/// <summary>
/// Builds a PA-ENC-TIMESTAMP pre-authentication entry: derives the client long-term key from
/// the password and salt, BER-encodes a PA-ENC-TS-ENC timestamp and encrypts it under that key.
/// </summary>
/// <param name="timeStamp">Client time placed in PA-ENC-TS-ENC (stored in TimeStamp).</param>
/// <param name="usec">Microsecond component of the timestamp (stored in Usec).</param>
/// <param name="eType">Encryption type used both for key derivation and for the timestamp encryption.</param>
/// <param name="password">Password the long-term key is derived from.</param>
/// <param name="salt">Salt fed to the key derivation.</param>
public PaEncTimeStamp(string timeStamp, int usec, EncryptionType eType, string password, string salt)
{
    this.TimeStamp = timeStamp;
    this.Usec = usec;

    // Derive the long-term key once and keep it on the instance for the caller.
    byte[] derivedKey = KeyGenerator.MakeKey(eType, password, salt);
    this.Key = new EncryptionKey(new KerbInt32((long)eType), new Asn1OctetString(derivedKey));

    // Plaintext PA-ENC-TS-ENC { patimestamp, pausec }.
    var timestampPart = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
    var plainBuffer = new Asn1BerEncodingBuffer();
    timestampPart.BerEncode(plainBuffer);
    byte[] plainBytes = plainBuffer.Data;
    KerberosUtility.OnDumpMessage(
        "KRB5:PA-ENC-TS-ENC",
        "Encrypted Timestamp Pre-authentication",
        KerberosUtility.DumpLevel.PartialMessage,
        plainBytes);

    // Seal the timestamp under the derived key with the PA-ENC-TIMESTAMP key usage.
    var keyType = (EncryptionType)this.Key.keytype.Value;
    byte[] sealedTimestamp = KerberosUtility.Encrypt(
        keyType,
        this.Key.keyvalue.ByteArrayValue,
        plainBytes,
        (int)KeyUsageNumber.PA_ENC_TIMESTAMP);

    // PA-ENC-TIMESTAMP is an EncryptedData; the middle (optional) field is left null as before.
    var paEncTimestamp = new PA_ENC_TIMESTAMP(
        new KerbInt32(this.Key.keytype.Value),
        null,
        new Asn1OctetString(sealedTimestamp));
    var paDataBuffer = new Asn1BerEncodingBuffer();
    paEncTimestamp.BerEncode(paDataBuffer, true);

    Data = new PA_DATA(
        new KerbInt32((long)PaDataType.PA_ENC_TIMESTAMP),
        new Asn1OctetString(paDataBuffer.Data));
}
/// <summary>
/// Builds a KDC-REQ-BODY and, when <paramref name="authData"/> is supplied, attaches it as
/// enc-authorization-data encrypted under the context session key.
/// </summary>
/// <param name="kdcOptions">KDC options for the request.</param>
/// <param name="sName">Service principal the request is for.</param>
/// <param name="authData">Optional authorization data; null leaves enc-authorization-data untouched.</param>
/// <returns>The populated KDC-REQ-BODY.</returns>
private KDC_REQ_BODY CreateKdcRequestBody(KdcOptions kdcOptions, PrincipalName sName, AuthorizationData authData = null)
{
    // The base body comes from the two-argument overload (defined outside this block).
    KDC_REQ_BODY body = this.CreateKdcRequestBody(kdcOptions, sName);
    if (authData == null)
    {
        return body;
    }

    var authBuffer = new Asn1BerEncodingBuffer();
    authData.BerEncode(authBuffer, true);
    byte[] payload = authBuffer.Data;

    // Fallback when no usable session key exists: etype 0 and the plaintext BER encoding in
    // the cipher field. RFC 4120 requires enc-authorization-data to be encrypted, so this path
    // is presumably a test-suite affordance for crafting non-conformant requests — confirm.
    var encData = new EncryptedData();
    encData.etype = new KerbInt32(0);

    var sessionKey = this.Context.SessionKey;
    bool keyUsable = sessionKey != null
        && sessionKey.keytype != null
        && sessionKey.keyvalue != null
        && sessionKey.keyvalue.Value != null;
    if (keyUsable)
    {
        payload = KerberosUtility.Encrypt(
            (EncryptionType)sessionKey.keytype.Value,
            sessionKey.keyvalue.ByteArrayValue,
            payload,
            (int)KeyUsageNumber.TGS_REQ_KDC_REQ_BODY_AuthorizationData);
        encData.etype = new KerbInt32(sessionKey.keytype.Value);
    }

    encData.cipher = new Asn1OctetString(payload);
    body.enc_authorization_data = encData;
    return body;
}
/// <summary>
/// Replaces the authorization-data in a ticket: decrypts enc-part with <paramref name="key"/>,
/// swaps in <paramref name="authorizationData"/>, and re-encrypts under the same key and etype.
/// </summary>
/// <param name="ticket">Ticket whose enc-part is rewritten in place.</param>
/// <param name="key">Key that protects the ticket's enc-part (the service's key for a real ticket).</param>
/// <param name="authorizationData">Authorization data to store in the EncTicketPart.</param>
public static void UpdateAuthDataInTicket(Ticket ticket, byte[] key, AuthorizationData authorizationData)
{
    var etype = (EncryptionType)ticket.enc_part.etype.Value;
    int ticketUsage = (int)KeyUsageNumber.AS_REP_TicketAndTGS_REP_Ticket;

