Re: Authentication codes

> Hello,
> 
> I would have a question about shared secrets used as authentication
> code in XKRSS requests and responses.
> In §6.1.1, it is said that in case of registration of client-generated
> key pair, Alice gets the "024837" code from server to authenticate her
> request (the code is used in <KeyBindingAuthentication>). That's ok for me.
> In §6.1.2, it is said that in case of registration of service-generated
> key pair, Bob gets the "3N9CJ-K4JKS-04JWF-0934J-SR09JW-IK4" code from
> server and that this code is used (in a key derived form) by server to
> encrypt private key value (and so by client to decrypt it). Is this code
> also used for client request authentication
> (<KeyBindingAuthentication>) before private key generation? Or, do we
> have to use two different codes?
> 

There is some advice in section 10.4 in relation to the use of shared
secrets. The spec does not disallow you using the same string for all
purposes - we found this convenient during interop. A more secure
configuration would use each secret once only.

> When looking at appendix C,
>   - in C.1.2, for Bob registration authentication key, authentication
> data is "3N9CJ-JK4JK-S04JF-W0934-JSR09-JWIK4"
>   - in C.1.3, for Bob registration private key encryption,
> authentication data is "3N9CJ-K4JKS-04JWF-0934J-SR09JW-IK4"
> It's nearly the same, but not the same (one character difference).
> Is it voluntary?
> 

While I didn't select them, I was conscious of the similarity of
the two strings throughout.  This alone does not make them invalid of
course, provided that the corresponding keys differ correspondingly.

Regards
Tommy

Received on Monday, 9 May 2005 21:05:40 UTC