[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: arcfour: hmac-md5 vs. md5

From: Elrond
Subject: Re: arcfour: hmac-md5 vs. md5
Date: Thu, 4 May 2006 13:07:41 +0200
User-agent: Mutt/1.5.9i

On Thu, May 04, 2006 at 11:12:31AM +0200, Simon Josefsson wrote:
> Given your subkey discussion, I suspect this is because of the subkey
> problems.  I strongly doubt that I got the hmac-md5 implementation
> wrong.

At least not entirely wrong. it works without a subkey (so
it is correct for the "normal key").

> >     Doing the same with plain-md5 gets me a response,
> >     that shishi can't decrypt.
> That would be consistent with a subkey problem: md5 is not keyed, so
> which key should be used doesn't matter.
> The reason heimdal handle this case (it always uses plain-md5 here) is
> likely that it doesn't set a subkey.

Right, heimdal has no subkey in its TGS-requests.

> > heimdal-kdc:
> >     Version: 0.7.2 from Debian/testing
> >
> >     Both variants work and I can't really discover any
> >     difference.
> Except the subkey...
> >     Both give this warning from shishi at TGS-time:
> >
> >     "libshishi: warning: KDC bug: Reply encrypted using wrong key."
> Yup, Heimdal ignore the subkey and encrypt the response using the
> ticket key.  That is wrong.


> > From my limited point of view, this looks like shishi and
> > heimdal are consistent to each other with the hmac-md5, but
> > shishi and w2k3 do not seem to share this.
> >
> > This is particular confusing to me, as arcfour-hmac was
> > invented by the guys at ms. So either their spec isn't
> > correct or heimdal and you seem to have misread it (no
> > reproach intended!).
> When I read your e-mail, after considering that without subkeys
> everything works, I think it makes sense.

Right, things start to look more consistent.

> The only remaining detail is to investigate further exactly what w2k3
> does when it is given a subkey.  When plain-md5 was used, it did send
> a response, but we couldn't decrypt it.  If we debug that case
> further, maybe we can figure out which key it is using.

So your suggestion for "what next" is to use

        checksum: md5
        subkey: enabled

And see, if we get the response decrypted?

My other suggestion would be:

        checksum: hmac-md5
        subkey: enabled

and see, if we can get the checksum in the authenticator in
a way, that w2k3-kdc will like it.

what do you think?

> >> I have a vague memory that ARCFOUR-HMAC checksum was invented later
> >> than the ARCFOUR encryption scheme.  So it may be that w2k3 doesn't
> >> support it in the same way as shishi implement it.  If Heimdal doesn't
> >> use it against w2k3, maybe we shouldn't either.  But that doesn't
> >> really answer why things behave as they do for you below.
> >
> > Looking at the subkey parameter test (previous mail), I
> > start to suspect, that the authenticator's checksum is
> > keyed using the subkey or something.
> Hm, shishi_tkt_key() tries to get two keys, but none is the subkey.

What do you want to say?

> > And I further guess, that heimdal (as shishi) just ignores
> > the subkey for most things.
> >
> > Which one is "correct according to the specs":
> > You know the specs better than me.
> Searching section 3.3 (TGS) for "sub", "session" or "key" make it
> clear to me that subkeys are supported.  However, no other client
> appear to use it for TGS, so maybe it is not tested enough.

Ahhh, quite likely.

> /Simon


reply via email to

[Prev in Thread] Current Thread [Next in Thread]