    // Open the sealed EncTicketPart.
    byte[] plain = KerberosUtility.Decrypt(etype, key, ticket.enc_part.cipher.ByteArrayValue, ticketUsage);
    var encTicketPart = new EncTicketPart();
    encTicketPart.BerDecode(new Asn1DecodingBuffer(plain));

    encTicketPart.authorization_data = authorizationData;

    // Re-encode and re-seal with the same key usage; etype is preserved from the original ticket.
    var reencodeBuffer = new Asn1BerEncodingBuffer();
    encTicketPart.BerEncode(reencodeBuffer, true);
    byte[] cipher = KerberosUtility.Encrypt(etype, key, reencodeBuffer.Data, ticketUsage);

    // Middle (optional) EncryptedData field stays null, as in the original.
    ticket.enc_part = new EncryptedData(new KerbInt32((int)etype), null, new Asn1OctetString(cipher));
}
/// <summary>
/// Client-side processing of the server's AP-REP token: verifies it and, for DCE-style
/// contexts, produces the client's own AP-REP as the next output token.
/// </summary>
/// <param name="serverToken">GSS-API token carrying the server's AP-REP.</param>
private void ClientInitialize(byte[] serverToken)
{
    KerberosApResponse serverRep = this.GetApResponseFromToken(serverToken, KerberosConstValue.GSSToken.GSSAPI);
    this.VerifyApResponse(serverRep);
    this.token = null;

    bool dceStyle = (contextAttribute & ClientSecurityContextAttribute.DceStyle) == ClientSecurityContextAttribute.DceStyle;
    if (dceStyle)
    {
        KerberosApResponse clientRep = this.CreateApResponse(null);
        var encodeBuffer = new Asn1BerEncodingBuffer();

        if (clientRep.ApEncPart != null)
        {
            clientRep.ApEncPart.BerEncode(encodeBuffer, true);

            EncryptionKey sessionKey = this.Context.ApSessionKey;
            bool keyUsable = sessionKey != null
                && sessionKey.keytype != null
                && sessionKey.keyvalue != null
                && sessionKey.keyvalue.Value != null;
            if (!keyUsable)
            {
                throw new ArgumentException("Ap session key is not valid");
            }

            // Seal EncAPRepPart under the AP session key.
            var eType = (EncryptionType)sessionKey.keytype.Value;
            byte[] encPartCipher = KerberosUtility.Encrypt(
                eType,
                sessionKey.keyvalue.ByteArrayValue,
                encodeBuffer.Data,
                (int)KeyUsageNumber.AP_REP_EncAPRepPart);
            clientRep.Response.enc_part = new EncryptedData(new KerbInt32((int)eType), null, new Asn1OctetString(encPartCipher));
        }

        // NOTE(review): encodeBuffer already received the plaintext EncAPRepPart above and is
        // reused for the outer AP-REP. Whether BerEncode resets the buffer is not visible from this
        // file; if it appends, the emitted token would carry the plaintext enc-part (including any
        // subkey) after the AP-REP — confirm against Asn1BerEncodingBuffer.
        clientRep.Response.BerEncode(encodeBuffer, true);

        bool dceChecksumFlag = (this.Context.ChecksumFlag & ChecksumFlags.GSS_C_DCE_STYLE) == ChecksumFlags.GSS_C_DCE_STYLE;
        if (dceChecksumFlag)
        {
            // DCE mode: the AP-REP goes out bare, with no GSS-API wrapping ([RFC2743] section 3.1).
            this.token = encodeBuffer.Data;
        }
        else
        {
            byte[] tokId = BitConverter.GetBytes(KerberosUtility.ConvertEndian((ushort)TOK_ID.KRB_AP_REP));
            this.token = KerberosUtility.AddGssApiTokenHeader(ArrayUtility.ConcatenateArrays(tokId, encodeBuffer.Data));
        }
    }

