[3624] in Kerberos-V5-bugs


[krbdev.mit.edu #1248] SAM uses RC4 insecurely

daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Fri Nov 8 00:32:28 2002

Message-Id: <rt-1248-3642.3.34083668402812@krbdev.mit.edu>
In-Reply-To: <rt-1248@krbdev.mit.edu>
From: "Sam Hartman via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Fri, 8 Nov 2002 00:31:07 -0500 (EST)
Hi.  The definition of dr in src/lib/crypto/combine_keys.c mishandles
the rc4 enctype.  In particular, it will encrypt the constant using
rc4 directly in the long-term key.  No cipher state is used for rc4,
so the rc4 PRNG is always positioned at the same point in the cipher
stream.
Effectively, for rc4, dr(k, c) is c^rc4(k).  That's problematic
because:

dr(k,c1)^dr(k, c2)
		= c1^rc4(k)^rc4(k)^c2
		= c1^c2

So if you know c1, c2 and dr(k,c1) you can find out the first few bits
of rc4(k).

I have not yet worked through the implications of this for
combine-keys, but it becomes clear to me that:

* dr must be defined per crypto-system

* The current dr for rc4 is unacceptable even if combine-keys ends up
  being secure

* If SAM is going to use dr, it must be required to be defined for
  each crypto system.

If these problems are not fixed by the 1.3 release, the SAM changes
must be backed out.

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
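As an added illustration (it is not part of the original report and not MIT Kerberos code), the following Python model reproduces the property the report describes: with no cipher state, the RC4 keystream for a given key always starts at the same position, so dr(k, c) is just c XOR rc4(k), XORing two derived values cancels the keystream, and a single known constant with its derived value exposes the keystream prefix. The function names (rc4_keystream, dr_rc4_stateless, and the helpers) are my own, and the key and constants are constructed sample values; the RC4 known-answer check uses the widely published "Key"/"Plaintext" test vector.

```python
"""Model of a stateless RC4-based derivation function dr(k, c) = c XOR rc4(k).

Added example, not code from the Kerberos tree. It shows why reusing the
keystream from a fixed position makes dr unusable as a key-derivation step.
"""


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for key (textbook KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:                       # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def dr_rc4_stateless(key: bytes, constant: bytes) -> bytes:
    """The flawed derivation: encrypt the constant with RC4 starting from the
    same keystream position every time (no cipher state carried between calls)."""
    return xor_bytes(constant, rc4_keystream(key, len(constant)))


def derived_xor_cancels_keystream(key: bytes, c1: bytes, c2: bytes) -> bool:
    """dr(k, c1) XOR dr(k, c2) == c1 XOR c2: the key drops out entirely."""
    lhs = xor_bytes(dr_rc4_stateless(key, c1), dr_rc4_stateless(key, c2))
    return lhs == xor_bytes(c1, c2)


def keystream_prefix_from_known_constant(constant: bytes, derived: bytes) -> bytes:
    """Given one known constant and its derived value, the keystream prefix
    is simply their XOR; every other derivation under the same key reuses it."""
    return xor_bytes(constant, derived)


def rc4_known_answer_ok() -> bool:
    """Sanity check of the RC4 model against the public test vector
    key="Key", plaintext="Plaintext" -> BBF316E8D940AF0AD3."""
    ct = xor_bytes(b"Plaintext", rc4_keystream(b"Key", len(b"Plaintext")))
    return ct == bytes.fromhex("BBF316E8D940AF0AD3")


if __name__ == "__main__":
    # Constructed sample values: a long-term key and two derivation constants.
    k = b"constructed-long-term-key"
    c1 = b"constant-number-one"
    c2 = b"constant-number-two"
    print("rc4 known answer ok:", rc4_known_answer_ok())
    print("dr(k,c1)^dr(k,c2) == c1^c2:", derived_xor_cancels_keystream(k, c1, c2))
    leaked = keystream_prefix_from_known_constant(c1, dr_rc4_stateless(k, c1))
    print("leaked prefix matches rc4(k):", leaked == rc4_keystream(k, len(c1)))
```

The two checks mirror the derivation in the report: the first shows that the long-term key cancels out of the XOR of any two derived values, the second that once one constant is known the keystream prefix is known for every other constant derived under that key. A derivation function that is safe for a stream cipher has to bind the constant into the cipher state rather than XOR it onto a fixed keystream position, which is the per-cryptosystem definition the report asks for.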
