PKINIT: Manual recovery of the AS key and decryption of the KDC-REP

Greg Hudson ghudson at MIT.EDU
Thu May 16 13:51:58 EDT 2013

On 05/16/2013 11:47 AM, Thomas Bourbaki wrote:
> I need the following information:
>   - What is the IV used in the decryption on the enc-part ?
>     - Is it a NULL IV ?

It's a null IV.  Cipher state chaining isn't commonly used in Kerberos,
so the default cipher state is used for almost all encryptions and

>   - Is a derivation function applied on the key ? (RFC 3962 mentions  =>
> DK(key, "kerberos") ?)

Yes.  A key usage value of 3 is used for the AS-REP encrypted part; see
RFC 4120 section 5.4.2 (enc-part) and 7.5.1.

More information about the Kerberos mailing list