[37944] in Kerberos
Trouble comparing the PA-REQ-ENC-PA-REP checksum
daemon@ATHENA.MIT.EDU (Turner, Jonathan)
Thu Apr 13 10:47:45 2017
From: "Turner, Jonathan" <jt@jtnet.co.uk>
Date: Thu, 13 Apr 2017 12:18:38 +0100
Message-ID: <CAB0goXr-1=RGcUZmR2BO7-LAhVHMsOPOJ=bDQ-++HzTMSPaQvQ@mail.gmail.com>
To: kerberos@mit.edu
Hi,
I am trying to implement a client that is compliant with
https://tools.ietf.org/html/rfc6806.html#section-11
The issue I am having is on validating the checksum returned in the PA-Data
from the KDC. Below is the outline of the steps I am taking.
I need the checksum key and the value of the AS-REQ over which to compute
the checksum.
To get the key:
1) Decrypt the encpart of the AS-REP
2) From the decrypted encpart get the key value
3) Derive the key to use for the checksum by using the usage number 56 read
in big-endian and concatenated with 0x99.
4) Call the etype's derive key function with the key and the usage number.
I use the etype corresponding to the type indicated in the key. I'm pretty
sure this derive key function is correct as I use it elsewhere successfully.
To get the value of the AS-REQ
1) ASN1 marshal the AS-REQ sent to get the bytes of the AS-REQ
Now pass the AS-REQ bytes and the key into the hash function of the etype.
Compare the output of this with the bytes returned in the PA-Data's
checksum field.
Do the steps above look correct or am I missing something?
Any help is appreciated as I've been staring at this for quite a while now
and I'm out of ideas :)
Thanks,
Jonathan
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
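An added worked example of the check that RFC 6806 section 11 describes, written here against the Go standard library; it is not code from the post above, nor from MIT Kerberos. Two points it makes explicit. First, the checksum key is the AS reply key, the key that decrypted the AS-REP enc-part, used with key usage number 56 (KEY_USAGE_AS_REQ) and the keyed checksum that goes with that key's enctype: for the RFC 3962 AES types that is hmac-sha1-96, so Kc = DK(key, usage || 0x99) and the HMAC-SHA1 output is truncated to 12 bytes. Second, the checksum covers the AS-REQ as it was sent, so it has to be run over the bytes that actually went on the wire, not over a re-marshalled copy, which can differ even when the ASN.1 content is identical. The padata-value of PA-REQ-ENC-PA-REP is a DER-encoded Checksum, so the 12 bytes to compare are its checksum field, not the whole padata-value. The n-fold and DK routines are checked against the RFC 3961 and RFC 3962 test vectors; the reply key and the AS-REQ bytes used in main are constructed stand-ins, not a real exchange, and the example assumes a derivation constant no longer than one AES block, which holds for usage constants.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// KeyUsageAsReq is key usage number 56 (KEY_USAGE_AS_REQ), RFC 6806 section 11.
const KeyUsageAsReq uint32 = 56

// nfold is the n-fold function of RFC 3961 section 5.1, transcribed from the
// reference C algorithm but working in bytes: the input is repeated, each
// repetition rotated right by a further 13 bits, and the repetitions are summed
// with ones-complement addition into outLen bytes.
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	a, b := outLen, inLen
	for b != 0 { // gcd(outLen, inLen)
		a, b = b, a%b
	}
	lcm := outLen * inLen / a
	out := make([]byte, outLen)
	carry := 0
	for i := lcm - 1; i >= 0; i-- {
		// Bit position in the (rotated) input whose byte lands in out[i%outLen].
		msbit := ((inLen<<3 - 1) + ((inLen<<3 + 13) * (i / inLen)) + ((inLen - i%inLen) << 3)) % (inLen << 3)
		hi := int(in[((inLen-1)-(msbit>>3))%inLen])
		lo := int(in[(inLen-(msbit>>3))%inLen])
		carry += ((hi<<8 | lo) >> ((msbit & 7) + 1)) & 0xff
		carry += int(out[i%outLen])
		out[i%outLen] = byte(carry)
		carry >>= 8
	}
	for i := outLen - 1; carry != 0 && i >= 0; i-- { // end-around carry
		carry += int(out[i])
		out[i] = byte(carry)
		carry >>= 8
	}
	return out
}

// deriveKey is DK(key, constant) of RFC 3961 section 5.1 for the RFC 3962 AES
// enctypes: the constant (assumed to be at most one block long) is n-folded to
// the 16-byte block size, then K1 = E(key, nfold(constant)), K2 = E(key, K1), ...
// until len(key) bytes exist. A single block under CBC-CTS with a zero IV is a
// plain block encryption, and random-to-key is the identity for AES.
func deriveKey(key, constant []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	prev := nfold(constant, aes.BlockSize)
	out := make([]byte, 0, len(key))
	for len(out) < len(key) {
		next := make([]byte, aes.BlockSize)
		block.Encrypt(next, prev)
		out = append(out, next...)
		prev = next
	}
	return out[:len(key)], nil
}

// checksumKeyConstant is the 32-bit big-endian key usage followed by 0x99,
// the constant RFC 3961 section 5.3 uses to derive a checksum key Kc.
func checksumKeyConstant(usage uint32) []byte {
	c := make([]byte, 5)
	binary.BigEndian.PutUint32(c, usage)
	c[4] = 0x99
	return c
}

// makeChecksum is hmac-sha1-96-aes128/aes256 (RFC 3962 section 6):
// HMAC-SHA1 keyed with Kc = DK(key, usage||0x99), truncated to 96 bits.
func makeChecksum(key []byte, usage uint32, msg []byte) ([]byte, error) {
	kc, err := deriveKey(key, checksumKeyConstant(usage))
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha1.New, kc)
	mac.Write(msg)
	return mac.Sum(nil)[:12], nil
}

// VerifyAsReqChecksum recomputes the PA-REQ-ENC-PA-REP checksum over the AS-REQ
// bytes as transmitted, keyed with the AS reply key, and compares it in
// constant time with the checksum field the KDC returned.
func VerifyAsReqChecksum(replyKey, asReqAsSent, received []byte) (bool, error) {
	expected, err := makeChecksum(replyKey, KeyUsageAsReq, asReqAsSent)
	if err != nil {
		return false, err
	}
	return hmac.Equal(expected, received), nil
}

func main() {
	// Constructed stand-ins, not a real exchange: a fixed 16-byte AES reply key
	// and a byte string standing in for the AS-REQ exactly as it was sent.
	replyKey, _ := hex.DecodeString("cdedb5281bb2f801565a1122b2563515")
	asReq := []byte("constructed AS-REQ bytes, as transmitted")
	kdcChecksum, _ := makeChecksum(replyKey, KeyUsageAsReq, asReq) // KDC side
	ok, _ := VerifyAsReqChecksum(replyKey, asReq, kdcChecksum)      // client side
	fmt.Printf("checksum %x verifies: %v\n", kdcChecksum, ok)
	// A re-marshalled request that differs by a single byte fails the check.
	altered := append([]byte{}, asReq...)
	altered[0] ^= 1
	ok, _ = VerifyAsReqChecksum(replyKey, altered, kdcChecksum)
	fmt.Printf("verifies against altered bytes: %v\n", ok)
}
```

Run it with go run; the first line prints true and the second false. Swapping the session key from the decrypted enc-part in for replyKey produces a different Kc and the comparison fails every time, which is the symptom to look for when the derivation and HMAC code are known to be good elsewhere.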