[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AP REQUEST decrypt using shared secret


I'm having a problem decrypting a ticket from an AP REQUEST using

I'm trying to use a MEMORY keytab which seems to work, but my problem is
the keyblock keyvalue.

We have a shared key between the KDC and our AP REQUEST parser...
The ticket is using des3-cbc-md5 encryption.

I tried several things to use our shared key:
- setting the keyblock directly (with the exact hex value
  of the key string, keytab.keyvalue.length + keytab.keyvalue.data )
- using krb5_keyblock_init(),
- Converting the key value using krb5_string_to_key(),
- Converting the key value using krb5_string_to_key_salt(),
- ...

But all tries got me into the same result:

'krb5_rd_req: Decrypt integrity check failed'

Is there any special format for the keyvalue I have to use?
Or should it be OK when I use krb5_string_to_key?

while debugging a little bit myself,
the error seems to come from the method:

static krb5_error_code
verify_checksum(krb5_context context,
                krb5_crypto crypto,
                unsigned usage, /* not krb5_key_usage */
                void *data,
                size_t len,
                Checksum *cksum)

    if(c.checksum.length != cksum->checksum.length ||
       memcmp(c.checksum.data, cksum->checksum.data,

the checksum length was always ok, but the data failed...

Anyone has any ideas?


Tom Ghyselinck.


| Please note new email address: tom.ghyselinck@excentis.com
| Tom Ghyselinck
| Software Developer
| Excentis N.V.
| Gildestraat 8 B-9000 Gent
| Tel: +32 9 269 22 91 - Fax: +32 9 329 31 74