Subject: | Access to AS REP keys to decrypt MS-PAC's PAC_CREDENTIAL_DATA |
From: | Simo Sorce <simo@redhat.com> |
To: | krb5-bugs@mit.edu |
Date: | Thu, 29 Sep 2016 16:06:21 -0400 |
As specified in [MS-PAC] 2.6.2 [1] the PAC_CREDENTIAL_DATA structure is
encrypted with the "cryptographic system selected through the AS
protocol and the KRB_AS_REP message (as specified in [RFC4120] section
3.1.3 and [RFC4556])".
When a client receives the AS_REP though, the MS-PAC is not immediately
available, and will be available only after a subsequent validation
step's TGS reply.
In order to be able to decrypt this PAC buffer the key used to decode
the AS reply needs to be made available to the client on request.
Simo.
[1] https://msdn.microsoft.com/en-us/library/cc237952.aspx
--
Simo Sorce * Red Hat, Inc * New York