• AS-REP

    From Jim Shi@hjshi@yahoo.com to kerberos@mit.edu on Fri Mar 7 03:25:41 2025
    From Newsgroup: comp.protocols.kerberos

    Hi, is there an easy way to check if an AS-REP is valid or not? That is, is there a tool or standalone program to check?
    Thanks
    Jim
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Michael B Allen@ioplex@gmail.com to Jim Shi on Fri Mar 7 08:20:51 2025
    From Newsgroup: comp.protocols.kerberos

    On Thu, Mar 6, 2025 at 10:26 PM Jim Shi via Kerberos <kerberos@mit.edu> wrote:
    > Hi, is there an easy way to check if an AS-REP is valid or not? That is, is there
    > a tool or standalone program to check?

    I don't know about an existing tool, but in theory an AS-REP is pretty self-contained, which makes it "easy", relatively speaking. You just need the base key (like from a keytab) to decrypt it and thus validate it.
    But you would need a Kerberos lib to help, because it needs to generate a so-called DK key or derived key, which is a non-trivial bit of code. Meaning it's not as simple as running it through AES-whatever.
    There is a nonce generated in the AS-REQ that's supposed to be checked, but if you're just validating an AS-REQ I think it would be OK to ignore it, since its primary purpose is to mix up the ciphertext so that the KDC can detect a replay, and you're not a KDC.
    Knowing this, in theory you could probably make a tool in 100 lines of Python, assuming there's a decent Python Kerberos lib out there.
    Mike
    --
    Michael B Allen
    Java AD DS Integration
    https://www.ioplex.com/ <http://www.ioplex.com/>
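An added example, not from either poster and not taken from any Kerberos library: the decrypt-and-verify check described in the reply above, narrowed to the RC4-HMAC enctype (etype 23, RFC 4757) because that needs only the Python standard library, whereas the AES enctypes additionally need the RFC 3961 derived keys the reply mentions. It assumes the `cipher` octet string has already been pulled out of the AS-REP's enc-part; the key, the stand-in plaintext and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

AS_REP_USAGE = 8  # RFC 4757 key-usage value for the AS-REP encrypted part

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encryption and decryption are identical)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def encrypt_rc4_hmac(key, usage, plaintext, confounder=None):
    """Build a cipher blob: checksum(16) | RC4(confounder(8) | plaintext)."""
    k1 = hmac_md5(key, usage.to_bytes(4, "little"))
    body = (confounder or os.urandom(8)) + plaintext
    checksum = hmac_md5(k1, body)
    return checksum + rc4(hmac_md5(k1, checksum), body)

def validate_enc_part(key, cipher, usage=AS_REP_USAGE):
    """Return the decrypted plaintext, or None if the key or data is wrong."""
    if len(cipher) < 24:  # too short to hold checksum + confounder
        return None
    checksum, body = cipher[:16], cipher[16:]
    k1 = hmac_md5(key, usage.to_bytes(4, "little"))
    plain = rc4(hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(hmac_md5(k1, plain), checksum):
        return None
    return plain[8:]  # drop the 8-byte confounder

# Constructed sample: a made-up 16-byte key and stand-in plaintext bytes.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PLAIN = b"constructed EncASRepPart bytes"
SAMPLE_CIPHER = encrypt_rc4_hmac(SAMPLE_KEY, AS_REP_USAGE, SAMPLE_PLAIN)
```

A `None` result means the checksum did not verify, which happens for a wrong key, a wrong key-usage value, or modified ciphertext alike.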