AP REQUEST decrypt using shared secret
Hello,
I'm having a problem decrypting a ticket from an AP REQUEST using
krb5_rd_req().
I'm trying to use a MEMORY keytab which seems to work, but my problem is
the keyblock keyvalue.
We have a shared key between the KDC and our AP REQUEST parser...
The ticket is using des3-cbc-md5 encryption.
I tried several things to use our shared key:
- setting the keyblock directly (with the exact hex value
of the key string, keytab.keyvalue.length + keytab.keyvalue.data )
- using krb5_keyblock_init(),
- Converting the key value using krb5_string_to_key(),
- Converting the key value using krb5_string_to_key_salt(),
- ...
But all attempts gave me the same result:
'krb5_rd_req: Decrypt integrity check failed'
Is there any special format for the keyvalue I have to use?
Or should it be OK when I use krb5_string_to_key?
While debugging a little bit myself,
the error seems to come from the method:

    static krb5_error_code
    verify_checksum(krb5_context context,
                    krb5_crypto crypto,
                    unsigned usage, /* not krb5_key_usage */
                    void *data,
                    size_t len,
                    Checksum *cksum)

during:

    if(c.checksum.length != cksum->checksum.length ||
       memcmp(c.checksum.data, cksum->checksum.data,
              c.checksum.length))

The checksum length was always OK, but the data failed...
Does anyone have any ideas?
Thanks!
Tom Ghyselinck.
--
+---------------------------------------------
| Please note new email address: tom.ghyselinck@excentis.com
|
| Tom Ghyselinck
| Software Developer
| Excentis N.V.
| Gildestraat 8 B-9000 Gent
| Tel: +32 9 269 22 91 - Fax: +32 9 329 31 74
+---------------------------------------------
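
An added example, not part of the original post and not Heimdal code: a pre-flight check for the "set the keyblock directly from the hex value" attempt described above. It assumes the shared key is supplied as a hex string encoding a raw DES3 key, which is 24 bytes with odd parity in every byte; the function names and the sample key in the test are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DES3_KEY_LEN 24  /* three 8-byte DES keys */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex into out[]; returns byte count, or -1 on malformed input. */
int hex_to_bytes(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > outlen) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hex_nibble(hex[2 * i]), lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* 1 if every byte has odd parity (the DES key convention), else 0. */
int des_parity_ok(const unsigned char *key, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned v = key[i], ones = 0;
        while (v) { ones += v & 1u; v >>= 1; }
        if (ones % 2 == 0) return 0;
    }
    return 1;
}

/* 0 = plausible raw DES3 key, -1 = bad hex, -2 = wrong length, -3 = parity */
int check_des3_hex_key(const char *hex, unsigned char key[DES3_KEY_LEN])
{
    unsigned char buf[64];
    int n = hex_to_bytes(hex, buf, sizeof buf);
    if (n < 0) return -1;
    if (n != DES3_KEY_LEN) return -2;
    if (!des_parity_ok(buf, DES3_KEY_LEN)) return -3;
    memcpy(key, buf, DES3_KEY_LEN);
    return 0;
}
```

A key that passes here has the right shape for a raw keyblock value; the check cannot tell whether it is the same key the KDC used to encrypt the ticket.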