When the user first logs in, he fetches his TGT from the KDC along with the session key. I get why Sa (session key) is encrypted with Ka (user's key). But why is the TGT also encrypted with Ka? The TGT is already pretty unbreakable on its own because it's encrypted with Kkdc (KDC's private key). So even if an intruder gets hold of it, it can practically do nothing with it.
If you can present a TGT to the TGS you can actually use it to get a ticket. – eckes May 05 '19 at 14:18
I get that, but why does the KDC encrypt the TGT with its private key (Kkdc) when it first gives the TGT to the user? – Jay Parekh May 06 '19 at 15:10
The TGT presented to the client by the AS is encrypted to hide the internals and authenticate it. It allows the TGS to check the integrity without the AS having to store the TGT or the contained session key. I think the encryption aspect isn't used/needed, but the authentication aspect is. Some consider the additional unused encryption a weakness as it requires more CPU. – eckes May 06 '19 at 19:02
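
The stateless check described in the last comment can be sketched as follows. This is an added example, not part of the thread and not real Kerberos code: the function names are hypothetical, and the encrypt-then-MAC construction is a toy stand-in for a Kerberos encryption type.

```python
import hashlib, hmac, json, os, time

def _subkeys(key):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # Toy keystream (HMAC-SHA256 in counter mode), a stand-in for a real enctype.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _xor_stream(enc_key, nonce, ct)

def as_issue(k_kdc, k_a, user, lifetime=3600):
    # AS: TGT sealed under Kkdc, Sa sealed under Ka. Nothing is stored server-side.
    s_a = os.urandom(32)
    tgt = seal(k_kdc, json.dumps({"user": user, "sa": s_a.hex(),
                                  "exp": time.time() + lifetime}).encode())
    return tgt, seal(k_a, s_a)

def client_authenticator(k_a, sealed_sa, user):
    # Client: recover Sa with Ka, then prove knowledge of Sa to the TGS.
    s_a = unseal(k_a, sealed_sa)
    return seal(s_a, json.dumps({"user": user, "ts": time.time()}).encode())

def tgs_accept(k_kdc, tgt, authenticator):
    # TGS: the TGT itself carries Sa; its tag proves the KDC issued it unmodified.
    ticket = json.loads(unseal(k_kdc, tgt))
    if ticket["exp"] < time.time():
        raise ValueError("ticket expired")
    auth = json.loads(unseal(bytes.fromhex(ticket["sa"]), authenticator))
    if auth["user"] != ticket["user"]:
        raise ValueError("authenticator does not match ticket")
    return ticket["user"]
```

The TGS needs only Kkdc and the presented blobs: a TGT with a single flipped bit fails the tag check, and a holder of the TGT who does not know Sa cannot build an authenticator the TGS accepts.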