RE: Decrypting KRB_AS_REP ticket - Kerberos


Thread: RE: Decrypting KRB_AS_REP ticket

  1. RE: Decrypting KRB_AS_REP ticket

    Thanks for the suggestion. As I am trying to have the bare minimum code
    to decrypt the service ticket (with only RC4 encryption), I picked up
    the lowest layer of code. The reason for the failure turned out to be
    the value of keyusage:

    // keyusage = KRB5_KEYUSAGE_AS_REP_ENCPART;
    // Above value is probably meant for ENCPART of client's session key
    // for ticket requests

    // This value works for decrypting enc part of service ticket
    keyusage = KRB5_KEYUSAGE_KDC_REP_TICKET;

    This change in the code solved the problem.

    -----Original Message-----
    From: Douglas E. Engert [mailto:deengert@anl.gov]
    Sent: Tuesday, May 10, 2005 7:15 AM
    To: Kallapur, Madhusudan V
    Cc: Kerberos@mit.edu
    Subject: Re: Decrypting KRB_AS_REP ticket



    Kallapur, Madhusudan V wrote:
    > Hi,
    >
    > I am trying to create a quick prototype for a kerberized service which
    > would look at the authorization data (with SIDs) present in the service
    > ticket and accept/reject the service request. To start with, I created
    > an SPN in the Active Directory (Windows 2003 domain controller/KDC) for
    > this service using "ktpass" with -princ -mapuser options with -crypto
    > being RC4-HMAC-NT. Then I created a service ticket for this service
    > using "kinit -S service" option, I did this from a Linux client in the
    > same domain with a user account. Now I am trying to decrypt the
    > KRB_AS_REP packet which contains the service ticket and get the
    > authorization data.

    I would suspect that the KRB_AS_REP enc-part is encrypted in the
    user's key. The enc-part (EncTicketPart) of the Ticket in the
    KRB_AS_REP would be encrypted in the server's key.

    > I used the "krb5_arcfour_decrypt" API for the
    > decryption. I see that the decryption fails with
    > KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
    > the "ktpass" tool after it created the keytab file, to decrypt the
    > service ticket.

    Sounds like you are at too low a level in the Kerberos API, and may be
    missing something, like a key derivation.

    You may want to look at krb5_decrypt_tkt_part in decrypt_tk.c
    which is used by krb5_rd_req_decrypt_tkt_part to process the KRB_AP_REQ
    which is what the server would normally use.

    > I am suspecting that the key used by the KDC for generating this service
    > request may be different than the one thrown out by "ktpass".
    >
    > Has anyone seen this before? Does anyone know why this is not working?
    >
    > Any help/suggestions would be greatly appreciated.
    >
    > Thanks,
    >
    > Madhu
    >
    >
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
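
Added example, not code from the thread or from MIT krb5: a Python implementation of the RC4-HMAC (RFC 4757) encrypt and decrypt steps, showing why the key usage value discussed above decides whether the integrity check passes. The key and plaintext are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import os

# Key usage numbers (RFC 4120 section 7.5.1), with the MIT krb5 names from the thread.
KEYUSAGE_KDC_REP_TICKET = 2  # KRB5_KEYUSAGE_KDC_REP_TICKET: Ticket enc-part, service key
KEYUSAGE_AS_REP_ENCPART = 3  # KRB5_KEYUSAGE_AS_REP_ENCPART: AS-REP enc-part, client key

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def rc4(key, data):
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for b in data:  # XOR the data with the keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def usage_key(key, usage):
    # RFC 4757 remaps a few usage numbers, then K1 = HMAC-MD5(key, usage as 4 LE bytes).
    usage = {3: 8, 9: 8, 23: 13}.get(usage, usage)
    return hmac_md5(key, usage.to_bytes(4, "little"))

def rc4_hmac_encrypt(key, usage, plaintext):
    k1 = usage_key(key, usage)
    body = os.urandom(8) + plaintext  # 8-byte random confounder
    checksum = hmac_md5(k1, body)
    return checksum + rc4(hmac_md5(k1, checksum), body)

def rc4_hmac_decrypt(key, usage, ciphertext):
    k1 = usage_key(key, usage)
    checksum, enc = ciphertext[:16], ciphertext[16:]
    body = rc4(hmac_md5(k1, checksum), enc)
    # A wrong key or a wrong usage both end here; libkrb5 reports
    # KRB5KRB_AP_ERR_BAD_INTEGRITY for this condition.
    if not hmac.compare_digest(hmac_md5(k1, body), checksum):
        raise ValueError("integrity check failed")
    return body[8:]  # strip the confounder

# Constructed sample data: a made-up 16-byte key standing in for the keytab's
# RC4 key, and placeholder bytes standing in for an encoded EncTicketPart.
SERVICE_KEY = bytes(range(16))
PLAINTEXT = b"constructed EncTicketPart"
SAMPLE = rc4_hmac_encrypt(SERVICE_KEY, KEYUSAGE_KDC_REP_TICKET, PLAINTEXT)
```

Decrypting `SAMPLE` with `KEYUSAGE_KDC_REP_TICKET` returns the plaintext; the same key with `KEYUSAGE_AS_REP_ENCPART` raises the integrity error, because the usage number is mixed into the derived key before both the HMAC and the RC4 step.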



  2. Re: Decrypting KRB_AS_REP ticket



    Kallapur, Madhusudan V wrote:
    > Thanks for the suggestion. As I am trying to have the bare minimum code
    > to decrypt the service ticket (with only RC4 encryption),

    Rather than the bare minimum, you might want to use the higher
    levels so as to position the code to pick up any future enhancements
    in this area, such as when AES is used instead of RC4, or some
    site is using DES.

    > I picked up
    > the lowest layer of code. The reason for the failure turned out to be
    > the value of keyusage
    >
    > // keyusage = KRB5_KEYUSAGE_AS_REP_ENCPART;
    > // Above value is probably meant for ENCPART of client's session key
    > // for ticket requests
    >
    > // This value works for decrypting enc part of service ticket
    > keyusage = KRB5_KEYUSAGE_KDC_REP_TICKET;
    >
    > This change in the code solved the problem.
    >
    > -----Original Message-----
    > From: Douglas E. Engert [mailto:deengert@anl.gov]
    > Sent: Tuesday, May 10, 2005 7:15 AM
    > To: Kallapur, Madhusudan V
    > Cc: Kerberos@mit.edu
    > Subject: Re: Decrypting KRB_AS_REP ticket
    >
    > Kallapur, Madhusudan V wrote:
    >> Hi,
    >>
    >> I am trying to create a quick prototype for a kerberized service which
    >> would look at the authorization data (with SIDs) present in the service
    >> ticket and accept/reject the service request. To start with, I created
    >> an SPN in the Active Directory (Windows 2003 domain controller/KDC) for
    >> this service using "ktpass" with -princ -mapuser options with -crypto
    >> being RC4-HMAC-NT. Then I created a service ticket for this service
    >> using "kinit -S service" option, I did this from a Linux client in the
    >> same domain with a user account. Now I am trying to decrypt the
    >> KRB_AS_REP packet which contains the service ticket and get the
    >> authorization data.
    >
    > I would suspect that the KRB_AS_REP enc-part is encrypted in the
    > user's key. The enc-part (EncTicketPart) of the Ticket in the
    > KRB_AS_REP would be encrypted in the server's key.
    >
    >> I used the "krb5_arcfour_decrypt" API for the
    >> decryption. I see that the decryption fails with
    >> KRB5KRB_AP_ERR_BAD_INTEGRITY. I am using the service key given out by
    >> the "ktpass" tool after it created the keytab file, to decrypt the
    >> service ticket.
    >
    > Sounds like you are at too low a level in the Kerberos API, and may be
    > missing something, like a key derivation.
    >
    > You may want to look at krb5_decrypt_tkt_part in decrypt_tk.c
    > which is used by krb5_rd_req_decrypt_tkt_part to process the KRB_AP_REQ
    > which is what the server would normally use.
    >
    >> I am suspecting that the key used by the KDC for generating this service
    >> request may be different than the one thrown out by "ktpass".
    >>
    >> Has anyone seen this before? Does anyone know why this is not working?
    >>
    >> Any help/suggestions would be greatly appreciated.
    >>
    >> Thanks,
    >>
    >> Madhu

    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

