail (message has been altered)"
header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ocQM5bra-Vno for <kitten@ietfa.amsl.com>;
Wed, 18 Aug 2021 11:04:00 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id D74BD3A08CB
for <kitten@ietf.org>; Wed, 18 Aug 2021 11:04:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by mail2.ihtfp.org (Postfix) with ESMTP id 6FC22E2040;
Wed, 18 Aug 2021 14:03:28 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1])
by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024)
with ESMTP id 18642-02; Wed, 18 Aug 2021 14:03:24 -0400 (EDT)
Received: by mail2.ihtfp.org (Postfix, from userid 48)
id E6820E2045; Wed, 18 Aug 2021 14:03:23 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com;
s=default; t=1629309803;
bh=03iocM6BX1y6etupRGGx6NWuDzPiN7uoxziEM5p7LAo=;
h=In-Reply-To:References:Date:Subject:From:To:Cc;
b=eZmZ1cPJ5Qgp7x9QJQOT0b709tvachB/xTu6b+QYCc6QF0gfHwVfyYBWgriFqQuta
mPzx4z85fUoHs7PDZflXd3t2Ugn4siqw+2MFbDD2+hVC69f8jIvDkmNu+ZExJZrVor
mX3X5IxeBsuFK0tamtHtnHTOfp0Dtk8iRrmD9QqY=
Received: from 192.168.248.243 (SquirrelMail authenticated user warlord)
by mail2.ihtfp.org with HTTP; Wed, 18 Aug 2021 14:03:23 -0400
Message-ID: <6e2d2c9a41b1ef12cb74dff687d15258.squirrel@mail2.ihtfp.org>
In-Reply-To: <CAD8oZZEofs7pYoiVJThme1iOrUZ5rmqi8L9ur-wHirr6QJTt0g@mail.gmail.com>
References: <CAD8oZZEofs7pYoiVJThme1iOrUZ5rmqi8L9ur-wHirr6QJTt0g@mail.gmail.com>
Date: Wed, 18 Aug 2021 14:03:23 -0400
From: "Derek Atkins" <derek@ihtfp.com>
To: "bc a" <mrcatcrack@gmail.com>
Cc: kitten@ietf.org
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/5I6dMRpU-Q3NVcAOq1Oq9eRBVIc>
Subject: Re: [kitten] One question about Kerberos Protocol in the RFC 4120
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>,
<mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>,
<mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Aug 2021 18:04:07 -0000
HI, No session keys are ever the same. Whenever the KDC creates a session key, it is supposed to be randomly unique. The only time keys are "the same" is long-lived authentication keys, the keys shared between the KDC and a user, or between the KDC and a service. Those long-term keys are used to encrypt the unique session keys. Hope this helps. -derek On Wed, August 18, 2021 11:53 am, bc a wrote: > Dear Kitten members, > > I'm Xiaoxing Xu and I'm a cyber security researcher from China. I had a > question about Kerberos v5 when I read the RFC 4120 paper, which expects > you to get your reply. > The question is, I see the "key" appears in the "enc-part" field in the > "tickets" chapter of section 5.3, just like the first picture shows, and > the "key" is used to pass the session key. > So we can think the authentication server creates a session key and put it > in the "enc-part" of the "tickets" field in the AS-REQ phrase. > [image: image.png] > Then in the section 5.4.2, I found that there is also a "key" exists in > the "enc-part" of "KDC-REP", that is to say, there is also a "key" in the > "enc-part" of the AS-REP phase, > not the "enc-part" of the "ticket". > So I want to know whether it can be considered that the authentication > server creates two "keys" in the AS-REP phase, one in the "enc-part" of > the > "ticket" field, > and the other one is in the separate "enc-part" , And whether these two > "key" values are the same? > Thank you so much for your help. > [image: image.png] > Best regards > Xiaoxing Xu > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten > -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant
- [kitten] One question about Kerberos Protocol in … bc a
- Re: [kitten] One question about Kerberos Protocol… Derek Atkins
- Re: [kitten] One question about Kerberos Protocol… Greg Hudson
- Re: [kitten] One question about Kerberos Protocol… Derek Atkins
- Re: [kitten] One question about Kerberos Protocol… bc a