
Re: AP REQUEST decrypt using shared secret
Hello

Does the keytab work if you use a FILE-based keytab?
How do you know the key is correct?

Love

28 jan 2008 kl. 08.06 skrev Tom Ghyselinck:

> Hello,
>
> I'm having a problem decrypting a ticket from an AP REQUEST using
> krb5_rd_req().
>
> I'm trying to use a MEMORY keytab which seems to work, but my problem is
> the keyblock keyvalue.
>
> We have a shared key between the KDC and our AP REQUEST parser...
> The ticket is using des3-cbc-md5 encryption.
>
> I tried several things to use our shared key:
> - setting the keyblock directly (with the exact hex value
>  of the key string, keytab.keyvalue.length + keytab.keyvalue.data )
> - using krb5_keyblock_init(),
> - Converting the key value using krb5_string_to_key(),
> - Converting the key value using krb5_string_to_key_salt(),
> - ...
>
> But all tries got me into the same result:
>
> 'krb5_rd_req: Decrypt integrity check failed'
>
> Is there any special format for the keyvalue I have to use?
> Or should it be OK when I use krb5_string_to_key?
>
> While debugging a little bit myself, the error seems to come from the
> method:
>
> static krb5_error_code
> verify_checksum(krb5_context context,
>                krb5_crypto crypto,
>                unsigned usage, /* not krb5_key_usage */
>                void *data,
>                size_t len,
>                Checksum *cksum)
> during:
>
>    if(c.checksum.length != cksum->checksum.length ||
>       memcmp(c.checksum.data, cksum->checksum.data,
>              c.checksum.length))
>
> the checksum length was always ok, but the data failed...
>
> Does anyone have any ideas?
>
> Thanks!
>
> Tom Ghyselinck.
>
> -- 
>
> +---------------------------------------------
> | Please note new email address: tom.ghyselinck@excentis.com
> |
> | Tom Ghyselinck
> | Software Developer
> | Excentis N.V.
> | Gildestraat 8 B-9000 Gent
> | Tel: +32 9 269 22 91 - Fax: +32 9 329 31 74
> +---------------------------------------------
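The "Decrypt integrity check failed" result in the thread above means the key placed in the keytab did not match the key the KDC used, and Love's question ("How do you know the key is correct?") is the right one. The following added example (not code from the thread, from Heimdal, or from MIT Kerberos) shows what a des3 keyblock has to look like structurally and how the first stage of the RFC 3961 3DES string-to-key turns a password string into key material, so that a caller can sanity-check a keyvalue before handing it to krb5_rd_req. It implements RFC 3961 n-fold and the 3DES random-to-key expansion in pure Python; the final DK(tmpKey, "kerberos") step of des3 string-to-key needs a DES primitive and is deliberately left to the library (krb5_string_to_key does it). The weak-key list is limited to the four DES weak keys, and the sample key strings are constructed for illustration.

```python
"""Sanity checks for des3-cbc-md5 key material before it goes into a keytab.

Added example; not code from the Heimdal mailing-list thread. Implements
RFC 3961 n-fold and the 3DES random-to-key expansion, plus the structural
checks a 24-byte 3DES keyblock must pass. The DK(tmpKey, "kerberos") step
that finishes des3 string-to-key is not implemented here (it needs DES).
"""
from math import gcd

# The four DES weak keys (RFC 3961 lists these as keys to reject).
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"),
    bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


def has_odd_parity(b: int) -> bool:
    """DES convention: every key byte has an odd number of 1 bits."""
    return bin(b).count("1") % 2 == 1


def fix_parity(block: bytes) -> bytes:
    """Flip the low bit of each byte that does not already have odd parity."""
    return bytes(b ^ 1 if not has_odd_parity(b) else b for b in block)


def nfold(data: bytes, nbytes: int) -> bytes:
    """RFC 3961 section 5.1 n-fold.

    Repeat the input, rotating each copy right by 13 bits more than the
    previous one, until the length reaches lcm(len(data), nbytes); then add
    the nbytes-sized chunks together with end-around carry.
    """
    length = len(data)
    bits = 8 * length
    value = int.from_bytes(data, "big")
    mask = (1 << bits) - 1
    lcm = length * nbytes // gcd(length, nbytes)
    buf = bytearray()
    for i in range(lcm // length):
        r = (13 * i) % bits
        rotated = ((value >> r) | (value << (bits - r))) & mask
        buf += rotated.to_bytes(length, "big")
    total = 0
    for i in range(0, lcm, nbytes):
        total += int.from_bytes(buf[i:i + nbytes], "big")
    out_mask = (1 << (8 * nbytes)) - 1
    while total >> (8 * nbytes):  # end-around carry
        total = (total & out_mask) + (total >> (8 * nbytes))
    return total.to_bytes(nbytes, "big")


def des3_random_to_key(material: bytes) -> bytes:
    """RFC 3961 section 6.3.1 random-to-key for 3DES: 21 bytes -> 24 bytes.

    Each 7-byte chunk gains an eighth byte whose bits 1..7 are the low bits
    of the seven chunk bytes; then every byte is parity-adjusted.
    """
    if len(material) != 21:
        raise ValueError("des3 random-to-key needs exactly 21 bytes")
    key = bytearray()
    for i in range(3):
        chunk = bytes(material[7 * i:7 * i + 7])
        eighth = 0
        for j, b in enumerate(chunk):
            eighth |= (b & 1) << (j + 1)
        key += fix_parity(chunk + bytes([eighth]))
    return bytes(key)


def des3_string_to_key_stage1(password: str, salt: str) -> bytes:
    """tmpKey = random-to-key(168-fold(password + salt)).

    The library then returns DK(tmpKey, "kerberos"); that DES-based step is
    not done here. The default salt is the realm followed by the principal
    name components, so the salt must match what the KDC used.
    """
    return des3_random_to_key(nfold((password + salt).encode(), 21))


def parse_key_string(text: str) -> bytes:
    """A hex key string must be decoded; its ASCII bytes are not the key."""
    return bytes.fromhex(text.strip())


def check_des3_keyblock(keyvalue: bytes) -> list:
    """Return the structural problems with a keyvalue meant for des3-cbc-md5.

    An empty list means the blob is at least well-formed; it says nothing
    about whether it is the same key the KDC holds.
    """
    problems = []
    if len(keyvalue) != 24:
        problems.append("length is %d, des3 keys are 24 bytes" % len(keyvalue))
        return problems
    bad = [i for i, b in enumerate(keyvalue) if not has_odd_parity(b)]
    if bad:
        problems.append("bytes at offsets %s do not have odd parity" % bad)
    for i in range(3):
        if keyvalue[8 * i:8 * i + 8] in DES_WEAK_KEYS:
            problems.append("DES subkey %d is a weak key" % i)
    return problems


if __name__ == "__main__":
    # Constructed sample: a hex key string copied straight into the keyblock
    # (48 ASCII bytes) versus the same string decoded to 24 bytes.
    hex_key = "0123456789abcdef0123456789abcdef0123456789abcdef"
    print(check_des3_keyblock(hex_key.encode()))
    print(check_des3_keyblock(parse_key_string(hex_key)))
```

Two of the checks map directly onto the attempts listed in the original mail: copying the hex string's characters into `keyvalue.data` gives a 48-byte blob, which `check_des3_keyblock` rejects by length, and a decoded key whose bytes lack DES parity is flagged byte by byte. If the shared secret really is the KDC's stored key rather than a password, the 24 bytes should be used as they are; if it is a password, both sides must apply the same enctype's string-to-key with the same salt, which is the part the raw-hex attempts and an unsalted `krb5_string_to_key` call can silently get wrong.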