Subject: KDC should use encrypted-timestamp key for reply key
After successfully processing a PA-ENC-TIMESTAMP entry in an AS request,
Heimdal's KDC uses the matching key as the reply key. We should do the
same thing, for three reasons:
1. We have immediate proof that the client possesses this particular
key. It might not have the other keys (in a keytab request situation).
2. This would prevent an enctype downgrade attack against a request
using PA-ENC-TIMESTAMP.
3. Doing this prevents the client from using knowledge of one key to
leverage a known plaintext for another key. (Not a very interesting
attack, but worth noting.)
Likewise for encrypted challenge, although of course in that case the
reply key will be strengthened.
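
An added illustration, not part of the ticket and not MIT krb5 or Heimdal code: a toy Python model contrasting the reply-key choice requested above with selection from the request's etype list. The HMAC-based sealing stands in for real Kerberos encryption, the key bytes and timestamps are constructed, and the etype-list policy and all function names are assumptions made for contrast.

```python
import hashlib
import hmac

# Constructed long-term keys for one principal, indexed by enctype number
# (18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac). Key bytes are made up.
KDB_KEYS = {18: b"A" * 32, 23: b"R" * 16}

def toy_seal(key, plaintext):
    """Stand-in for Kerberos encryption (assumption): plaintext + HMAC tag."""
    return plaintext + hmac.new(key, plaintext, hashlib.sha256).digest()

def toy_open(key, blob):
    """Return the plaintext if the tag verifies under key, else None."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None

def make_padata(etype, key, now):
    """Client side: PA-ENC-TIMESTAMP modelled as (enctype, sealed timestamp)."""
    return etype, toy_seal(key, str(now).encode())

def reply_key_from_preauth(padata, now, skew=300):
    """Policy from the ticket: the key that verified the timestamp is the reply key."""
    etype, blob = padata
    key = KDB_KEYS.get(etype)
    body = toy_open(key, blob) if key else None
    if body is None or abs(int(body) - now) > skew:
        return None  # pre-authentication failed, so no reply key at all
    return etype, key

def reply_key_from_etype_list(req_etypes):
    """Assumed contrast policy: first requested enctype with a stored key."""
    for etype in req_etypes:
        if etype in KDB_KEYS:
            return etype, KDB_KEYS[etype]
    return None

def compare(req_etypes, keytab, now=1_700_000_000):
    """Return (etype by list, etype by pre-auth, can the client decrypt each?)."""
    padata = make_padata(18, keytab[18], now)   # client proves the aes256 key
    by_list = reply_key_from_etype_list(req_etypes)
    by_preauth = reply_key_from_preauth(padata, now)
    return (by_list[0], by_preauth[0],
            by_list[0] in keytab, by_preauth[0] in keytab)

if __name__ == "__main__":
    # Constructed case: keytab holds only aes256; etype list arrives as [23, 18].
    print(compare([23, 18], {18: KDB_KEYS[18]}))
```

With the constructed inputs, the etype-list policy picks enctype 23, which the keytab-only client cannot decrypt, while the pre-auth policy stays on enctype 18 regardless of the order of the etype list.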