[1876] in Kerberos_V5_Development


Re: bug in the rfc and in the kdc

daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Fri Oct 25 14:47:21 1996

Date: Fri, 25 Oct 1996 14:45:32 -0400
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Marc Horowitz <marc@cygnus.com>
Cc: krbdev@MIT.EDU
In-Reply-To: Marc Horowitz's message of 24 Oct 1996 22:33:22 -0400,
	<t53vibz4vt9.fsf@rover.cygnus.com>

   From: Marc Horowitz <marc@cygnus.com>
   Date: 24 Oct 1996 22:33:22 -0400
   Lines: 36
   X-Mailer: Gnus v5.3/Emacs 19.34

   oh boy.  rfc1510 section 3.3.2 states: ...

   Thus, the checksum in the authenticator must be keyed and
   collision-proof.

   rfc1510 section 5.4.1 says:

				    The checksum in the authenticator
		(which must be collisionproof) is to be computed over the
		KDC-REQ-BODY encoding.

   Which just requires that it be collision-proof.  These two sections
   conflict.

Well, if you take the union of the two constraints, it's not a
contradiction...  but yes, the text should be fixed to say that the
checksum must be keyed AND collision proof, per section 3.3.2.

   In addition, section 5.4.2 says:

		       For KRB_TGS_REP, the ciphertext is encrypted in the
      sub-session key from the Authenticator, or if absent, the session key
      from the ticket-granting ticket used in the request.  

   The "sub-session key from the Authenticator" is exactly what is
   referenced by the kdc implementation when verifying the checksum in
   the KDC-REQ.  So, in our implementation, this key must be present, or
   the kdc will core dump (hmm). The RFC says that this field in the
   request is OPTIONAL.

(from a later message)

   Ok, this is wrong; the key in the ticket is used to verify the
   checksum.  (Which key should be used for this is not specified; this
   is another bug in the rfc.)

Huh?  Section 5.4.2 is quite explicit.  Use the sub-session key if
present, otherwise use the ticket-granting ticket key.

Our implementation isn't checking the sub-session key in the
authenticator; this is a bug.  But adding this shouldn't be all that
difficult.  (We need to modify comp_cksum() in kdc_util.c)

						- Ted
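
The two RFC 1510 rules quoted in this thread, as an added C example (not part of the original message and not the MIT kdc source): the authenticator checksum type must be both keyed and collision-proof, and the KRB_TGS_REP key is the authenticator's sub-session key or, when that OPTIONAL field is absent, the session key from the ticket-granting ticket. Struct and function names are hypothetical; the checksum type numbers are the ones assigned in RFC 1510 section 6.4.

```c
#include <stddef.h>
#include <stdio.h>

/* Checksum type numbers as assigned in RFC 1510 section 6.4. */
enum { CK_CRC32 = 1, CK_RSA_MD4 = 2, CK_RSA_MD4_DES = 3,
       CK_DES_MAC = 4, CK_RSA_MD5 = 7, CK_RSA_MD5_DES = 8 };
enum { F_KEYED = 1, F_COLLISION_PROOF = 2 };

/* Hypothetical, simplified structures (not the MIT krb5 types). */
struct keyblock { int enctype; unsigned char bytes[8]; };
struct authenticator { int cksumtype; const struct keyblock *subkey; /* NULL = absent */ };
struct ticket { struct keyblock session; };

static int cksum_flags(int type) {
    switch (type) {
    case CK_RSA_MD4: case CK_RSA_MD5:
        return F_COLLISION_PROOF;               /* unkeyed digests */
    case CK_RSA_MD4_DES: case CK_DES_MAC: case CK_RSA_MD5_DES:
        return F_KEYED | F_COLLISION_PROOF;
    default:
        return 0;                               /* CRC32 and unknown types */
    }
}

/* Section 3.3.2 rule: keyed AND collision-proof. */
int cksum_acceptable(int type) {
    int need = F_KEYED | F_COLLISION_PROOF;
    return (cksum_flags(type) & need) == need;
}

/* Section 5.4.2 rule for the KRB_TGS_REP key; never dereferences an absent subkey. */
const struct keyblock *tgs_rep_key(const struct authenticator *a, const struct ticket *tgt) {
    if (tgt == NULL) return NULL;
    if (a != NULL && a->subkey != NULL) return a->subkey;
    return &tgt->session;
}

/* Constructed sample request: returns 1 if the subkey is chosen, 0 if the TGT session key is. */
int demo_uses_subkey(int with_subkey) {
    struct keyblock sub = { 1, { 0xAA } };
    struct ticket tgt = { { 1, { 0x55 } } };
    struct authenticator a = { CK_RSA_MD5_DES, with_subkey ? &sub : NULL };
    return tgs_rep_key(&a, &tgt) == &sub;
}

int main(void) {
    printf("crc32 ok=%d rsa-md5 ok=%d rsa-md5-des ok=%d\n", cksum_acceptable(CK_CRC32),
           cksum_acceptable(CK_RSA_MD5), cksum_acceptable(CK_RSA_MD5_DES));
    printf("subkey present -> %d, absent -> %d\n", demo_uses_subkey(1), demo_uses_subkey(0));
    return 0;
}
```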

