RFC 3962 and DK(tkey, "kerberos") function

kerberos@noopy.org kerberos at noopy.org
Tue Oct 13 15:42:19 EDT 2009


Hello,

Thanks for your response!  Further stuff inline.

On Fri, Oct 9, 2009 at 12:28 PM, Tom Yu <tlyu at mit.edu> wrote:
>
> The IV is also known as the "cipher state" for CBC ciphers, and each
> cryptosystem specification includes a default initial cipher state.
> For "simplified profile" (e.g. DES3 and AES) cryptosystems, this is
> all-bits-zero.

OK.

>
> The DK function uses n-fold to expand the well-known constant
> "kerberos" to a full cipher block length and then uses a temporary key
> to encrypt that block.  It does not use the n-folded constant as an
> IV.  In the case of AES, the temporary key is the output of PBKDF2.
>

When using the following from test vectors as written in
http://www.apps.ietf.org/rfc/rfc3962.html Appendix B, Example 1
(Iteration count = 1, Pass phrase = "password", Salt =
"ATHENA.MIT.EDUraeburn"):
  - My Rfc2898DeriveBytes(...) function matches the 128-bit PBKDF2
output when I use the values above.
  - My N-fold function for "kerberos" matches the test vectors for
128-fold "kerberos" in
http://www.apps.ietf.org/rfc/rfc3961.html#sec-A.1.

My 128-bit AES key *doesn't* match the one in
http://www.apps.ietf.org/rfc/rfc3962.html Appendix B, Example 1.  I'm
not clear why this is happening -- but suspect the problem lies
somewhere in what I'm encrypting rather than in creating a temporary
key or in my n-folding function.  Basically what I'm trying to do in
my DK function is: "encrypt my 'kerberos' block with the temporary key
I got from my derive bytes function."

Am I understanding how I create the final key correctly here?

-- 
K
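
Added example, not part of the original message and not MIT krb5 code: the AES128 string-to-key from RFC 3962 carried through for Appendix B, Example 1. For this enctype DK(tkey, "kerberos") is one raw AES block operation on the 128-fold of "kerberos" under the PBKDF2 output (zero initial cipher state, no padding, no confounder). The function names are this example's own, and the pure-Python AES is there only to keep the block self-contained.

```python
import hashlib
from math import gcd

def gmul(a, b):  # multiplication in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox_entry(x):
    inv, out = 1, 0x63
    for _ in range(254):  # x^254 is the field inverse of x (0 maps to 0)
        inv = gmul(inv, x)
    for n in range(5):  # affine map: inv ^ rotl(inv, 1..4) ^ 0x63
        out ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
    return out

SBOX = [_sbox_entry(x) for x in range(256)]

def aes128_encrypt_block(key, block):  # one raw block: no IV, no padding
    rk, rcon = list(key), 1
    while len(rk) < 176:  # key schedule: 11 round keys of 16 bytes
        t = rk[-4:]
        if len(rk) % 16 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gmul(rcon, 2)
        rk += [a ^ b for a, b in zip(rk[-16:-12], t)]
    s = [b ^ k for b, k in zip(block, rk[:16])]
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 10:  # MixColumns, skipped in the final round
            s = [gmul(s[c + r], 2) ^ gmul(s[c + (r + 1) % 4], 3) ^ s[c + (r + 2) % 4]
                 ^ s[c + (r + 3) % 4] for c in (0, 4, 8, 12) for r in range(4)]
        s = [b ^ k for b, k in zip(s, rk[16 * rnd:16 * rnd + 16])]
    return bytes(s)

def nfold(data, nbytes):  # RFC 3961 n-fold
    bits, x = 8 * len(data), int.from_bytes(data, "big")
    lcm = len(data) * nbytes // gcd(len(data), nbytes)
    rot = lambda r: ((x >> r) | (x << (bits - r))) & ((1 << bits) - 1)  # rotate right
    big = b"".join(rot(13 * i % bits).to_bytes(len(data), "big") for i in range(lcm // len(data)))
    total = sum(int.from_bytes(big[p:p + nbytes], "big") for p in range(0, lcm, nbytes))
    while total >> 8 * nbytes:  # ones'-complement sum: fold carries back in
        total = (total & ((1 << 8 * nbytes) - 1)) + (total >> 8 * nbytes)
    return total.to_bytes(nbytes, "big")

def string_to_key_aes128(passphrase, salt, iterations):
    tkey = hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations, 16)
    return aes128_encrypt_block(tkey, nfold(b"kerberos", 16))  # DK(tkey, "kerberos")
```

The 256-bit enctype is not covered here: its DR step needs two blocks, K1 = E(tkey, n-fold) and K2 = E(tkey, K1).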