    this.needContinueProcessing = false; // SEC_E_OK;
}
/// <summary>
/// Builds a kpasswd change-password request: an AP-REQ over the supplied ticket plus a KRB-PRIV
/// carrying the new password, then fills the version/length header fields.
/// </summary>
/// <param name="ticket">Ticket for the AP-REQ; its session key seals the authenticator.</param>
/// <param name="authenticator">Authenticator for the AP-REQ; its subkey seals the KRB-PRIV part and its cusec/seq_number are copied into it.</param>
/// <param name="newPwd">New password placed in ChangePasswdData.newpasswd.</param>
/// <param name="isAuthErrorRequired">When true the KRB-PRIV part is encrypted with key usage None instead of KRB_PRIV_EncPart, presumably to provoke a rejection on the server — confirm with callers.</param>
public KpasswordRequest(KerberosTicket ticket, Authenticator authenticator, string newPwd, bool isAuthErrorRequired = false)
{
    long pvno = KerberosConstValue.KERBEROSV5;

    // AP-REQ with no AP options.
    var apOptions = new APOptions(KerberosUtility.ConvertInt2Flags((int)ApOptions.None));
    var apReq = new KerberosApRequest(pvno, apOptions, ticket, authenticator, KeyUsageNumber.AP_REQ_Authenticator);

    // EncKrbPrivPart: new password as user_data, timing/sequence copied from the authenticator,
    // s_address set to this host's name as a NetBIOS address (ASCII bytes).
    var changeData = new ChangePasswdData(new Asn1OctetString(newPwd), null, null);
    priv_enc_part = new EncKrbPrivPart();
    priv_enc_part.user_data = changeData.newpasswd;
    priv_enc_part.usec = authenticator.cusec;
    priv_enc_part.seq_number = authenticator.seq_number;
    priv_enc_part.s_address = new HostAddress(
        new KerbInt32((int)AddressType.NetBios),
        new Asn1OctetString(Encoding.ASCII.GetBytes(System.Net.Dns.GetHostName())));

    var privPlainBuffer = new Asn1BerEncodingBuffer();
    priv_enc_part.BerEncode(privPlainBuffer, true);

    // Key usage None is the deliberate "wrong usage" variant; otherwise the standard KRB-PRIV usage.
    KeyUsageNumber privUsage = isAuthErrorRequired ? KeyUsageNumber.None : KeyUsageNumber.KRB_PRIV_EncPart;
    byte[] privCipher = KerberosUtility.Encrypt(
        (EncryptionType)authenticator.subkey.keytype.Value,
        authenticator.subkey.keyvalue.ByteArrayValue,
        privPlainBuffer.Data,
        (int)privUsage);

    var privEncrypted = new EncryptedData();
    privEncrypted.etype = new KerbInt32(authenticator.subkey.keytype.Value);
    privEncrypted.cipher = new Asn1OctetString(privCipher);
    var krbPriv = new KRB_PRIV(new Asn1Integer(pvno), new Asn1Integer((long)MsgType.KRB_PRIV), privEncrypted);

    // Encode both messages into the instance buffers; the header lengths are derived from them.
    krbPriv.BerEncode(privBuffer, true);
    apReq.Request.BerEncode(apBuffer, true);

    // Header: version 1, ap_req_length, and msg_length = both bodies plus three ushort header fields.
    // NOTE(review): the ushort casts truncate silently if either encoding exceeds 65535 bytes.
    version = 0x0001;
    ap_req_length = (ushort)apBuffer.Data.Length;
    msg_length = (ushort)(ap_req_length + privBuffer.Data.Length + 3 * sizeof(ushort));

    // Byte-swap the header fields (presumably to network order).
    version = KerberosUtility.ConvertEndian(version);
    ap_req_length = KerberosUtility.ConvertEndian(ap_req_length);
    msg_length = KerberosUtility.ConvertEndian(msg_length);
}
/// <summary>
/// Builds an AP-REQ: BER-encodes the authenticator, seals it under the ticket's session key with
/// the given key usage, and assembles the AP_REQ structure.
/// </summary>
/// <param name="pvno">Protocol version number placed in the AP-REQ.</param>
/// <param name="ap_options">AP options for the request.</param>
/// <param name="ticket">Ticket whose session key encrypts the authenticator and whose Ticket is embedded.</param>
/// <param name="authenticator">Authenticator to encrypt; also retained on the instance.</param>
/// <param name="keyUsageNumber">Key usage for the authenticator encryption (normally AP_REQ_Authenticator).</param>
public KerberosApRequest(long pvno, APOptions ap_options, KerberosTicket ticket, Authenticator authenticator, KeyUsageNumber keyUsageNumber)
{
    // Plaintext authenticator, dumped before sealing.
    var plainAuthBuffer = new Asn1BerEncodingBuffer();
    authenticator.BerEncode(plainAuthBuffer, true);
    byte[] plainAuth = plainAuthBuffer.Data;
    KerberosUtility.OnDumpMessage(
        "KRB5:Authenticator",
        "Authenticator in AP-REQ structure",
        KerberosUtility.DumpLevel.PartialMessage,
        plainAuth);

    var sessionKey = ticket.SessionKey;
    byte[] sealedAuth = KerberosUtility.Encrypt(
        (EncryptionType)sessionKey.keytype.Value,
        sessionKey.keyvalue.ByteArrayValue,
        plainAuth,
        (int)keyUsageNumber);

    var encrypted = new EncryptedData();
    encrypted.etype = new KerbInt32(sessionKey.keytype.Value);
    encrypted.cipher = new Asn1OctetString(sealedAuth);

