[1877] in Kerberos_V5_Development
Re: bug in the rfc and in the kdc
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Fri Oct 25 15:11:09 1996
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Fri, 25 Oct 1996 14:45:32 EDT."
<9610251845.AA13949@dcl.MIT.EDU>
Date: Fri, 25 Oct 1996 15:09:42 EDT
From: Marc Horowitz <marc@MIT.EDU>
>> Well, if you take the union of the two constraints, it's not a
>> contradiction... but yes, the text should be fixed to say that the
>> checksum must be keyed AND collision proof, per section 3.3.2.

I can't think of any good reason why it needs to be keyed. The
checksum is inside the authenticator, which is encrypted itself. I
suppose keying it could protect against some obscure cryptanalytic
attack.

>> Huh? Section 5.4.2 is quite explicit. Use the sub-session key if
>> present, otherwise use the ticket-granting ticket key.

I don't have my original messages around anymore, but there's clearly
some confusion. I'm talking about the Checksum in the Authenticator
in the PA-TGS-REQ padata of the TGS-REQ. Section 5.4.2 is explicit,
but it talks about the TGS-REP.

>> Our implementation isn't checking the sub-session key in the
>> authenticator; this is a bug. But adding this shouldn't be all that
>> difficult. (We need to modify comp_cksum() in kdc_util.c)

comp_cksum() verifies the Checksum in the TGS-REQ. It is not used in
generating the TGS-REP. It uses the key in the Ticket, which seems
like as good a key as any, but this should be made explicit.

The only text I can find describing the Checksum in the TGS-REQ is
here, from section 5.4.1:

    padata    The padata (pre-authentication data) field contains a of
              authentication information which may be needed before
              credentials can be issued or decrypted. In the case of
              requests for additional tickets (KRB_TGS_REQ), this field
              will include an element with padata-type of PA-TGS-REQ and
              data of an authentication header (ticket-granting ticket
              and authenticator).
>             The checksum in the authenticator
>             (which must be collisionproof) is to be computed over the
>             KDC-REQ-BODY encoding.
              In most requests for initial
              authentication (KRB_AS_REQ) and most replies (KDC-REP), the
              padata field will be left out.

and here, from section 3.3.2:

    Once the accompanying ticket has been decrypted, the user-supplied
    checksum in the Authenticator must be verified against the contents
    of the request, and the message rejected if the checksums do not
    match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
    is not keyed or not collision-proof (with an error code of
    KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported, the
    KDC_ERR_SUMTYPE_NOSUPP error is returned.

None of this mentions what key is to be used if the checksum is keyed.

Marc
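
Added example, not part of the message above and not MIT krb5 code: a sketch of the section 3.3.2 checks on the TGS-REQ Authenticator checksum, with a switch showing how the 5.4.1 wording (collision-proof only) and the 3.3.2 wording (keyed and collision-proof) treat an unkeyed rsa-md5 checksum differently. The function names, the order of the checks, the choice of the ticket session key, and the HMAC-MD5 stand-in for the DES-based keyed checksum are assumptions of this example.

```python
import hashlib
import hmac

# Error codes as numbered in RFC 1510.
KDC_ERR_SUMTYPE_NOSUPP = 15
KRB_AP_ERR_MODIFIED = 41
KRB_AP_ERR_INAPP_CKSUM = 50

# RFC 1510 checksum type number -> (name, keyed, collision_proof)
CKSUM_TYPES = {
    1: ("crc32", False, False),
    7: ("rsa-md5", False, True),
    8: ("rsa-md5-des", True, True),
}


def compute(cksumtype, key, data):
    """Checksum over data. Type 7 is plain MD5; type 8 is a constructed
    stand-in (HMAC-MD5), NOT the DES-based algorithm of RFC 1510."""
    if cksumtype == 7:
        return hashlib.md5(data).digest()
    if cksumtype == 8:
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError("no implementation for checksum type %d" % cksumtype)


def check_tgs_req_checksum(cksumtype, cksum, req_body, key, require_keyed=True):
    """Return 0 or an error code for the Authenticator checksum of a TGS-REQ.

    req_body: encoded KDC-REQ-BODY the checksum is computed over (5.4.1).
    key: assumed here to be the session key from the ticket; the quoted
         RFC text does not say which key a keyed checksum uses.
    require_keyed: True follows 3.3.2 (keyed AND collision-proof);
         False follows the 5.4.1 wording (collision-proof only).
    """
    if cksumtype not in CKSUM_TYPES:
        return KDC_ERR_SUMTYPE_NOSUPP
    _name, keyed, collision_proof = CKSUM_TYPES[cksumtype]
    # Reject on the type's properties before doing any cryptographic work.
    if not collision_proof or (require_keyed and not keyed):
        return KRB_AP_ERR_INAPP_CKSUM
    expected = compute(cksumtype, key, req_body)
    if not hmac.compare_digest(expected, cksum):
        return KRB_AP_ERR_MODIFIED
    return 0
```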