[16724] in Kerberos_V5_Development
RC4 Weak Key checks
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Mar 24 10:33:49 2011
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: krbdev@mit.edu
Message-ID: <4D8B5641.3020103@secure-endpoints.com>
Date: Thu, 24 Mar 2011 10:33:37 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
MIME-Version: 1.0
To: "'krbdev@mit.edu'" <krbdev@mit.edu>
Reply-To: jaltman@secure-endpoints.com
In k5_arcfour_init() src/lib/crypto/enc_provider/rc4.c MIT's
implementation of RC4 has a check for two families of weak keys.
Those beginning with either of the following three octet sequences:

  arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
  arcfour_weakkey2[] = {0x03, 0xfd, 0xfc};

If a key in either of these families is detected in k5_arcfour_init(),
the error KRB5DES_WEAK_KEY is returned to the caller.

In my reading of RFC 3961 and RFC 4757 I do not come across any
indication that a weak key test should be applied when RC4 is used with
Kerberos or GSS. When used with GSS the weak key test is especially
problematic. For example, each call to gss_wrap() generates a new per
message RC4 key as each message is treated by RFC 4757 as a new RC4
keystream. The RC4 key is generated using the sequence number as input
using the following call sequence:

  gss_wrap -> gss_seal -> k5glue_seal -> krb5_gss_seal -> kg_seal ->
  make_seal_token_v1 -> kg_make_seq_num -> kg_arcfour_docrypt ->
  k5_arcfour_docrypt -> k5_arcfour_init

An application calling gss_wrap() experiences a random behavior. When a
KRB5DES_WEAK_KEY error is returned from k5_arcfour_init(), it is never
handled and the gss_wrap() call fails. This can happen relatively
quickly or can require hundreds of thousands of messages. Regardless,
if the GSS context is used to send enough messages, the error will be
thrown.

In examining other implementations of RC4 I can find no weak key check.
I am questioning whether MIT's implementation should have one and if so
whether it should be used in conjunction with GSS.

If the weak key check is maintained, it implies that in any given GSS
context certain sequence numbers cannot be used. Since there is no
standard for how these sequence numbers should be skipped, the inclusion
of the weak key check is an interoperability problem with existing
deployed GSS implementations.

I would appreciate the feedback of the members of this list.

Jeffrey Altman
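The failure rate discussed in the message above can be put into numbers. The following is an added example, not part of the original message and not MIT's code: it reimplements the three-octet prefix test as the message describes it, counts how many leading triples are rejected, and computes the chance that at least one of n keys is rejected. The function names are hypothetical, and the calculation assumes each per-message key behaves as uniformly random octets.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two three-octet prefixes quoted in the message. */
static const unsigned char weak1[] = {0x00, 0x00, 0xfd};
static const unsigned char weak2[] = {0x03, 0xfd, 0xfc};

/* Hypothetical helper: 1 if the key starts with either prefix, else 0. */
int rc4_key_flagged(const unsigned char *key, size_t len)
{
    if (len < sizeof(weak1))
        return 0;
    return memcmp(key, weak1, sizeof(weak1)) == 0 ||
           memcmp(key, weak2, sizeof(weak2)) == 0;
}

/* Count how many of the 2^24 possible leading octet triples are rejected. */
unsigned long count_flagged_prefixes(void)
{
    unsigned char key[16] = {0};   /* constructed 128-bit key, tail fixed */
    unsigned long i, hits = 0;
    for (i = 0; i < (1UL << 24); i++) {
        key[0] = (unsigned char)(i >> 16);
        key[1] = (unsigned char)(i >> 8);
        key[2] = (unsigned char)i;
        hits += (unsigned long)rc4_key_flagged(key, sizeof(key));
    }
    return hits;
}

/* P(at least one of n keys is rejected) = 1 - (1 - p)^n, where p is the
 * per-key rejection rate; assumes key octets are uniformly random. */
double p_any_flagged(unsigned long n, unsigned long flagged)
{
    double base = 1.0 - (double)flagged / 16777216.0, acc = 1.0;
    for (; n > 0; n >>= 1, base *= base)   /* square-and-multiply */
        if (n & 1)
            acc *= base;
    return 1.0 - acc;
}

int main(void)
{
    unsigned long f = count_flagged_prefixes();
    printf("flagged prefixes: %lu of 16777216\n", f);
    printf("P(failure within 1000000 keys) = %.4f\n", p_any_flagged(1000000UL, f));
    return 0;
}
```

Because every RC4 initialization on the gss_wrap() path draws a fresh key, n counts key setups rather than messages.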