| From | Michael B Allen <ioplex@gmail.com> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: AS-REP |
| Date | 2025-03-07 08:20 -0500 |
| Organization | TNet Consulting |
| Message-ID | <mailman.170.1741353671.2322.kerberos@mit.edu> (permalink) |
| References | <422792771.640057.1741317941288.ref@mail.yahoo.com> <422792771.640057.1741317941288@mail.yahoo.com> <CAGMFw4gn+uRti94aZkZ9GNo8P7a0WHN081shwd3Yj=4XMx1zmg@mail.gmail.com> |
On Thu, Mar 6, 2025 at 10:26 PM Jim Shi via Kerberos <kerberos@mit.edu> wrote:

> Hi, is there an easy way to check if AS-REP is valid or not? That is, is there
> a tool or standalone program to check?
>

I don't know about an existing tool but in theory an AS-REP is pretty self-contained, which makes it "easy" relatively speaking. You just need the base key (like from a keytab) to decrypt it and thus validate it. But you would need a Kerberos lib to help because it needs to generate a so-called DK key or derived key, which is a non-trivial bit of code. Meaning it's not as simple as running it through AES-whatever.

There is a nonce generated in the AS-REQ that's supposed to be checked but if you're just validating an AS-REQ I think it would be ok to ignore it since its primary purpose is to mix up the ciphertext so that the KDC can detect a replay and you're not a KDC.

Knowing this, in theory you could probably make a tool in 100 lines of Python assuming there's a decent Python Kerberos lib out there.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/ <http://www.ioplex.com/>
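The derived-key step and integrity check discussed in the message above, as an added example that is not code from the poster or from any Kerberos library. It handles only the RFC 8009 enctypes (19 and 20), where the HMAC covers the ciphertext, so the check needs the derived key Ki but no AES. Assumptions: the `cipher` bytes of the AS-REP `enc-part` have already been extracted from the ASN.1, the function names are this example's own, and the sample key and ciphertext are constructed.

```python
import hashlib
import hmac
import struct

# RFC 8009 enctypes: etype -> (hash, Ki length in bits, truncated HMAC length in bytes)
ETYPES = {
    19: (hashlib.sha256, 128, 16),  # aes128-cts-hmac-sha256-128
    20: (hashlib.sha384, 192, 24),  # aes256-cts-hmac-sha384-192
}
KU_AS_REP_ENC_PART = 3  # RFC 4120 key usage: AS-REP enc-part under the client key


def derive_ki(base_key: bytes, etype: int, usage: int) -> bytes:
    """KDF-HMAC-SHA2 (RFC 8009 section 3) for the integrity key Ki."""
    hash_fn, k_bits, _ = ETYPES[etype]
    label = struct.pack(">IB", usage, 0x55)  # usage || 0x55 selects Ki
    block = b"\x00\x00\x00\x01" + label + b"\x00" + struct.pack(">I", k_bits)
    return hmac.new(base_key, block, hash_fn).digest()[: k_bits // 8]


def expected_tag(base_key: bytes, etype: int, usage: int, body: bytes) -> bytes:
    """Truncated HMAC over (initial cipher state || AES-CTS output)."""
    hash_fn, _, tag_len = ETYPES[etype]
    ki = derive_ki(base_key, etype, usage)
    iv = bytes(16)  # the initial cipher state is all zeros
    return hmac.new(ki, iv + body, hash_fn).digest()[:tag_len]


def validate_enc_part(base_key: bytes, etype: int, cipher: bytes,
                      usage: int = KU_AS_REP_ENC_PART) -> bool:
    """True if the trailing HMAC of an EncryptedData cipher field verifies."""
    if etype not in ETYPES:
        raise ValueError("only RFC 8009 enctypes 19 and 20 are handled here")
    tag_len = ETYPES[etype][2]
    if len(cipher) < 16 + tag_len:  # at least a confounder block plus the tag
        return False
    body, tag = cipher[:-tag_len], cipher[-tag_len:]
    return hmac.compare_digest(tag, expected_tag(base_key, etype, usage, body))


# Constructed sample (not a captured AS-REP): placeholder bytes stand in for
# the AES-CTS output, followed by the tag a holder of SAMPLE_KEY would append.
SAMPLE_KEY = bytes(range(16))
SAMPLE_BODY = bytes(range(48))
SAMPLE_CIPHER = SAMPLE_BODY + expected_tag(SAMPLE_KEY, 19, 3, SAMPLE_BODY)

if __name__ == "__main__":
    print("valid:", validate_enc_part(SAMPLE_KEY, 19, SAMPLE_CIPHER))
```

For the SHA-1 enctypes 17 and 18 (RFC 3962) the HMAC is computed over the plaintext, so the same check first requires AES-CTS decryption with the derived key Ke, which is where a Kerberos or crypto library comes in.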