Subject: KDC should use encrypted-timestamp key for reply key
After successfully processing a PA-ENC-TIMESTAMP entry in an AS request,
Heimdal's KDC uses the matching key as the reply key. We should do the
same thing, for three reasons:
1. We have immediate proof that the client possesses this particular
key. It might not have the other keys (in a keytab request situation).
2. This would prevent an enctype downgrade attack against a request
3. Doing this prevents the client from using knowledge of one key to
leverage a known plaintext for another key. (Not a very interesting
attack, but worth noting.)
Likewise for encrypted challenge, although of course in that case the
reply key will be strengthened.
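An added example, not MIT krb5 or Heimdal code: a toy C model of reason 1, contrasting reply-key selection from the AS-REQ etype list with selection of the key that verified the encrypted timestamp. The struct and function names, the XOR-based `toy_seal`/`toy_verify` stand-in for real Kerberos encryption, and all key values are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model: a long-term key is an enctype number plus a 32-bit secret. */
struct key { int enctype; uint32_t secret; };
struct enc_ts { uint32_t ct, mac; };  /* stand-in for PA-ENC-TIMESTAMP data */

static struct enc_ts toy_seal(const struct key *k, uint32_t ts) {
    struct enc_ts e = { ts ^ k->secret, (ts + k->secret) * 2654435761u };
    return e;
}
/* Returns 1 only if the blob was sealed with this key's secret. */
static int toy_verify(const struct key *k, const struct enc_ts *e) {
    uint32_t ts = e->ct ^ k->secret;
    return e->mac == (ts + k->secret) * 2654435761u;
}

/* Etype-list selection: first requested enctype the principal has a key for. */
const struct key *key_from_etype_list(const struct key *keys, size_t nkeys,
                                      const int *etypes, size_t netypes) {
    for (size_t i = 0; i < netypes; i++)
        for (size_t j = 0; j < nkeys; j++)
            if (keys[j].enctype == etypes[i])
                return &keys[j];
    return NULL;
}

/* Selection proposed in the ticket: the key that verified the encrypted
 * timestamp becomes the reply key. NULL means preauth failed. */
const struct key *key_from_preauth(const struct key *keys, size_t nkeys,
                                   const struct enc_ts *pa) {
    for (size_t j = 0; j < nkeys; j++)
        if (toy_verify(&keys[j], pa))
            return &keys[j];
    return NULL;
}

/* Constructed sample data: the KDB holds aes256 (18) and aes128 (17) keys;
 * the client's keytab holds only the aes128 key but requests both enctypes. */
static const struct key kdb[] = { {18, 0xA5A5A5A5u}, {17, 0x3C3C3C3Cu} };
static const int req_etypes[] = { 18, 17 };

static int etype_of(const struct key *k) { return k ? k->enctype : 0; }
int demo_etype_list(void) { return etype_of(key_from_etype_list(kdb, 2, req_etypes, 2)); }
int demo_preauth(uint32_t client_secret) {
    struct key held = { 17, client_secret };
    struct enc_ts pa = toy_seal(&held, 1700000000u);
    return etype_of(key_from_preauth(kdb, 2, &pa));
}
int main(void) { printf("%d %d\n", demo_etype_list(), demo_preauth(0x3C3C3C3Cu)); return 0; }
```

With etype-list selection the reply is encrypted in the enctype 18 key, which this client does not hold; with preauth-based selection the reply key is the enctype 17 key the client just proved it has.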