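/// <summary>
/// Replace the authorization-data field inside an encrypted Ticket and re-encrypt the ticket in place.
/// </summary>
/// <param name="ticket">Ticket whose enc_part is decrypted, updated and re-encrypted.</param>
/// <param name="key">The key that encrypts the ticket part.</param>
/// <param name="authorizationData">New authorization data to store in the EncTicketPart.</param>
/// <exception cref="ArgumentNullException"><paramref name="ticket"/> or <paramref name="key"/> is null.</exception>
public static void UpdateAuthDataInTicket(Ticket ticket, byte[] key, AuthorizationData authorizationData)
{
    if (ticket == null)
    {
        throw new ArgumentNullException(nameof(ticket));
    }
    if (key == null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    // The etype recorded in enc_part selects the cipher for both decryption and re-encryption.
    EncryptionType encryptType = (EncryptionType)ticket.enc_part.etype.Value;
    byte[] clearText = KerberosUtility.Decrypt(
        encryptType,
        key,
        ticket.enc_part.cipher.ByteArrayValue,
        (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);

    // Decode the plaintext into an EncTicketPart so the field can be replaced.
    EncTicketPart encTicketPart = new EncTicketPart();
    encTicketPart.BerDecode(new Asn1DecodingBuffer(clearText));
    encTicketPart.authorization_data = authorizationData;

    // Re-encode and re-encrypt under the same key and the same key-usage number.
    Asn1BerEncodingBuffer ticketBerBuffer = new Asn1BerEncodingBuffer();
    encTicketPart.BerEncode(ticketBerBuffer, true);
    byte[] cipherData = KerberosUtility.Encrypt(
        encryptType,
        key,
        ticketBerBuffer.Data,
        (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);

    // NOTE(review): the second constructor argument (the optional kvno, per the ASN.1 definition of
    // EncryptedData) is passed as null, so any kvno the original ticket carried is dropped — confirm intended.
    ticket.enc_part = new EncryptedData(new KerbInt32((int)encryptType), null, new Asn1OctetString(cipherData));
}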
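/// <summary>
/// Decode a GSS-API token carrying an AP-REP, decrypt its enc-part with the AP session key
/// and update the client context from the result.
/// </summary>
/// <param name="token">GSS-API token; the SPNEGO wrapper is removed first when <paramref name="gssToken"/> is GSSSPNG.</param>
/// <param name="gssToken">Framing of the token: SPNEGO (default) or a bare Kerberos token.</param>
/// <returns>The decoded AP-REP with its decrypted EncAPRepPart.</returns>
/// <exception cref="FormatException">
/// The token is empty, shorter than a valid AP response, or its TOK_ID is not KRB_AP_REP.
/// </exception>
private KerberosApResponse GetApResponseFromToken(byte[] token, KerberosConstValue.GSSToken gssToken = KerberosConstValue.GSSToken.GSSSPNG)
{
    if (gssToken == KerberosConstValue.GSSToken.GSSSPNG)
    {
        token = KerberosUtility.DecodeNegotiationToken(token);
    }

    // An empty buffer would otherwise fault on the token[0] tag check below.
    if (token == null || token.Length == 0)
    {
        throw new FormatException("AP Response token is empty.");
    }

    if (token[0] == KerberosConstValue.KERBEROS_TAG)
    {
        byte[] apData = KerberosUtility.VerifyGssApiTokenHeader(token, this.client.OidPkt);

        // Check if it has a two-byte tok_id
        if (null == apData || apData.Length <= sizeof(TOK_ID))
        {
            throw new FormatException(
                "Data length is shorter than a valid AP Response data length.");
        }

        // The TOK_ID enum value is the big-endian reading of the two wire bytes; byte-swap only on
        // little-endian hosts so BitConverter yields that value portably.
        byte[] tokenID = ArrayUtility.SubArray<byte>(apData, 0, sizeof(TOK_ID));
        if (BitConverter.IsLittleEndian)
        {
            Array.Reverse(tokenID);
        }
        TOK_ID id = (TOK_ID)BitConverter.ToUInt16(tokenID, 0);
        if (id != TOK_ID.KRB_AP_REP)
        {
            throw new FormatException("ApResponse Token ID should be KRB_AP_REP");
        }

        // Get apBody
        token = ArrayUtility.SubArray(apData, sizeof(TOK_ID));
    }

    KerberosApResponse apRep = new KerberosApResponse();
    apRep.FromBytes(token);

    // Decrypt enc_part with the AP session key established for this context.
    EncryptionType encryptType = (EncryptionType)apRep.Response.enc_part.etype.Value;
    byte[] cipherData = apRep.Response.enc_part.cipher.ByteArrayValue;
    byte[] sessionKey = this.Context.ApSessionKey.keyvalue.ByteArrayValue;
    byte[] clearText = KerberosUtility.Decrypt(encryptType, sessionKey, cipherData, (int)KeyUsageNumber.AP_REP_EncAPRepPart);

    // Decode enc_part into the response object.
    apRep.ApEncPart = new EncAPRepPart();
    apRep.ApEncPart.BerDecode(new Asn1DecodingBuffer(clearText));

    this.client.UpdateContext(apRep);
    return apRep;
}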
/// <summary>
/// Decrypt the enc-part of the KRB-PRIV held by this instance and decode it into priv_enc_part.
/// </summary>
/// <param name="subkey">Key (carrying its own etype) used to decrypt the KRB-PRIV enc-part.</param>
public void DecryptKrbPriv(EncryptionKey subkey)
{
    EncryptionType etype = (EncryptionType)subkey.keytype.Value;
    byte[] keyBytes = subkey.keyvalue.ByteArrayValue;
    byte[] cipher = krb_priv.enc_part.cipher.ByteArrayValue;

    // The key-usage number for a KRB-PRIV enc-part is fixed by the protocol.
    byte[] plain = KerberosUtility.Decrypt(etype, keyBytes, cipher, (int)KeyUsageNumber.KRB_PRIV_EncPart);

    Asn1DecodingBuffer buffer = new Asn1DecodingBuffer(plain);
    priv_enc_part.BerDecode(buffer);
}
/// <summary>
/// Decrypt the armored FAST request with the armor key and expose the result as FastReq.
/// </summary>
/// <param name="armorKey">Armor key; it is also remembered in ArmorKey.</param>
public void Decrypt(byte[] armorKey)
{
    ArmorKey = armorKey;

    Cryptographic.EncryptionType etype = (Cryptographic.EncryptionType)EncFastReq.etype.Value;
    byte[] plain = KerberosUtility.Decrypt(
        etype,
        armorKey,
        EncFastReq.cipher.ByteArrayValue,
        (int)KeyUsageNumber.FAST_ENC);

    // Decode the plaintext KrbFastReq and wrap it in the request model.
    Asn1DecodingBuffer buffer = new Asn1DecodingBuffer(plain);
    KrbFastReq inner = new KrbFastReq();
    inner.BerDecode(buffer);
    FastReq = new KerberosFastRequest(inner);
}
/// <summary>
/// Decrypt the ticket carried in the response and decode it into TicketEncPart.
/// </summary>
/// <param name="type">Encryption type of the ticket's enc-part.</param>
/// <param name="sessionKey">Key the ticket's enc-part was encrypted with.</param>
private void DecryptTicket(EncryptionType type, byte[] sessionKey)
{
    byte[] cipher = Response.ticket.enc_part.cipher.ByteArrayValue;
    byte[] plain = KerberosUtility.Decrypt(
        type,
        sessionKey,
        cipher,
        (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);

    // Assign before decoding so the field holds a fresh instance even if decoding fails.
    TicketEncPart = new EncTicketPart();
    Asn1DecodingBuffer buffer = new Asn1DecodingBuffer(plain);
    TicketEncPart.BerDecode(buffer);

    KerberosUtility.OnDumpMessage(
        "KRB5:TicketEncPart",
        "Encrypted Ticket in TGS-REP",
        KerberosUtility.DumpLevel.PartialMessage,
        plain);
}
/// <summary>
/// Decrypt the enc-part of the TGS-REP and decode it into EncPart.
/// </summary>
/// <param name="key">Key the TGS-REP enc-part was encrypted with.</param>
/// <param name="usage">Key-usage number to decrypt with; defaults to the TGS-REP encrypted-part usage.</param>
public void DecryptTgsResponse(byte[] key, KeyUsageNumber usage = KeyUsageNumber.TGS_REP_encrypted_part)
{
    EncryptionType etype = (EncryptionType)Response.enc_part.etype.Value;
    byte[] cipher = Response.enc_part.cipher.ByteArrayValue;
    byte[] plain = KerberosUtility.Decrypt(etype, key, cipher, (int)usage);

    // Assign before decoding so the field holds a fresh instance even if decoding fails.
    EncPart = new EncTGSRepPart();
    Asn1DecodingBuffer buffer = new Asn1DecodingBuffer(plain);
    EncPart.BerDecode(buffer);

    KerberosUtility.OnDumpMessage(
        "KRB5:TGS-REP(enc-part)",
        "Encrypted part of TGS-REP",
        KerberosUtility.DumpLevel.PartialMessage,
        plain);
}
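/// <summary>
/// Get the authorization data from the Ticket in an AS/TGS response.
/// </summary>
/// <param name="ticket">Ticket part that includes the authorization data.</param>
/// <param name="key">The key that encrypts the ticket part.</param>
/// <returns>Authorization data in the ticket (may be null if the ticket carries none).</returns>
/// <exception cref="ArgumentNullException"><paramref name="ticket"/> or <paramref name="key"/> is null.</exception>
public static AuthorizationData GetAuthDataInTicket(Ticket ticket, byte[] key)
{
    if (ticket == null)
    {
        throw new ArgumentNullException(nameof(ticket));
    }
    if (key == null)
    {
        throw new ArgumentNullException(nameof(key));
    }

    // The etype recorded in enc_part selects the cipher.
    EncryptionType encryptType = (EncryptionType)ticket.enc_part.etype.Value;
    byte[] clearText = KerberosUtility.Decrypt(
        encryptType,
        key,
        ticket.enc_part.cipher.ByteArrayValue,
        (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket);

    // Decode the ticket plaintext and pick out the authorization-data field.
    EncTicketPart encTicketPart = new EncTicketPart();
    encTicketPart.BerDecode(new Asn1DecodingBuffer(clearText));
    return encTicketPart.authorization_data;
}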
/// <summary>
/// Decrypt the armored FAST reply with the given key and return it as a KerberosFastResponse.
/// </summary>
/// <param name="key">Key (carrying its own etype) that encrypts enc_fast_rep.</param>
/// <returns>The decoded KrbFastResponse wrapped in a KerberosFastResponse.</returns>
public KerberosFastResponse GetKerberosFastRep(EncryptionKey key)
{
    var armored = GetArmoredRep();

    EncryptionType etype = (EncryptionType)key.keytype.Value;
    byte[] keyBytes = key.keyvalue.ByteArrayValue;
    byte[] cipher = armored.enc_fast_rep.cipher.ByteArrayValue;
    byte[] plain = KerberosUtility.Decrypt(etype, keyBytes, cipher, (int)KeyUsageNumber.FAST_REP);

    KerberosUtility.OnDumpMessage(
        "KRB5:KrbFastArmoredRep(enc-fast-req)",
        "An encrypted KrbFastRep in PA_FX_FAST_REPLY",
        KerberosUtility.DumpLevel.PartialMessage,
        plain);

    KrbFastResponse inner = new KrbFastResponse();
    inner.BerDecode(new Asn1DecodingBuffer(plain));
    KerberosFastResponse result = new KerberosFastResponse(inner);
    return result;
}
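/// <summary>
/// Decrypt the enc-part of the AP-REP with the given key and decode it into ApEncPart.
/// </summary>
/// <param name="key">Session key the AP-REP enc-part was encrypted with.</param>
public void Decrypt(byte[] key)
{
    var encryptType = (EncryptionType)Response.enc_part.etype.Value;
    var decoded = KerberosUtility.Decrypt(
        encryptType,
        key,
        Response.enc_part.cipher.ByteArrayValue,
        (int)KeyUsageNumber.AP_REP_EncAPRepPart);

    // Dump the plaintext once, before decoding, so it is available even if decoding fails.
    // (The same buffer was previously dumped twice, once mislabelled as PA-ENC-TS-ENC and once as AS-REP.)
    KerberosUtility.OnDumpMessage(
        "KRB5:AP-REP(enc-part)",
        "Encrypted part of AP-REP",
        KerberosUtility.DumpLevel.PartialMessage,
        decoded);

    // Assign before decoding so the field holds a fresh instance even if decoding fails.
    ApEncPart = new EncAPRepPart();
    ApEncPart.BerDecode(new Asn1DecodingBuffer(decoded));
}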
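/// <summary>
/// Decrypt the enc-part of the AS-REP and decode it as either EncASRepPart or EncTGSRepPart,
/// depending on the APPLICATION tag found in the plaintext.
/// </summary>
/// <param name="key">Reply key that encrypts the AS-REP enc-part.</param>
/// <exception cref="FormatException">
/// The decrypted data starts with neither the EncASRepPart nor the EncTGSRepPart tag.
/// </exception>
private void DecryptAsResponse(byte[] key)
{
    // APPLICATION tag numbers of the two reply types ([RFC4120] Section 5.4.2).
    const int EncAsRepPartTag = 25;
    const int EncTgsRepPartTag = 26;

    var encryptType = (EncryptionType)Response.enc_part.etype.Value;

    // RC4-HMAC replies are decrypted with the TGS-REP key-usage number even for an AS-REP
    // (existing behaviour of this code; presumably the RC4-HMAC quirk — confirm against [RFC4757]).
    int keyUsage = (int)KeyUsageNumber.AS_REP_ENCRYPTEDPART;
    if (encryptType == EncryptionType.RC4_HMAC)
    {
        keyUsage = (int)KeyUsageNumber.TGS_REP_encrypted_part;
    }

    var encPartRawData = KerberosUtility.Decrypt(
        encryptType,
        key,
        Response.enc_part.cipher.ByteArrayValue,
        keyUsage);

    // Peek at the outer tag to decide which structure the plaintext actually is.
    Asn1DecodingBuffer buf = new Asn1DecodingBuffer(encPartRawData);
    Asn1Tag tag;
    Asn1StandardProcedure.TagBerDecode(buf, out tag);

    // Some implementations unconditionally send an encrypted EncTGSRepPart in the field
    // regardless of whether the reply is an AS-REP or a TGS-REP. ([RFC4120] Section 5.4.2)
    if (tag.TagValue == EncAsRepPartTag)
    {
        EncPart = new EncASRepPart();
    }
    else if (tag.TagValue == EncTgsRepPartTag)
    {
        EncPart = new EncTGSRepPart();
    }
    else
    {
        // Include the offending value so a mismatched reply is diagnosable from the message alone.
        throw new FormatException("Unknown tag number: " + tag.TagValue);
    }

    EncPart.BerDecode(new Asn1DecodingBuffer(encPartRawData));

    KerberosUtility.OnDumpMessage(
        "KRB5:AS-REP(enc-part)",
        "Encrypted part of AS-REP",
        KerberosUtility.DumpLevel.PartialMessage,
        encPartRawData);
}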
/// <summary>
/// Decrypt the given security buffers through this client's Kerberos context.
/// </summary>
/// <param name="securityBuffers">Security buffers handed to KerberosUtility.Decrypt.</param>
/// <returns>The boolean result reported by KerberosUtility.Decrypt.</returns>
public override bool Decrypt(params SecurityBuffer[] securityBuffers)
{
    bool result = KerberosUtility.Decrypt(client, securityBuffers);
    return result;
}