Decrypting KRB_AS_REP ticket

Douglas E. Engert deengert at anl.gov
Wed May 11 08:15:55 EDT 2005



Kallapur, Madhusudan V wrote:
> Thanks for the suggestion. As I am trying to have the bare minimum code
> to decrypt the service ticket( with only RC4 encryption), 

Rather than the bare minimum, you might want to use the higher
levels so as to position the code to pick up any future enhancements
in this area, such as when AES is used instead of RC4, or some
site is using DES.


> I picked up
> the lowest layer of code. The reason for the failure turned out to be
> the value of keyusage
> 
> //	keyusage = KRB5_KEYUSAGE_AS_REP_ENCPART;
> //  Above value is probably meant for ENCPART of client's session key
> //  for ticket requests
> 
> // This value works for decrypting enc part of service ticket
> 	keyusage = KRB5_KEYUSAGE_KDC_REP_TICKET;
> 
> This change in the code solved the problem.
> 
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov] 
> Sent: Tuesday, May 10, 2005 7:15 AM
> To: Kallapur, Madhusudan V
> Cc: Kerberos at mit.edu
> Subject: Re: Decrypting KRB_AS_REP ticket
> 
> 
> 
> Kallapur, Madhusudan V wrote:
> 
>>Hi,
>>
>> 
>>
>>I am trying to create a quick prototype for a kerberized service which
>>would look at the authorization data (with SIDs) present in the service
>>ticket and accept/reject the service request. To start with, I created
>>an SPN in the active directory (windows 2003 Domain controller /KDC) for
>>this service using "ktpass" with -princ -mapuser options with -crypto
>>being RC4-HMAC-NT. Then I created a service ticket for this service
>>using "kinit -S service" option, I did this from a linux client in the
>>same domain with a user account. Now I am trying to decrypt the
>>KRB_AS_REP packet which contains the service ticket and get the
>>authorization data.
> 
> 
> I would suspect that the KRB_AS_REP enc-part is encrypted in the
> user's key. The enc-part (EncTicketPart) of the Ticket in the
> KRB_AS_REP would be encrypted in the server's key.
> 
> 
>>I used the "krb5_arcfour_decrypt" API for the
>>decryption. I see that the decryption fails with
>>KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
>>the "ktpass" tool after it created the keytab file, to decrypt the
>>service ticket.
>>
>> 
> 
> Sounds like you are at too low a level in the Kerberos API, and may be
> missing something, like a key derivation.
> 
> You may want to look at krb5_decrypt_tkt_part in decrypt_tk.c
> which is used by krb5_rd_req_decrypt_tkt_part to process the KRB_AP_REQ
> which is what the server would normally use.
> 
> 
>>I am suspecting that the key used by the KDC for generating this service
>>request may be different than the one thrown out by "ktpass".
>>
>>Has anyone seen this before? Does anyone know why this is not working?
> 
>> 
>>
>>Any help/suggestions would be greatly appreciated.
>>
>> 
>>
>>Thanks,
>>
>>Madhu
>>
>> 
>>
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
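
An added illustration (not part of the original thread, and not MIT krb5 code) of why the wrong key usage shows up as an integrity failure with RC4-HMAC: RFC 4757 mixes the key usage number into the HMAC key, so an enc-part sealed with usage 2 fails its checksum when opened with usage 3. The key and plaintext are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

# Key usage numbers (RFC 4120 section 7.5.1), named as in the thread.
KRB5_KEYUSAGE_KDC_REP_TICKET = 2  # EncTicketPart, encrypted in the service key
KRB5_KEYUSAGE_AS_REP_ENCPART = 3  # AS-REP enc-part, encrypted in the client key

class BadIntegrity(Exception):
    """Stands in for KRB5KRB_AP_ERR_BAD_INTEGRITY."""

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def rc4(key, data):
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for byte in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def usage_key(key, usage):
    # RFC 4757 uses T=8 for the AS-REP encrypted part (usage 3).
    t = 8 if usage == KRB5_KEYUSAGE_AS_REP_ENCPART else usage
    return hmac_md5(key, t.to_bytes(4, "little"))  # K1 = HMAC-MD5(key, T)

def rc4_hmac_encrypt(key, usage, plaintext):
    k1 = usage_key(key, usage)
    body = os.urandom(8) + plaintext  # 8-byte confounder
    checksum = hmac_md5(k1, body)
    return checksum + rc4(hmac_md5(k1, checksum), body)

def rc4_hmac_decrypt(key, usage, blob):
    k1 = usage_key(key, usage)
    checksum, body = blob[:16], rc4(hmac_md5(k1, blob[:16]), blob[16:])
    if not hmac.compare_digest(hmac_md5(k1, body), checksum):
        raise BadIntegrity("checksum mismatch: wrong key or wrong key usage")
    return body[8:]  # strip the confounder

key = bytes(range(16))  # constructed key, stands in for the RC4 key in the keytab
ticket = rc4_hmac_encrypt(key, KRB5_KEYUSAGE_KDC_REP_TICKET, b"constructed EncTicketPart")
```

Decrypting `ticket` with `KRB5_KEYUSAGE_KDC_REP_TICKET` returns the plaintext; the same call with `KRB5_KEYUSAGE_AS_REP_ENCPART` raises `BadIntegrity` even though the key is correct.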

