Re: arcfour: hmac-md5 vs. md5
Thu, 4 May 2006 13:07:41 +0200
On Thu, May 04, 2006 at 11:12:31AM +0200, Simon Josefsson wrote:
> Given your subkey discussion, I suspect this is because of the subkey
> problems. I strongly doubt that I got the hmac-md5 implementation
At least not entirely wrong. It works without a subkey (so
it is correct for the "normal key").
> > Doing the same with plain-md5 gets me a response,
> > that shishi can't decrypt.
> That would be consistent with a subkey problem: md5 is not keyed, so
> which key should be used doesn't matter.
> The reason heimdal handles this case (it always uses plain-md5 here) is
> likely that it doesn't set a subkey.
Right, heimdal has no subkey in its TGS-requests.
> > heimdal-kdc:
> > Version: 0.7.2 from Debian/testing
> > Both variants work and I can't really discover any
> > difference.
> Except the subkey...
> > Both give this warning from shishi at TGS-time:
> > "libshishi: warning: KDC bug: Reply encrypted using wrong key."
> Yup, Heimdal ignores the subkey and encrypts the response using the
> ticket key. That is wrong.
> > From my limited point of view, this looks like shishi and
> > heimdal are consistent to each other with the hmac-md5, but
> > shishi and w2k3 do not seem to share this.
> > This is particularly confusing to me, as arcfour-hmac was
> > invented by the guys at ms. So either their spec isn't
> > correct or heimdal and you seem to have misread it (no
> > reproach intended!).
> When I read your e-mail, after considering that without subkeys
> everything works, I think it makes sense.
Right, things start to look more consistent.
> The only remaining detail is to investigate further exactly what w2k3
> does when it is given a subkey. When plain-md5 was used, it did send
> a response, but we couldn't decrypt it. If we debug that case
> further, maybe we can figure out which key it is using.
So your suggestion for "what next" is to use
And see if we get the response decrypted?
My other suggestion would be:
and see if we can get the checksum in the authenticator in
a way that w2k3-kdc will like it.
What do you think?
> >> I have a vague memory that ARCFOUR-HMAC checksum was invented later
> >> than the ARCFOUR encryption scheme. So it may be that w2k3 doesn't
> >> support it in the same way as shishi implements it. If Heimdal doesn't
> >> use it against w2k3, maybe we shouldn't either. But that doesn't
> >> really answer why things behave as they do for you below.
> > Looking at the subkey parameter test (previous mail), I
> > start to suspect, that the authenticator's checksum is
> > keyed using the subkey or something.
> Hm, shishi_tkt_key() tries to get two keys, but none is the subkey.
What do you want to say?
> > And I further guess, that heimdal (as shishi) just ignores
> > the subkey for most things.
> > Which one is "correct according to the specs":
> > You know the specs better than me.
> Searching section 3.3 (TGS) for "sub", "session" or "key" makes it
> clear to me that subkeys are supported. However, no other client
> appear to use it for TGS, so maybe it is not tested enough.
Ahhh, quite likely.
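As an added illustration of the symptom discussed in this thread (not code from shishi, Heimdal or the thread's authors): the arcfour-hmac encryption profile of RFC 4757 derives the RC4 key from an HMAC-MD5 checksum over the plaintext, so a reply encrypted under the ticket session key cannot be decrypted with the subkey; the checksum simply fails, which is the condition behind shishi's "Reply encrypted using wrong key" warning. Keys, the confounder and the plaintext below are constructed values; `demo_wrong_key_reply` is a hypothetical helper for the scenario.

```python
import hashlib
import hmac
import os
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the bulk cipher underneath arcfour-hmac."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 section 6: returns checksum(16) || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))  # T = key usage as 4-byte little-endian
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)                  # K2 = K1 for the 128-bit variant
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)

def rc4_hmac_decrypt(key, usage, edata):
    """Inverse of the above; None when the checksum fails (wrong key or tampering)."""
    checksum, body = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]  # drop the 8-byte confounder

def demo_wrong_key_reply():
    """Constructed replay of the thread's symptom: the KDC encrypts the TGS-REP (usage 8)
    under the ticket session key although the client sent a subkey."""
    session_key = hashlib.md5(b"constructed ticket session key").digest()
    subkey = hashlib.md5(b"constructed client subkey").digest()
    edata = rc4_hmac_encrypt(session_key, 8, b"EncTGSRepPart (constructed)", b"CONFOUND")
    # Decrypting with the subkey fails the checksum; only the ticket key recovers the
    # reply, which is the situation shishi's "wrong key" warning reports.
    return rc4_hmac_decrypt(subkey, 8, edata), rc4_hmac_decrypt(session_key, 8, edata)
```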