AS_REP question

Chaskiel M Grundman cg2v at andrew.cmu.edu
Wed Sep 21 11:18:06 EDT 2005


--On Wednesday, September 21, 2005 07:07:03 -0700 NetSteady 
<cmhutch at gmail.com> wrote:

> In reading the RFC's it seems as though the encrypted data in the
> packet should be able to be decrypted if we have the proper password.
> However, the encrypted data changes with every attempt we send, and we
> can't figure out which variable is changing.

The contents of the EncryptedData is an EncKDCRepPart. The first item in an 
EncKDCRepPart is the randomly chosen EncryptionKey that the KDC picked as 
the ticket session key. In addition, the EncryptedData contains a 
counfounder (a random block prepended to the plaintext in lieu of using an 
initial vector in the cipher). The confounder needs to be stripped off as 
part of the decryption operation (but, IIRC, after the checksum is 
verified).

Also, have you verified your string-to-key transformation against the test 
vectors in rfc3961?



More information about the Kerberos mailing list