Discussion:
#12 [**] Subsession keys (section 5 and 8)
Shoichi Sakane
2005-03-09 14:20:40 UTC
I also don't think it is necessary to forbid using sub session keys.
But Michael pointed out that there was some discussion about this topic
on the mailing list a long time ago. It might be necessary to consider
something.

If we allow using sub session keys, then we have to add text to
the document. We have to describe precisely where a session key or
a sub session key is used.
And if my understanding is correct, the responder can change the
subsession key by the responder's policy. So if the responder
changes the sub session key, the exchange needs the 3-way handshake,
because the initiator will have to recalculate the KEYMAT from
the subsession key from the responder.
KAMADA Ken'ichi
2005-03-09 15:57:48 UTC
At Wed, 09 Mar 2005 23:20:40 +0900,
Post by Shoichi Sakane
I also don't think it is necessary to forbid using sub session keys.
But Michael pointed out that there was some discussion about this topic
on the mailing list a long time ago. It might be necessary to consider
something.
I've reread old mails on this topic and I need to suspend my previous comment
that we should use subsession keys.
Post by Shoichi Sakane
If we allow using sub session keys, then we have to add text to
the document. We have to describe precisely where a session key or
a sub session key is used.
I'd like to complement this.
We should consider What key is used Where.
"What key" in my mind is base key, initiator's subkey, or responder's
subkey.
"Where" is KINK_ENCRYPT of command, checksum of command,
KINK_ENCRYPT of reply, checksum of reply, and checksum of ACK.
Post by Shoichi Sakane
And if my understanding is correct, the responder can change the
subsession key by the responder's policy. So if the responder
changes the sub session key, the exchange needs the 3-way handshake,
because the initiator will have to recalculate the KEYMAT from
the subsession key from the responder.
--
KAMADA Ken'ichi <***@nanohz.org>
Shoichi Sakane
2005-03-09 14:41:10 UTC
Is a responder able to reject a sub-session key and use a session key
in such case?
It's a Kerberos matter. In either case, we have to describe it.
Kazunori Miyazawa
2005-03-09 16:13:58 UTC
Post by Shoichi Sakane
I also don't think it is necessary to forbid using sub session keys.
But Michael pointed out that there was some discussion about this topic
on the mailing list a long time ago. It might be necessary to consider
something.
If we allow using sub session keys, then we have to add text to
the document. We have to describe precisely where a session key or
a sub session key is used.
I agree.
Post by Shoichi Sakane
And if my understanding is correct, the responder can change the
subsession key by the responder's policy. So if the responder
changes the sub session key, the exchange needs the 3-way handshake,
because the initiator will have to recalculate the KEYMAT from
the subsession key from the responder.
Please let me confirm.
Is a responder able to reject a sub-session key and use a session key
in such case?

--
Kazunori Miyazawa
