Assignment 3 : Applet Programming - Kerberos/Smartcard Integration

2/1/2000, Naomaru Itoi (
(Updated 2/12/2000)
(Updated 11/5/2000)

In this assignment, you are to learn card side programming by implementing a Kerberos client applet in Cyberflex Access. You are asked to write the Java applet which receives the encrypted AS_REP from kinit, decrypts it, and returns the plain text AS_REP to the host. Please submit the binary so that we can test it.

Problem Description

  1. Write the Java Applet
    Write the Java applet which decrypts the AS_REP sent by kinit. With the -E (port_num) option, /afs/ sends the encrypted AS_REP to the card.
    % ./kinit -E 1 -d ./ itoi@UMICH.EDU
    kinit sends the following APDU to the card:
    03 10 00 00 len
    Where len is the length of the encrypted AS_REP, and the data is the encrypted AS_REP itself. Your applet should decrypt this data with key number 6 in the key file (3f00/0011), and return the plain text AS_REP to the host. kinit will then obtain the response via the get_response APDU.
    AS_REP is encrypted with the client key by DES CBC mode. It is typically 200 - 250 byte long. The initialization vector of CBC should be set to 0.


  2. Load the Applet
    First, load the applet like we did in Assignment #1. Then, set the loaded applet as default.
    Since kinit does not select an applet, after loading your applet, you have to set your applet as "default applet" so that it is automatically selected after the card is reset. The js command of pay makes a selected applet default. You need to select an applet by its file name of its data container, instead of AID, (like jl and jp do) for this to work. Here is an example of command sequence to load and select an applet before running kinit .
    pay> 2
    pay> jq
    pay> ju
    pay> jl Krb.bin
    pay> jq
    pay> f 3f.00
    pay> f 77.78
    pay> js
    pay> q
    To unelect your applet (and therefore reselect the default loader), use jq command in pay .

  3. Obtain and Load Keys
    kinit with -K option prints out your key when you are authenticated.
    xor% kinit -K itoi@UMICH.EDU
    Password for itoi@UMICH.EDU:
    11 22 33 44 55 66 77 88
    Then load the printed key into the card with "jk" command of pay.
    pay> jk 1
    class F0
    Verify key: 90 00 ok
    ca_load_key buf=jk 1

    key 0 : <- paste the 8 byte key here
  4. Test it
    Use kinit and klist in sc_seminar/bin/
    xor% pwd
    xor% ./kinit -d ./ -E 1 itoi@UMICH.EDU
    decrypt TGS_REP (224)

    xor% ./klist
    Ticket cache: /tmp/tkt10698020706m.oA_
    Default principal: itoi@UMICH.EDU

    Valid starting Expires Service principal
    06 Nov 00 15:37:04 06 Nov 00 16:02:03 krbtgt/UMICH.EDU@UMICH.EDU
    If you want to try, you can use aklog to convert the K5 ticket to AFS token, and krb524init to Krb4 ticket (to use kpop, for example).


    All right, another assignment is done. As always, send questions to If you want to do more development / research on the project, please let us know.