Trouble comparing the PA-REQ-ENC-PA-REP checksum

Turner, Jonathan jt at
Thu Apr 13 07:18:38 EDT 2017


I am trying to implement a client that is compliant with

The issue I am having is on validating the checksum returned in the PA-Data
from the KDC. Below is the outline of the steps I am taking.

I need the checksum key and the value of the AS-REQ over which to compute
the checksum.
To get the key:
1) Decrypt the encpart of the AS-REP
2) From the decrypted encpart get the key value
3) Derive the key to use for the checksum by using the usage number 56 read
in big-endian and concatenated with 0x99.
4) Call the etype's derive key function with the key and the usage number.
I use the etype corresponding to the type indicated in the key. I'm pretty
sure this derive key function is correct as I use it elsewhere successfully.
To get the value of the AS-REQ
1) ASN1 marshal the AS-REQ sent to get the bytes of the AS-REQ

Now pass the AS-REQ bytes and the key into the hash function of the etype.
Compare the output of this with the bytes returned in the PA-Data's
checksum field.

Do the steps above look correct or am I missing something?

Any help is appreciated as I've be staring at this for quite a while now
and I'm out of ideas :)


More information about the Kerberos mailing list