    Request = new AP_REQ(
        new Asn1Integer(pvno),
        new Asn1Integer((long)MsgType.KRB_AP_REQ),
        ap_options,
        ticket.Ticket,
        encrypted);
    Authenticator = authenticator;
}
/// <summary>
/// Builds a PA-ENCRYPTED-CHALLENGE entry (RFC 6113): derives the challenge key with KRB-FX-CF2
/// from the FAST armor key and the user's long-term key, then encrypts a timestamp under it.
/// </summary>
/// <param name="type">Encryption type recorded on the derived key; only AES256_CTS_HMAC_SHA1_96 and RC4_HMAC are accepted.</param>
/// <param name="timeStamp">Client time placed in PA-ENC-TS-ENC (stored in TimeStamp).</param>
/// <param name="usec">Microsecond component of the timestamp (stored in Usec).</param>
/// <param name="armorKey">FAST armor key; its etype selects the KRB-FX-CF2 variant.</param>
/// <param name="userLongTermKey">User's long-term key; only its key bytes are used.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="type"/> is not one of the two supported types.</exception>
public PaEncryptedChallenge(EncryptionType type, string timeStamp, int usec, EncryptionKey armorKey, EncryptionKey userLongTermKey)
{
    this.TimeStamp = timeStamp;
    this.Usec = usec;

    // Challenge key = KRB-FX-CF2(armor, long-term, "clientchallengearmor", "challengelongterm").
    var challengeKeyBytes = KeyGenerator.KrbFxCf2(
        (EncryptionType)armorKey.keytype.Value,
        armorKey.keyvalue.ByteArrayValue,
        userLongTermKey.keyvalue.ByteArrayValue,
        "clientchallengearmor",
        "challengelongterm");

    // Validation happens after derivation, matching the original ordering of side effects.
    bool supported = type == EncryptionType.AES256_CTS_HMAC_SHA1_96 || type == EncryptionType.RC4_HMAC;
    if (!supported)
    {
        throw new ArgumentException("Unsupported encryption type.");
    }
    this.Key = new EncryptionKey(new KerbInt32((long)type), new Asn1OctetString(challengeKeyBytes));

    // Plaintext PA-ENC-TS-ENC { patimestamp, pausec }.
    var timestampPart = new PA_ENC_TS_ENC(new KerberosTime(this.TimeStamp), new Microseconds(this.Usec));
    var plainBuffer = new Asn1BerEncodingBuffer();
    timestampPart.BerEncode(plainBuffer);
    byte[] plainBytes = plainBuffer.Data;
    KerberosUtility.OnDumpMessage(
        "KRB5:PA-ENC-TS-ENC",
        "Encrypted Timestamp Pre-authentication",
        KerberosUtility.DumpLevel.PartialMessage,
        plainBytes);

    // Seal the timestamp under the challenge key with the client-side challenge key usage.
    byte[] sealedTimestamp = KerberosUtility.Encrypt(
        (EncryptionType)this.Key.keytype.Value,
        this.Key.keyvalue.ByteArrayValue,
        plainBytes,
        (int)KeyUsageNumber.ENC_CHALLENGE_CLIENT);

    // EncryptedChallenge is an EncryptedData; the middle (optional) field is left null as before.
    var encryptedChallenge = new EncryptedChallenge(
        new KerbInt32((long)this.Key.keytype.Value),
        null,
        new Asn1OctetString(sealedTimestamp));
    var paDataBuffer = new Asn1BerEncodingBuffer();
    encryptedChallenge.BerEncode(paDataBuffer, true);

    Data = new PA_DATA(
        new KerbInt32((long)PaDataType.PA_ENCRYPTED_CHALLENGE),
        new Asn1OctetString(paDataBuffer.Data));
}
/// <summary>
/// Protects the supplied security buffers by forwarding them, together with the stored
/// client context, to <see cref="KerberosUtility.Encrypt"/>.
/// </summary>
/// <param name="securityBuffers">Buffers handed to the utility; see it for which buffer types are consumed and rewritten.</param>
public override void Encrypt(params SecurityBuffer[] securityBuffers)
    => KerberosUtility.Encrypt(client, securityBuffers);