[39497] in Kerberos
Re: AS-REP
daemon@ATHENA.MIT.EDU (Michael B Allen)
Fri Mar 7 08:22:18 2025
MIME-Version: 1.0
In-Reply-To: <422792771.640057.1741317941288@mail.yahoo.com>
From: Michael B Allen <ioplex@gmail.com>
Date: Fri, 7 Mar 2025 08:20:51 -0500
Message-ID: <CAGMFw4gn+uRti94aZkZ9GNo8P7a0WHN081shwd3Yj=4XMx1zmg@mail.gmail.com>
To: Jim Shi <hjshi@yahoo.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thu, Mar 6, 2025 at 10:26 PM Jim Shi via Kerberos <kerberos@mit.edu>
wrote:
> Hi, is there an easy way to check if an AS-REP is valid or not? That is, is
> there a tool or stand-alone program to check?
>
I don't know about an existing tool, but in theory an AS-REP is pretty
self-contained, which makes it "easy", relatively speaking. You just need the
base key (like from a keytab) to decrypt it and thus validate it.
But you would need a Kerberos lib to help, because it needs to generate a
so-called DK key, or derived key, which is a non-trivial bit of code. Meaning
it's not as simple as running it through AES-whatever.
There is a nonce generated in the AS-REQ that's supposed to be checked, but
if you're just validating an AS-REQ I think it would be OK to ignore it,
since its primary purpose is to mix up the ciphertext so that the KDC can
detect a replay, and you're not a KDC.
Knowing this, in theory you could probably make a tool in 100 lines of
Python, assuming there's a decent Python Kerberos lib out there.
Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
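The "DK key" step Mike refers to, as an added example that is not part of the thread: the RFC 3961 usage-specific derivation (Kc/Ke/Ki) implemented for the SHA-2 AES enctypes of RFC 8009, where the derivation is a plain HMAC (KDF-HMAC-SHA2) rather than a block-cipher chain, so it runs on the standard library alone. The base key is the RFC 8009 Appendix A sample key; the key usage number 3 for the AS-REP enc-part comes from RFC 4120. Decrypting the enc-part afterwards still needs AES-CTS and the HMAC check, which this block does not cover.

```python
import hashlib
import hmac

# RFC 3961 section 5.3: constant byte appended to the 4-byte big-endian
# key usage number to select which derived key is wanted.
KC_SUFFIX = b"\x99"   # checksum key
KE_SUFFIX = b"\xaa"   # encryption key
KI_SUFFIX = b"\x55"   # integrity key

# RFC 4120 section 7.5.1: key usage for the AS-REP enc-part.
AS_REP_ENC_PART_USAGE = 3

# RFC 8009 enctype parameters: (HMAC hash, Ke length in bits, Kc/Ki length in bits)
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 128, 128),
    "aes256-cts-hmac-sha384-192": ("sha384", 256, 192),
}


def kdf_hmac_sha2(base_key: bytes, label: bytes, k_bits: int, hashname: str) -> bytes:
    """RFC 8009 section 3: k-truncate(HMAC(base_key, 0x00000001 | label | 0x00 | k)).

    k is the requested key length in bits as a 4-byte big-endian integer;
    the context field of SP 800-108 is empty for key derivation.
    """
    data = (1).to_bytes(4, "big") + label + b"\x00" + k_bits.to_bytes(4, "big")
    return hmac.new(base_key, data, hashname).digest()[: k_bits // 8]


def derive_keys(base_key: bytes, usage: int, enctype: str) -> dict:
    """Return the Kc, Ke and Ki derived from base_key for one key usage number."""
    hashname, ke_bits, kc_bits = ENCTYPES[enctype]
    usage_be = usage.to_bytes(4, "big")
    return {
        "Kc": kdf_hmac_sha2(base_key, usage_be + KC_SUFFIX, kc_bits, hashname),
        "Ke": kdf_hmac_sha2(base_key, usage_be + KE_SUFFIX, ke_bits, hashname),
        "Ki": kdf_hmac_sha2(base_key, usage_be + KI_SUFFIX, kc_bits, hashname),
    }


if __name__ == "__main__":
    # RFC 8009 Appendix A sample base key for aes128-cts-hmac-sha256-128.
    base = bytes.fromhex("3705D96080C17728A0E800EAB6E0D23C")
    keys = derive_keys(base, AS_REP_ENC_PART_USAGE, "aes128-cts-hmac-sha256-128")
    for name, k in keys.items():
        print(name, k.hex())
```

Ke is the key that actually decrypts the enc-part and Ki is the one that verifies its trailing HMAC; a decryptor that only has the base key from the keytab must derive both before it can do anything with the ciphertext.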
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos