[23866] in Kerberos
RE: Decrypting KRB_AS_REP ticket
daemon@ATHENA.MIT.EDU (Kallapur, Madhusudan V)
Tue May 10 18:17:14 2005
Date: Wed, 11 May 2005 03:41:58 +0530
Message-ID: <612713304D0B0D4686D61B6EECF4E46B021452B0@bgsmsx403>
From: "Kallapur, Madhusudan V" <madhusudan.v.kallapur@intel.com>
To: "Douglas E. Engert" <deengert@anl.gov>
cc: kerberos@mit.edu

Thanks for the suggestion. As I am trying to have the bare minimum code
to decrypt the service ticket (with only RC4 encryption), I picked up
the lowest layer of code. The reason for the failure turned out to be
the value of keyusage:

// keyusage = KRB5_KEYUSAGE_AS_REP_ENCPART;
// Above value is probably meant for ENCPART of client's session key
// for ticket requests
// This value works for decrypting enc part of service ticket
keyusage = KRB5_KEYUSAGE_KDC_REP_TICKET;

This change in the code solved the problem.

-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov]
Sent: Tuesday, May 10, 2005 7:15 AM
To: Kallapur, Madhusudan V
Cc: Kerberos@mit.edu
Subject: Re: Decrypting KRB_AS_REP ticket
Kallapur, Madhusudan V wrote:
> Hi,
>
> I am trying to create a quick prototype for a kerberized service which
> would look at the authorization data (with SIDs) present in the service
> ticket and accept/reject the service request. To start with, I created
> an SPN in the Active Directory (Windows 2003 domain controller/KDC) for
> this service using "ktpass" with -princ -mapuser options with -crypto
> being RC4-HMAC-NT. Then I created a service ticket for this service
> using "kinit -S service" option, I did this from a linux client in the
> same domain with a user account. Now I am trying to decrypt the
> KRB_AS_REP packet which contains the service ticket and get the
> authorization data.

I would suspect that the KRB_AS_REP enc-part is encrypted in the
user's key. The enc-part (EncTicketPart) of the Ticket in the KRB_AS_REP
would be encrypted in the server's key.

> I used the "krb5_arcfour_decrypt" API for the
> decryption. I see that the decryption fails with
> KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
> the "ktpass" tool after it created the keytab file, to decrypt the
> service ticket.
>

Sounds like you are at too low a level in the Kerberos API, and may be
missing something, like a key derivation.
You may want to look at krb5_decrypt_tkt_part in decrypt_tk.c
which is used by krb5_rd_req_decrypt_tkt_part to process the KRB_AP_REQ
which is what the server would normally use.

> I am suspecting that the key used by the KDC for generating this service
> request may be different than the one thrown out by "ktpass".
>
> Has anyone seen this before? Does anyone know why this is not working?
>
> Any help/suggestions would be greatly appreciated.
>
> Thanks,
>
> Madhu
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
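
Why the wrong key usage in this thread shows up as an integrity failure: in RC4-HMAC (RFC 4757) the usage number is mixed into the HMAC key, so the checksum only verifies under the usage the data was sealed with. The sketch below is an added illustration, not code from this thread or from MIT krb5; the function names, the 16-byte key and the stand-in plaintext are constructed for the example, and only the usage 3 remapping from RFC 4757 is included.

```python
import hashlib
import hmac
import os

# Key usage numbers (values as defined in MIT krb5.h)
KRB5_KEYUSAGE_KDC_REP_TICKET = 2   # EncTicketPart, sealed with the service key
KRB5_KEYUSAGE_AS_REP_ENCPART = 3   # AS-REP enc-part, sealed with the client key

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def _rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _k1(key: bytes, usage: int) -> bytes:
    # RFC 4757 maps Kerberos usage 3 to 8; its other remappings are omitted here.
    usage = {3: 8}.get(usage, usage)
    return _hmac_md5(key, usage.to_bytes(4, "little"))

def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    k1 = _k1(key, usage)
    body = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, body)
    return checksum + _rc4(_hmac_md5(k1, checksum), body)

def rc4_hmac_decrypt(key, usage, ciphertext):
    k1 = _k1(key, usage)
    checksum, sealed = ciphertext[:16], ciphertext[16:]
    body = _rc4(_hmac_md5(k1, checksum), sealed)
    if not hmac.compare_digest(_hmac_md5(k1, body), checksum):
        raise ValueError("integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY)")
    return body[8:]  # drop the 8-byte confounder

# Constructed sample: made-up service key and stand-in ticket contents.
SERVICE_KEY = bytes(range(16))
SEALED = rc4_hmac_encrypt(SERVICE_KEY, KRB5_KEYUSAGE_KDC_REP_TICKET, b"EncTicketPart")
```

Decrypting SEALED with KRB5_KEYUSAGE_KDC_REP_TICKET returns the plaintext; the same key with KRB5_KEYUSAGE_AS_REP_ENCPART raises the integrity error, even though the key itself is correct.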