Decrypting KRB_AS_REP ticket

Kallapur, Madhusudan V madhusudan.v.kallapur at intel.com
Tue May 10 18:11:58 EDT 2005


Thanks for the suggestion. As I am trying to have the bare minimum code
to decrypt the service ticket (with only RC4 encryption), I picked up
the lowest layer of code. The reason for the failure turned out to be
the value of keyusage:

	// keyusage = KRB5_KEYUSAGE_AS_REP_ENCPART;
	// Above value is probably meant for ENCPART of client's session key
	// for ticket requests

	// This value works for decrypting enc part of service ticket
	keyusage = KRB5_KEYUSAGE_KDC_REP_TICKET;

This change in the code solved the problem.

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Tuesday, May 10, 2005 7:15 AM
To: Kallapur, Madhusudan V
Cc: Kerberos at mit.edu
Subject: Re: Decrypting KRB_AS_REP ticket



Kallapur, Madhusudan V wrote:
> Hi,
> 
>  
> 
> I am trying to create a quick prototype for a kerberized service which
> would look at the authorization data (with SIDs) present in the service
> ticket and accept/reject the service request. To start with, I created
> an SPN in the Active Directory (Windows 2003 domain controller/KDC) for
> this service using "ktpass" with -princ -mapuser options with -crypto
> being RC4-HMAC-NT. Then I created a service ticket for this service
> using "kinit -S service" option, I did this from a linux client in the
> same domain with a user account. Now I am trying to decrypt the
> KRB_AS_REP packet which contains the service ticket and get the
> authorization data.

I would suspect that the KRB_AS_REP enc-part is encrypted in the
user's key. The enc-part (EncTicketPart) of the Ticket in the
KRB_AS_REP would be encrypted in the server's key.


> I used the "krb5_arcfour_decrypt" API for the
> decryption. I see that the decryption fails with
> KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
> the "ktpass" tool after it created the keytab file, to decrypt the
> service ticket.
> 
>  
Sounds like you are at too low a level in the Kerberos API, and may be
missing something, like a key derivation.

You may want to look at krb5_decrypt_tkt_part in decrypt_tk.c
which is used by krb5_rd_req_decrypt_tkt_part to process the KRB_AP_REQ
which is what the server would normally use.

> 
> I am suspecting that the key used by the KDC for generating this service
> request may be different than the one thrown out by "ktpass".
> 
> Has anyone seen this before? Does anyone know why this is not working?
> 
>  
> 
> Any help/suggestions would be greatly appreciated.
> 
>  
> 
> Thanks,
> 
> Madhu

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
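
The failure discussed in this thread, as an added example that is not part of the original messages and is not MIT krb5 code: a Python implementation of the RFC 4757 RC4-HMAC construction, showing that the key usage number is mixed into the derived key, so decrypting an EncTicketPart with the AS-REP usage fails the checksum even when the service key is correct. The key, plaintext and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

KRB5_KEYUSAGE_KDC_REP_TICKET = 2  # EncTicketPart, encrypted in the service key
KRB5_KEYUSAGE_AS_REP_ENCPART = 3  # EncASRepPart, encrypted in the client key
MS_USAGE = {3: 8, 9: 8}           # usages RC4-HMAC numbers differently (RFC 4757)

class BadIntegrity(Exception):
    """Checksum mismatch; MIT krb5 reports KRB5KRB_AP_ERR_BAD_INTEGRITY."""

def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                            # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()

def usage_key(key, usage):
    # K1 = HMAC-MD5(K, usage as 4-byte little-endian): the step that is
    # skipped or done with the wrong number when calling the lowest layer.
    return hmac_md5(key, struct.pack("<I", MS_USAGE.get(usage, usage)))

def rc4_hmac_encrypt(key, usage, plaintext):
    k1 = usage_key(key, usage)
    body = os.urandom(8) + plaintext          # 8-byte confounder
    cksum = hmac_md5(k1, body)
    return cksum + rc4(hmac_md5(k1, cksum), body)

def rc4_hmac_decrypt(key, usage, ciphertext):
    k1 = usage_key(key, usage)
    cksum, enc = ciphertext[:16], ciphertext[16:]
    body = rc4(hmac_md5(k1, cksum), enc)
    if not hmac.compare_digest(hmac_md5(k1, body), cksum):
        raise BadIntegrity("checksum mismatch: wrong key or wrong key usage")
    return body[8:]

if __name__ == "__main__":
    key = bytes(range(16))                    # constructed 16-byte service key
    ct = rc4_hmac_encrypt(key, KRB5_KEYUSAGE_KDC_REP_TICKET, b"constructed EncTicketPart")
    print(rc4_hmac_decrypt(key, KRB5_KEYUSAGE_KDC_REP_TICKET, ct))
```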


