[Ietf-krb-wg] Interop issues related to TGS subkeys

ghudson@MIT.EDU Tue, 19 May 2009 23:44 UTC

Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABB543A6B88 for <ietfarch-krb-wg-archive@core3.amsl.com>; Tue, 19 May 2009 16:44:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jEcQkUmyHyCG for <ietfarch-krb-wg-archive@core3.amsl.com>; Tue, 19 May 2009 16:44:01 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id 687553A67D1 for <krb-wg-archive@lists.ietf.org>; Tue, 19 May 2009 16:44:01 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 3936E35; Tue, 19 May 2009 18:45:38 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 7C1BE80; Tue, 19 May 2009 18:45:33 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 73DDC80E02; Tue, 19 May 2009 18:45:33 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by lists.anl.gov (Postfix) with ESMTP id 28F5D80E01 for <ietf-krb-wg@lists.anl.gov>; Tue, 19 May 2009 18:45:31 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id 088C47CC056; Tue, 19 May 2009 18:45:31 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05666-08-2; Tue, 19 May 2009 18:45:30 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay2.anl.gov (Postfix) with ESMTP id BB2497CC059 for <ietf-krb-wg@lists.anl.gov>; Tue, 19 May 2009 18:45:30 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag4CAN7hEkoSBwdQkWdsb2JhbACNegGIXXwBAQEBCQsKBxEFpxeHUYhOgkOBPwU
X-IronPort-AV: E=Sophos;i="4.41,218,1241413200"; d="scan'208";a="27181878"
Received: from biscayne-one-station.mit.edu ([18.7.7.80]) by mailgateway.anl.gov with ESMTP; 19 May 2009 18:45:13 -0500
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id n4JNjAFb015497 for <ietf-krb-wg@lists.anl.gov>; Tue, 19 May 2009 19:45:10 -0400 (EDT)
Received: from localhost (EQUAL-RITES.MIT.EDU [18.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id n4JNj9AT013187 for <ietf-krb-wg@lists.anl.gov>; Tue, 19 May 2009 19:45:10 -0400 (EDT)
Date: Tue, 19 May 2009 19:45:09 -0400 (EDT)
From: ghudson@MIT.EDU
Message-Id: <200905192345.n4JNj9AT013187@outgoing.mit.edu>
To: ietf-krb-wg@lists.anl.gov
X-Scanned-By: MIMEDefang 2.42
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Subject: [Ietf-krb-wg] Interop issues related to TGS subkeys
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-krb-wg-bounces@lists.anl.gov
Errors-To: ietf-krb-wg-bounces@lists.anl.gov

During the testing process of MIT krb5's new release, we discovered
some interoperability issues surrounding the use of subkeys with TGS
requests.  This note is primarily to save other implementors time,
although the second problem points out an omission in RFC 4120.

This list may not be exhaustive; there is a third potential problem
area which Sam and I plan to investigate over the next week or so, but
we don't yet know of a specific interoperability issue yet.  I'll
report back if we turn anything up.

1. tgs-req subkeys + RC4 keys = key usage issue

RFC 4757 specifies:

      9.  TGS-REP encrypted part (includes application session key),
          encrypted with the TGS authenticator subkey (T=8)

However, this appears to be a typo; the actual key usage value used by
AD 2003 or AD 2008 is 9.  Clients are only harmed by this issue if
they use subkeys in tgs-reqs.  My suggested workaround: KDCs should
encrypt replies to TGS requests containing subkeys with key usage 9 to
match the AD behavior; clients using subkeys in tgs-reqs should
attempt to decrypt responses with key usage 9, but on failure should
try again with key usage 8 in case they are talking to a Heimdal or
pre-1.7 MIT KDC.

2. tgs-req subkeys + keyed checkum types = checksum key ambiguity

RFC 4120 is silent about what key should be used to construct and
verify ap-req checksums, including the checksums in a tgs-req.  MIT
and Heimdal both use the TGS session key whether or not there is a
subkey in the tgs-req, but AD 2003 only accepts a checksum keyed with
the subkey if one is present.  (That's experimentally true for RC4
keys.  One can't safely use keyed checksum types with DES keys for
other reasons, so we haven't tested it.)

Experimentally, AD 2008 will accept a checksum keyed with the TGS
session key (with either AES or RC4 keytypes), so it is safe to use
keyed checksum types in combination with subkeys when the key type is
AES.  I recommend against clients using keyed checksum types with RC4
keys if the client is also using tgs-req subkeys.

(For completeness, I will note that RFC 4757 specifies:

      6.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
          with the TGS session key (T=6)

However, that RFC is informational and exists to document RC4 in
Kerberos, not Kerberos itself.)
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg