Trouble comparing the PA-REQ-ENC-PA-REP checksum


Turner, Jonathan
Hi,

I am trying to implement a client that is compliant with
https://tools.ietf.org/html/rfc6806.html#section-11

The issue I am having is on validating the checksum returned in the PA-Data
from the KDC. Below is the outline of the steps I am taking.

I need the checksum key and the value of the AS-REQ over which to compute
the checksum.
To get the key:
1) Decrypt the encpart of the AS-REP
2) From the decrypted encpart get the key value
3) Derive the key to use for the checksum by using the usage number 56 read
in big-endian and concatenated with 0x99.
4) Call the etype's derive key function with the key and the usage number.
I use the etype corresponding to the type indicated in the key. I'm pretty
sure this derive key function is correct as I use it elsewhere successfully.
To get the value of the AS-REQ
1) ASN1 marshal the AS-REQ sent to get the bytes of the AS-REQ

Now pass the AS-REQ bytes and the key into the hash function of the etype.
Compare the output of this with the bytes returned in the PA-Data's
checksum field.

Do the steps above look correct or am I missing something?

Any help is appreciated as I've been staring at this for quite a while now
and I'm out of ideas :)

Thanks,
Jonathan
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Trouble comparing the PA-REQ-ENC-PA-REP checksum

Greg Hudson
On 04/13/2017 07:18 AM, Turner, Jonathan wrote:
> https://tools.ietf.org/html/rfc6806.html#section-11
[...]
> To get the key:
> 1) Decrypt the encpart of the AS-REP
> 2) From the decrypted encpart get the key value

RFC 6806 says "The checksum key is the reply key", meaning the key used
to encrypt the KDC reply.  The key value inside the EncKDCRepPart is the
ticket session key, which is a different key.  You want to be using the
same protocol key as you would use to decrypt the EncKDCRepPart to
compute the checksum.

> 3) Derive the key to use for the checksum by using the usage number 56 read
> in big-endian and concatenated with 0x99.
> 4) Call the etype's derive key function with the key and the usage number.

Concatenating the big-endian key usage number with 0x99 is an
enctype-specific step in key derivation, albeit one used by multiple
enctypes.  I don't think this is a practical issue.

> Any help is appreciated as I've been staring at this for quite a while now
> and I'm out of ideas :)

I hope I've identified the issue.  If not, the only way I know to debug
these kinds of mismatches is to step through two implementations in a
debugger (or adding print statements) until I find a mismatch in the
inputs to a crypto function.
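The reply's point that the checksum key is the reply key, not the ticket session key, shown as an added Go example (not part of the thread and not code from any Kerberos implementation): it computes the key-usage-56 checksum over the AS-REQ bytes under each key and compares the results. It assumes an AES enctype (aes128/aes256-cts-hmac-sha1-96, RFC 3962); `nfold` and `checksum` are names chosen here, and the keys and AS-REQ bytes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// nfold (RFC 3961 5.1): sum rotated copies of in as outLen-byte ones' complement numbers.
func nfold(in []byte, outLen int) []byte {
	n, bits, lcm, carry, out := len(in), len(in)*8, outLen, 0, make([]byte, outLen)
	for lcm%n != 0 {
		lcm += outLen
	}
	for i := lcm - 1; i >= 0; i-- {
		s := ((i%n*8-13*(i/n))%bits + bits) % bits // copy i/n is rotated right 13*(i/n) bits
		w := uint16(in[s/8])<<8 | uint16(in[(s/8+1)%n])
		sum := int(out[i%outLen]) + int(byte(w>>(8-uint(s%8)))) + carry
		out[i%outLen], carry = byte(sum), sum>>8
	}
	for i := outLen - 1; i >= 0 && carry != 0; i-- { // end-around carry
		sum := int(out[i]) + carry
		out[i], carry = byte(sum), sum>>8
	}
	return out
}

// checksum: hmac-sha1-96 under Kc = DK(key, usage|0x99); AES enctypes assumed (RFC 3962).
func checksum(key, msg []byte, usage uint32) []byte {
	blk, err := aes.NewCipher(key) // key is the 16- or 32-byte protocol key
	if err != nil {
		panic(fmt.Errorf("protocol key: %w", err))
	}
	cur := nfold([]byte{byte(usage >> 24), byte(usage >> 16), byte(usage >> 8), byte(usage), 0x99}, aes.BlockSize)
	var kc []byte
	for len(kc) < len(key) { // DK: chained single-block AES encryptions of the folded constant
		blk.Encrypt(cur, cur)
		kc = append(kc, cur...)
	}
	mac := hmac.New(sha1.New, kc)
	mac.Write(msg)
	return mac.Sum(nil)[:12]
}

func main() { // constructed sample values, not real key material or a real AS-REQ
	reply, session := []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210")
	asReq := []byte("stand-in for the DER-encoded AS-REQ that was sent")
	fmt.Println("session key reproduces the reply-key checksum:", hmac.Equal(checksum(reply, asReq, 56), checksum(session, asReq, 56)))
}
```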