Re: TGS revisited
From: Elrond
Subject: Re: TGS revisited
Date: Wed, 26 Apr 2006 00:56:30 +0200
User-agent: Mutt/1.5.9i
On Tue, Apr 25, 2006 at 11:36:23PM +0200, Simon Josefsson wrote:
[...]
> > 2) shishi has a sub-key and sequence number in the TGS-REQ.
> > heimdal doesn't. (no idea, if that is good or not.)
>
> These are likely next candidates, although they shouldn't cause
> problems. However, Heimdal handles TGS-REQ with subkeys incorrectly,
> so it isn't unlikely that w3k3 does something even worse.
Oh well...
> The seq-number shouldn't cause problems, but we could try removing it,
> it really shouldn't be there.
So according to the specs, those parts should not be there?
> > 3) I'm starting to get the feeling, that something on my
> > box is somewhat mixed up.
>
> I'm not so sure -- let's try to make the ASN.1 packets as similar as
> possible first, to rule out any of those problems. We have three
> items above to deal with first.
Okay.
> > a) If I find the time, I will compile it on another box
> > with access to the w2k3-kdc.
> > b) Do I have a realistic chance to verify checksums by
> > "hand"? Setting it to md5 in crypto-rc4 would be my
> > first step, so that I would "only" need to run md5 on
> > some parts of the packet.
>
> Shouldn't be too hard, the checksum is computed over the DER encoding
> of the req-body in the KDC-REQ.
So that should be just md5 of the rest of the packet after
the authenticator?
And everything I need to take the md5 of should be
unencrypted? That's nice, because it should be simple to do
with any packet capturing tool.
(My idea is to get out of shishi itself, so I am sure that
shishi does stuff the way it is supposed to be done.)
> There is a XXX nit in
> shishi_ap_set_tktoptionsasn1usage() which you could watch out for.
That memmove looks interesting there...
Is that to skip the asn1-tag and length?
What if the encoded length is more than 128 bytes?
(I'm just talking useless crap. You're fully free to ignore
the last few lines. ;) )
> > What next?
>
> I'll try to fix the name-type issue first.
Okay, waiting for your "go". :)
> Thanks,
> Simon
Elrond
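
An added example, not part of the original message and not shishi's code: the memmove question above turns on the fact that a DER tag-and-length prefix is not a fixed two bytes, because content lengths of 128 or more use the long form. The sketch below parses that prefix and rejects non-DER encodings; `der_header_len` is a hypothetical helper, it handles single-byte tags only, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse the identifier and length octets of one DER element.
 * Returns the header size in bytes (the offset of the contents) and
 * stores the content length in *content_len. Returns 0 for truncated,
 * malformed or non-DER (indefinite / non-minimal length) input. */
size_t der_header_len(const uint8_t *buf, size_t buflen, size_t *content_len)
{
    if (buflen < 2)
        return 0;
    if ((buf[0] & 0x1f) == 0x1f)       /* multi-byte tag: not handled here */
        return 0;

    uint8_t first = buf[1];
    size_t hdr = 2, len = 0;

    if (first < 0x80) {                /* short form: length 0..127 */
        len = first;
    } else {                           /* long form: length >= 128 */
        size_t n = first & 0x7f;       /* count of length octets that follow */
        if (n == 0 || n > sizeof(size_t) || buflen < 2 + n)
            return 0;                  /* 0x80 is BER indefinite, not DER */
        if (buf[2] == 0)
            return 0;                  /* leading zero octet: not minimal */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        if (len < 0x80)
            return 0;                  /* DER requires the short form here */
        hdr += n;
    }
    if (len > buflen - hdr)
        return 0;                      /* contents would run past the buffer */
    *content_len = len;
    return hdr;
}

int main(void)
{
    /* Constructed sample: SEQUENCE holding 300 zero-filled content bytes. */
    static uint8_t seq[4 + 300] = {0x30, 0x82, 0x01, 0x2c};
    size_t len = 0;
    size_t hdr = der_header_len(seq, sizeof seq, &len);
    printf("header=%zu content=%zu\n", hdr, len);
    return 0;
}
```

Code that strips a fixed two-byte prefix would keep one or two length octets in the data for elements like this sample.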