From RFC 4120:
AS-REQ          ::= [APPLICATION 10] KDC-REQ  => 0x6A LL

KDC-REQ         ::= SEQUENCE {  => 0x03 LL
       -- NOTE: first tag is [1], not [0]
       pvno            [1] INTEGER (5) , => 0xA1 0x03 0x02 0x01 0x05
       msg-type        [2] INTEGER (10 -- AS -- | 12 -- TGS --), => 0xA2 0x03 0x02 0x01 0x0A (AS)
       padata          [3] SEQUENCE OF PA-DATA OPTIONAL => 0xA3 LL 0x30 LL
       ...

PA-DATA         ::= SEQUENCE { => 0x30 LL
       -- NOTE: first tag is [1], not [0]
       padata-type     [1] Int32, => 0xA1 0x03 0x02 0x01 0x02

with:
padata-value
     Usually contains the DER encoding of another type; the padata-type
     field identifies which type is encoded here.

     padata-type  Name             Contents of padata-value

     ...
     2            pa-enc-timestamp DER encoding of PA-ENC-TIMESTAMP
     ...

and

PA-ENC-TIMESTAMP        ::= EncryptedData -- PA-ENC-TS-ENC

  PA-ENC-TS-ENC           ::= SEQUENCE {
          patimestamp     [0] KerberosTime -- client's time --,
          pausec          [1] Microseconds OPTIONAL
  }

So the padataValue should be 0xA2 LL 0x30 LL (SEQUENCE) followed by:
0xA0 LL 0x18 (GeneralizedTime) 0x0F [time]

no?

Where am I making a mistake?

On 6/16/07, Enrique Rodriguez <[EMAIL PROTECTED]> wrote:
On 6/15/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
> Enrique Rodriguez wrote:
> > On 6/15/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
> >> ...
> >> A clue, anyone ?
> >
> > The type says it is a "pa-enc-timestamp" but it is actually an
> > EncryptedData.  You have to decrypt it.  The result of the decryption
> > will be ASN.1 that needs to be further decoded into the PA-ENC-TS-ENC
> > SEQUENCE.
>
> Yes, but the content is not a PA-ENC-TS-ENC, because this structure does
> not have an INTEGER in first position. The patimestamp is supposed to be
> a GeneralizedTime
>
> Something might be wrong...

Until it is decrypted, you are looking at an EncryptedData, which does
have an INTEGER in the first position:

   EncryptedData   ::= SEQUENCE {
           etype   [0] Int32 -- EncryptionType --,
           kvno    [1] UInt32 OPTIONAL,
           cipher  [2] OCTET STRING -- ciphertext
   }

The OCTET STRING in position 2 must be decrypted to reveal the ASN.1
for the timestamp.

Enrique



--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
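
Added example (not part of the original thread, and not the project's code): a minimal Python DER walk over a PA-DATA of padata-type 2, showing that padata-value (an OCTET STRING in RFC 4120) wraps an EncryptedData whose first field is the etype INTEGER, and that the PA-ENC-TS-ENC only exists inside the cipher after decryption. The function names, the sample bytes, the etype value 18 and the 16-byte placeholder ciphertext are constructed for illustration.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def fields(seq_body):
    """Map each explicit context tag to the (tag, value) of the TLV it wraps."""
    out, pos = {}, 0
    while pos < len(seq_body):
        ctx, inner, pos = read_tlv(seq_body, pos)
        out[ctx] = read_tlv(inner)[:2]
    return out

def unwrap(field, want, name):
    if field is None or field[0] != want:
        raise ValueError(f"{name}: missing or wrong universal tag")
    return field[1]

def parse_pa_enc_timestamp(pa_data):
    """Decode PA-DATA down to the still-encrypted EncryptedData fields."""
    pa = fields(unwrap(read_tlv(pa_data)[:2], 0x30, "PA-DATA"))
    if int.from_bytes(unwrap(pa.get(0xA1), 0x02, "padata-type"), "big", signed=True) != 2:
        raise ValueError("not pa-enc-timestamp")
    value = unwrap(pa.get(0xA2), 0x04, "padata-value")
    enc = fields(unwrap(read_tlv(value)[:2], 0x30, "EncryptedData"))
    kvno = enc.get(0xA1)  # OPTIONAL, absent in the sample below
    return {
        "etype": int.from_bytes(unwrap(enc.get(0xA0), 0x02, "etype"), "big", signed=True),
        "kvno": None if kvno is None else int.from_bytes(unwrap(kvno, 0x02, "kvno"), "big"),
        "cipher": unwrap(enc.get(0xA2), 0x04, "cipher"),  # PA-ENC-TS-ENC only after decryption
    }

# Constructed sample: 30 24 | A1 03 02 01 02 | A2 1D 04 1B | 30 19 | A0 03 02 01 12 | A2 12 04 10 <16 bytes>
SAMPLE = bytes.fromhex("3024a103020102a21d041b3019a003020112a2120410"
                       "000102030405060708090a0b0c0d0e0f")
```
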
