Subject: KDC should use encrypted-timestamp key for reply key
After successfully processing a PA-ENC-TIMESTAMP entry in an AS request,
Heimdal's KDC uses the matching key as the reply key. We should do the
same thing, for three reasons:

1. We have immediate proof that the client possesses this particular
key. It might not have the other keys (in a keytab request situation).

2. This would prevent an enctype downgrade attack against a request
using PA-ENC-TIMESTAMP.

3. Doing this prevents the client from using knowledge of one key to
leverage a known plaintext for another key. (Not a very interesting
attack, but worth noting.)

Likewise for encrypted challenge, although of course in that case the
reply key will be strengthened.
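
The key selection described above, as an added example that is not part of the original ticket or of either KDC's code: a Python model in which HMAC-SHA256 stands in for the real encrypted-timestamp encryption. The keys, the timestamp, the function names, and the "before" policy (first enctype in the request list for which the principal has a key) are assumptions made for illustration.

```python
import hashlib
import hmac

AES256, RC4 = 18, 23  # enctype numbers: aes256-cts-hmac-sha1-96, rc4-hmac

# Constructed long-term keys the KDC holds for one principal.
KDC_KEYS = {AES256: b"constructed-aes256-key", RC4: b"constructed-rc4-key"}


def make_enc_timestamp(etype, key, timestamp):
    """Client side. An HMAC tag stands in for the real encrypted timestamp."""
    tag = hmac.new(key, timestamp.encode(), hashlib.sha256).digest()
    return {"etype": etype, "timestamp": timestamp, "tag": tag}


def timestamp_key_etype(kdc_keys, padata):
    """Return the enctype of the KDC key that verifies the padata, or None."""
    key = kdc_keys.get(padata["etype"])
    if key is None:
        return None
    expected = hmac.new(key, padata["timestamp"].encode(), hashlib.sha256).digest()
    return padata["etype"] if hmac.compare_digest(expected, padata["tag"]) else None


def reply_etype_from_request_list(kdc_keys, req_etypes):
    """Assumed 'before' policy: first requested enctype the principal has a key for."""
    return next((e for e in req_etypes if e in kdc_keys), None)


def reply_etype_from_timestamp(kdc_keys, padata):
    """Policy the ticket proposes: the key that verified the timestamp is the reply key."""
    return timestamp_key_etype(kdc_keys, padata)


def compare(req_etypes, client_etype, client_key):
    """Return (before, after) reply-key enctypes, or None if preauth fails."""
    padata = make_enc_timestamp(client_etype, client_key, "20240101000000Z")
    if timestamp_key_etype(KDC_KEYS, padata) is None:
        return None  # timestamp did not verify, so no reply key is chosen
    return (reply_etype_from_request_list(KDC_KEYS, req_etypes),
            reply_etype_from_timestamp(KDC_KEYS, padata))


if __name__ == "__main__":
    # Reason 1: keytab holds only the AES key, request lists both enctypes.
    print(compare([RC4, AES256], AES256, KDC_KEYS[AES256]))
    # Reason 2: the request's etype list names only the weaker enctype.
    print(compare([RC4], AES256, KDC_KEYS[AES256]))
```

In both constructed requests the list-based policy selects a key the client never proved it holds, while the timestamp-based policy stays on the key that verified.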