
PKINIT: Manual recovery of the AS key and decryption of the KDC-REP


Thomas Bourbaki

May 16, 2013, 11:47:04 AM5/16/13
to kerb...@mit.edu
Hi,

In order to better understand Kerberos and PKINIT, I am trying to do a
manual decryption of the AS exchange when RSA is used (not Diffie-Hellman).

I am able to manually decrypt the exchange to the point where I hold the AS
reply key.
However, I am not able to go beyond. This is why I'd like some help.

I perform the following steps:
- Parse the PA_PK_AS_REP:
- Get the wrapped key (3DES) from the CMS EnvelopedData (RecipientInfo)
- Unwrap the transport key (3DES) using my RSA private key (padding
PKCS1 v1.5)
- Decrypt the encryptedContent from the CMS using {3DES transport key,
IV from contentEncryptionAlgorithm}
- Retrieve the key (AES 256 in my case) from the decrypted CMS
SignedData element.

If I understood RFC 4556 correctly, my AES key is the "AS reply key", which can be
used to decrypt the enc-part of the KDC-REP.
Once decrypted, it would give me access to the EncKDCRepPart ASN.1
structure.

My guess is that I can't directly use the retrieved AES key to perform an
AES-256-CTS decryption.
So, what's missing?

I need the following information:
- What is the IV used in the decryption of the enc-part?
- Is it a NULL IV?
- Is a derivation function applied on the key? (RFC 3962 mentions =>
DK(key, "kerberos")?)

Thanks

Regards

Thomas.

Greg Hudson

May 16, 2013, 1:51:58 PM5/16/13
to Thomas Bourbaki, kerb...@mit.edu
On 05/16/2013 11:47 AM, Thomas Bourbaki wrote:
> I need the following information:
> - What is the IV used in the decryption of the enc-part?
> - Is it a NULL IV?

It's a null IV. Cipher state chaining isn't commonly used in Kerberos,
so the default cipher state is used for almost all encryptions and
decryptions.

> - Is a derivation function applied on the key? (RFC 3962 mentions =>
> DK(key, "kerberos")?)

Yes. A key usage value of 3 is used for the AS-REP encrypted part; see
RFC 4120 section 5.4.2 (enc-part) and 7.5.1.
