Re: arcfour: hmac-md5 vs. md5

[Simon Josefsson]

Elrond <address@hidden> writes:

> Okay,
>
> this is still about TGS. I just noticed, that we have too
> many buttons (parameters) to press and try stuff. So I
> decided to start from scratch and look only at one
> parameter:

Always a good idea!

> arcfour-hmacs default checksum.
> Either hmac-md5 or plain-md5 (MD_RSA_MD5).
> (I modified crypto-rc4.c for this "parameter change").

Ok.

> w2k3-kdc:
>
>       Sending a TGS with hmac-md5 gets me a "Message
>       stream modified" from the w2k3-kdc.

Given your subkey discussion, I suspect this is because of the subkey
problems.  I strongly doubt that I got the hmac-md5 implementation
wrong.

>       Doing the same with plain-md5 gets me a response,
>       that shishi can't decrypt.

That would be consistent with a subkey problem: md5 is not keyed, so
which key should be used doesn't matter.

The reason heimdal handle this case (it always uses plain-md5 here) is
likely that it doesn't set a subkey.

> heimdal-kdc:
>       Version: 0.7.2 from Debian/testing
>
>       Both variants work and I can't really discover any
>       difference.

Except the subkey...

>       Both give this warning from shishi at TGS-time:
>
>       "libshishi: warning: KDC bug: Reply encrypted using wrong key."

Yup, Heimdal ignore the subkey and encrypt the response using the
ticket key.  That is wrong.

> From my limited point of view, this looks like shishi and
> heimdal are consistent to each other with the hmac-md5, but
> shishi and w2k3 do not seem to share this.
>
> This is particular confusing to me, as arcfour-hmac was
> invented by the guys at ms. So either their spec isn't
> correct or heimdal and you seem to have misread it (no
> reproach intended!).

When I read your e-mail, after considering that without subkeys
everything works, I think it makes sense.

The only remaining detail is to investigate further exactly what w2k3
does when it is given a subkey.  When plain-md5 was used, it did send
a response, but we couldn't decrypt it.  If we debug that case
further, maybe we can figure out which key it is using.

>> I have a vague memory that ARCFOUR-HMAC checksum was invented later
>> than the ARCFOUR encryption scheme.  So it may be that w2k3 doesn't
>> support it in the same way as shishi implement it.  If Heimdal doesn't
>> use it against w2k3, maybe we shouldn't either.  But that doesn't
>> really answer why things behave as they do for you below.
>
> Looking at the subkey parameter test (previous mail), I
> start to suspect, that the authenticator's checksum is
> keyed using the subkey or something.

Hm, shishi_tkt_key() tries to get two keys, but none is the subkey.

> And I further guess, that heimdal (as shishi) just ignores
> the subkey for most things.
>
> Which one is "correct according to the specs":
> You know the specs better than me.

Searching section 3.3 (TGS) for "sub", "session" or "key" make it
clear to me that subkeys are supported.  However, no other client
appear to use it for TGS, so maybe it is not tested enough.

/Simon