Re: arcfour: hmac-md5 vs. md5
From: Elrond
Subject: Re: arcfour: hmac-md5 vs. md5
Date: Thu, 4 May 2006 13:07:41 +0200
User-agent: Mutt/1.5.9i
On Thu, May 04, 2006 at 11:12:31AM +0200, Simon Josefsson wrote:
[...]
> Given your subkey discussion, I suspect this is because of the subkey
> problems. I strongly doubt that I got the hmac-md5 implementation
> wrong.
At least not entirely wrong. It works without a subkey (so
it is correct for the "normal key").
> > Doing the same with plain-md5 gets me a response,
> > that shishi can't decrypt.
>
> That would be consistent with a subkey problem: md5 is not keyed, so
> which key should be used doesn't matter.
>
> The reason heimdal handles this case (it always uses plain-md5 here) is
> likely that it doesn't set a subkey.
Right, heimdal has no subkey in its TGS-requests.
> > heimdal-kdc:
> > Version: 0.7.2 from Debian/testing
> >
> > Both variants work and I can't really discover any
> > difference.
>
> Except the subkey...
>
> > Both give this warning from shishi at TGS-time:
> >
> > "libshishi: warning: KDC bug: Reply encrypted using wrong key."
>
> Yup, Heimdal ignores the subkey and encrypts the response using the
> ticket key. That is wrong.
Ahh.
> > From my limited point of view, this looks like shishi and
> > heimdal are consistent to each other with the hmac-md5, but
> > shishi and w2k3 do not seem to share this.
> >
> > This is particularly confusing to me, as arcfour-hmac was
> > invented by the guys at ms. So either their spec isn't
> > correct or heimdal and you seem to have misread it (no
> > reproach intended!).
>
> When I read your e-mail, after considering that without subkeys
> everything works, I think it makes sense.
Right, things start to look more consistent.
> The only remaining detail is to investigate further exactly what w2k3
> does when it is given a subkey. When plain-md5 was used, it did send
> a response, but we couldn't decrypt it. If we debug that case
> further, maybe we can figure out which key it is using.
So your suggestion for "what next" is to use
checksum: md5
subkey: enabled
and see if we get the response decrypted?
My other suggestion would be:
checksum: hmac-md5
subkey: enabled
and see if we can get the checksum in the authenticator in
a way that w2k3-kdc will like.
What do you think?
> >> I have a vague memory that ARCFOUR-HMAC checksum was invented later
> >> than the ARCFOUR encryption scheme. So it may be that w2k3 doesn't
> >> support it in the same way as shishi implements it. If Heimdal doesn't
> >> use it against w2k3, maybe we shouldn't either. But that doesn't
> >> really answer why things behave as they do for you below.
> >
> > Looking at the subkey parameter test (previous mail), I
> > start to suspect, that the authenticator's checksum is
> > keyed using the subkey or something.
>
> Hm, shishi_tkt_key() tries to get two keys, but none is the subkey.
What do you want to say?
> > And I further guess, that heimdal (as shishi) just ignores
> > the subkey for most things.
> >
> > Which one is "correct according to the specs":
> > You know the specs better than me.
>
> Searching section 3.3 (TGS) for "sub", "session" or "key" makes it
> clear to me that subkeys are supported. However, no other client
> appears to use it for TGS, so maybe it is not tested enough.
Ahhh, quite likely.
> /Simon
Elrond
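The point Simon makes above, that an unkeyed md5 checksum verifies no matter which key the peer picked while an hmac-md5 checksum only verifies under the key it was computed with, can be checked without a KDC. The snippet below is an added illustration, not Shishi's or Heimdal's code: it builds the RC4-HMAC keyed checksum as RFC 4757 section 4 describes it (not quoted in this thread), assumes key usage 6 for the TGS-REQ authenticator checksum (RFC 4120 section 7.5.1), and uses constructed keys and request data.

```python
import hashlib
import hmac

# Key usage number for the TGS-REQ authenticator checksum (RFC 4120, 7.5.1).
KU_TGS_REQ_AUTH_CKSUM = 6


def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Keyed HMAC-MD5 checksum as RC4-HMAC defines it (RFC 4757 section 4).

    Ksign = HMAC-MD5(K, "signaturekey\\0"); checksum = HMAC-MD5(Ksign, MD5(T || data))
    with T the key usage as a 4-byte little-endian integer.
    """
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(usage.to_bytes(4, "little") + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def make_checksum(cksumtype: str, key: bytes, usage: int, data: bytes) -> bytes:
    """Compute the authenticator checksum; plain md5 simply ignores the key."""
    if cksumtype == "md5":
        return hashlib.md5(data).digest()
    if cksumtype == "hmac-md5":
        return rc4_hmac_checksum(key, usage, data)
    raise ValueError(f"unsupported checksum type: {cksumtype}")


def verify_checksum(cksumtype: str, key: bytes, usage: int, data: bytes, cksum: bytes) -> bool:
    """Verify in constant time; for md5 the key the verifier chose is irrelevant."""
    return hmac.compare_digest(make_checksum(cksumtype, key, usage, data), cksum)


def session_vs_subkey_demo() -> dict:
    """Client checksums with the session key; the verifier tries both keys.

    Returns {cksumtype: {"session_key": bool, "subkey": bool}}.
    """
    session_key = bytes(range(16))        # constructed, not a real key
    subkey = bytes(range(16, 32))         # constructed authenticator subkey
    req_body = b"constructed TGS-REQ body"
    results = {}
    for cksumtype in ("md5", "hmac-md5"):
        cksum = make_checksum(cksumtype, session_key, KU_TGS_REQ_AUTH_CKSUM, req_body)
        results[cksumtype] = {
            "session_key": verify_checksum(cksumtype, session_key, KU_TGS_REQ_AUTH_CKSUM, req_body, cksum),
            "subkey": verify_checksum(cksumtype, subkey, KU_TGS_REQ_AUTH_CKSUM, req_body, cksum),
        }
    return results
```

With md5 both verifications succeed, so a KDC that keys the check with the wrong key never notices; with hmac-md5 only the session key verifies, which is the kind of mismatch that shows up as a rejected TGS-REQ when the two sides disagree on whether the subkey is involved.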