Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

LTPA token decryption

246 views
Skip to first unread message

jso...@gmail.com

unread,
Aug 25, 2006, 8:16:35 AM8/25/06
to
Hello,

I am trying to decode an LTPA token generated by WebSEAL using a key coming from Websphere. The key file exported from Websphere contains a string noted as "com.ibm.websphere.ltpa.3DESKey", which is unfortenately 45 bytes long.
Assuming it is Base 64 encoded, the resulting byte array is 33 bytes long, which is still longer than a standard 3DES key (24 bytes).
Since websphere asks a password to generate the key file (which remains in clear text), I guess the password is used to alter ni some way the 3DES key.

Does anyone know how to extract the real 3DES key ?

Thanks

Regards

Jso

Paul Ilechko

unread,
Aug 25, 2006, 8:54:04 AM8/25/06
to
jso...@gmail.com wrote:
> Hello,
>
> I am trying to decode an LTPA token generated by WebSEAL using a key coming from Websphere.

Why ?

jso...@gmail.com

unread,
Aug 25, 2006, 12:06:34 PM8/25/06
to
To authenticate the user on a third party system which does not understand LTPA.

Paul Ilechko

unread,
Aug 25, 2006, 2:24:10 PM8/25/06
to
jso...@gmail.com wrote:
> To authenticate the user on a third party system which does not understand LTPA.

So, the answer to that is NOT to crack the LTPA token. What does the
remote system need for authentication data? If they need userid and
password you're screwed anyway, as the password is NOT in the LTPA
token. If they only need userid you can get that from the WAS runtime
with standard J2EE API calls. Perhaps you can describe the scenario in
more detail ?

0 new messages