PKINIT: Manual recovery of the AS key and decryption of the KDC-REP

Thomas Bourbaki thomas.bourbaki at
Thu May 16 11:47:04 EDT 2013


In order to better understand Kerberos and PKINIT, I am trying to do a
manual decryption of the AS exchange when RSA is used (not Diffie-Hellman).

I am able to manually decrypt the exchange to the point where I hold the AS
reply key.
However, I am not able to go beyond that. This is why I'd like some help.

I perform the following steps:
 - Parse the PA_PK_AS_REP:
   - Get the wrapped key (3DES) from the CMS EnvelopedData (RecipientInfo)
   - Unwrap the transport key (3DES) using my RSA private key (padding PKCS1 v1.5)
   - Decrypt the encryptedContent from the CMS using {3DES transport key, IV from contentEncryptionAlgorithm}
   - Retrieve the key (AES 256 in my case) from the decrypted CMS SignedData element.

If I understood RFC 4556, my AES key is the "AS reply key" which can be
used to decrypt the enc-part of the KDC-REP.
Once decrypted, it would give me access to the EncKDCRepPart ASN.1.

My guess is that I can't directly use the retrieved AES key to perform an
AES-256-CTS decryption.
So, what's missing?

I need the following information:
  - What is the IV used in the decryption of the enc-part?
    - Is it a NULL IV?
  - Is a derivation function applied on the key? (RFC 3962 mentions => DK(key, "kerberos")?)
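
An added illustration, not part of the original post. Under the RFC 3961 simplified profile that RFC 3962 uses for AES, the base key is not used directly: Ke and Ki are derived with DK(key, usage | 0xAA) and DK(key, usage | 0x55), the enc-part of an AS-REP uses key usage 3 (RFC 4120), and the initial cipher state is all zeros. The Python below computes the n-folded constants that feed DK() and splits the cipher field; the function names are chosen here, and the AES steps are left out because the standard library has no AES.

```python
# Added example (not from the original post): RFC 3961 n-fold and the DK()
# constants for the AS-REP enc-part. AES itself is outside the stdlib and omitted.
from math import gcd

AS_REP_ENC_PART_USAGE = 3  # RFC 4120 section 7.5.1, "AS-REP encrypted part"
AES_BLOCK = 16             # bytes; also the confounder length
HMAC_SHA1_96_LEN = 12      # truncated HMAC appended after the ciphertext


def nfold(data: bytes, nbytes: int) -> bytes:
    """RFC 3961 section 5.1 n-fold of data to nbytes bytes."""
    bits = len(data) * 8
    value = int.from_bytes(data, "big")
    lcm = len(data) * nbytes // gcd(len(data), nbytes)
    # Concatenate copies of the input, copy i rotated right by 13*i bits.
    stream = bytearray()
    for i in range(lcm // len(data)):
        r = (13 * i) % bits
        rotated = ((value >> r) | (value << (bits - r))) & ((1 << bits) - 1)
        stream += rotated.to_bytes(len(data), "big")
    # Add the nbytes-wide slices with end-around carry (ones' complement).
    width = nbytes * 8
    mask = (1 << width) - 1
    total = sum(int.from_bytes(stream[p:p + nbytes], "big")
                for p in range(0, lcm, nbytes))
    while total > mask:
        total = (total & mask) + (total >> width)
    return total.to_bytes(nbytes, "big")


def derivation_constants(usage: int) -> dict:
    """Folded constants that DK() encrypts under the base key to get Ke and Ki."""
    prefix = usage.to_bytes(4, "big")
    return {"Ke": nfold(prefix + b"\xaa", AES_BLOCK),   # encryption key
            "Ki": nfold(prefix + b"\x55", AES_BLOCK)}   # integrity key


def split_enc_part(cipher: bytes):
    """Split EncryptedData.cipher into (AES-CTS ciphertext, HMAC-SHA1-96 tag)."""
    if len(cipher) < AES_BLOCK + HMAC_SHA1_96_LEN:
        raise ValueError("shorter than confounder plus checksum")
    return cipher[:-HMAC_SHA1_96_LEN], cipher[-HMAC_SHA1_96_LEN:]


if __name__ == "__main__":
    # Remaining steps need AES: Ke = DK(reply key, Ke constant), decrypt the
    # ciphertext with AES-CTS under Ke and an all-zero IV, drop the 16-byte
    # confounder, then check the tag with HMAC-SHA1 under Ki.
    for name, const in derivation_constants(AS_REP_ENC_PART_USAGE).items():
        print(name, const.hex())
```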
