Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

"Life, loathe it or ignore it, you can't like it." -- Marvin the paranoid android

devel / comp.protocols.kerberos / Re: RFC 4121 & acceptor subkey use in MIC token generation

SubjectAuthor
o Re: RFC 4121 & acceptor subkey use in MIC token generationKen Hornstein

1
Re: RFC 4121 & acceptor subkey use in MIC token generation

<mailman.12.1698194201.2263420.kerberos@mit.edu>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=388&group=comp.protocols.kerberos#388

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Tue, 24 Oct 2023 20:36:31 -0400
Organization: TNet Consulting
Lines: 22
Message-ID: <mailman.12.1698194201.2263420.kerberos@mit.edu>
References: <202310241950.39OJoa0Z000708@hedwig.cmf.nrl.navy.mil>
<3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu>
<202310250036.39P0aVZr017365@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="30060"; mail-complaints-to="newsmaster@tnetconsulting.net"
To: kerberos@mit.edu
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=NNGbeMrPpCgr4EIyIn60q9zjzbxwRvUwct5fjjpNa/v7BZKyhwjq43jud6G+YZqDhX++hYlG3mGm2WS+OlQzA1Br4Xj3XYF9ccaQbcVGvUvdHZ3wJih5atwe2VAogRKa0MMXLz3y0J4+2mdeobvYtH3Z73geSdjaki2LpYmGHx28v7oXHuO08Y0MY3LP2CGQkDatn9OTITLteXGdSLxl1Qi0oYf4MIgSKVSc8N3j+JUVcCludqBN9ZgdzyLv8D0d31Ps35iJpspcTFJX5ioWWbV/b4xBetNhM0PNbWizKm59AqwGXLo6pN2QIeK6WzAbB8lFYUCVmTP+HXbQl4TuQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=8VWCHBXn6MD/cFnlQLD7pB/gxqAiRz0x2rEAD8VndK0=;
b=HcKUHGAGWtlsyIAZrKqHIkM+nxhfUL3jLHL/zVe9EOWhXrAQlQ/laU8gh48t9XatuguxNuAnO3un3keCv3X7JD4PeIFqCnlF1XEyGRbXCLeoPRH4cl7Dg2pLHO0rJ1ncWB+7EBZwd0WCk3b/ZTgC2Tz5owhiwh8QgbxORE4KohOb+HJZGgVN+H99X0+l6BjEZHVBiBtUK9WKGAJm9MJB7F34l7jvaMXjT6v2pgxGJTZrfGAP4KpGgUWGhNZzQ0uS6YJjFksLDpm63aMxA/5j4ZzhTdVz64mc5v8dClW4ezgaaNx/R89E/scRaHHmvyIBH6O/KLisUcc2XcVudLnUOw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
140.32.61.234) smtp.rcpttodomain=mit.edu smtp.mailfrom=cmf.nrl.navy.mil;
dmarc=pass (p=reject sp=reject pct=100) action=none
header.from=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=8VWCHBXn6MD/cFnlQLD7pB/gxqAiRz0x2rEAD8VndK0=;
b=ELj4iaqK+y3Jss3NcXSRSx+IniDTQlV0YapT3jOILyTUMkHm7rD9p2CQLRUYhMq2PM0YdaPWKdN8SUn0CrmK0R+dKD6YcsA5ybbFWCZHS63X9h3RkpFWEZUlTlDRogJhUF9Ks0g7OU/+eXPnMDlg3stQmJIZlDVe7p6WsQ7PCZ0=
Authentication-Results: spf=pass (sender IP is 140.32.61.234)
smtp.mailfrom=cmf.nrl.navy.mil; dkim=pass (signature was verified)
header.d=nrl.navy.mil;dmarc=pass action=none header.from=cmf.nrl.navy.mil;
Received-SPF: Pass (protection.outlook.com: domain of cmf.nrl.navy.mil
designates 140.32.61.234 as permitted sender)
receiver=protection.outlook.com; client-ip=140.32.61.234; helo=mf.dren.mil;
pr=C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nrl.navy.mil;
h=message-id : from :
to : subject : in-reply-to : references : mime-version : content-type :
date; s=s2.dkim; bh=8VWCHBXn6MD/cFnlQLD7pB/gxqAiRz0x2rEAD8VndK0=;
b=B85YNJZh+XfOTL5r8eALTxTfd67m6wKc2YhjsHO41Xi8EwyXS5b/m9n+G2UzjhvLGubZ
sv4UHqNRBEUPMcmbXrJ7GHpODEiO0FNXfU3GMFYDoyJ2YRyK23ofvcyhywnBr8dB3ZJg
k34Vv4Jg0DGzsce8ddTM49XmXoio4Gb+5pEHeAVjek7kAXmj/cWWBkL7ijciFfKZz6Ud
qWy0/zSjP2Dop9cAMUwcL3U+bphpS7jOxL1kvka3cGa3J4dUV9DjebkLoY45PXPOpbHr
mP3I6pezB1u5eFjsAx6WdRZCxP8DAdUmJLdA0H67PoHraUSEvElQNe/fsQX00pF1DjaN pA==
In-Reply-To: <3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu>
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
X-NRLCMF-Spam-Score: () hits=0 User Authenticated
X-NRLCMF-Virus-Scanned:
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS3PEPF000099D3:EE_|BL1PR01MB7721:EE_
X-MS-Office365-Filtering-Correlation-Id: 9b1787ef-9c28-4de2-aded-08dbd4f27043
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 7XBKLaPWFqkiLsfR4gJDDxjB6l+1iiddae2ZonCBu/PcMQrgNP7di2WpCpHxTTBtCP5rd3y5PRKFvtyDHQlOYhFlikpwQAGpn/itlbCXKpew2NH1LqvMHjYvrszKKROKEvQ3QwhN4H5flCms6o5v2u0y349vfDFePdD6dCpTodTLETDOwQVWc2TqNjQt1jvwoWHCvZfbVYZHp/FNjDWLYN5BkFIhMkJnQGlvR7GhK6TLglfZJsL7IZxz8ddG55KvQfVUk58l9zq3/MuSim5i30jBn9I/vwZheYGxTixIOT9ndqlhjn1TYjJyxz4ksFHXPTdtrV7zh8bA2O0WzjkPTo+ZBdu23nccuCydpWliiGfRoTy0giTehi8ZmWec4qUqtqYvdfkrJkmFEbAMx4ySY4ceW4OJlzrDj2/N5TK+zRQ8wMcEluvek8EgzzWOKUN/PxLRp8zYcfPn2a7dupd5a/VdSbQ4RTPWLLz7wrtixmoKrKPKRAzcUhh3ojx0vW4Bl/9SUfC79TLgg3+YunMaPupHIBUgqbhlG4AW7BVVxOoZRz9cU19+06SlqvOeXBcmWzYvQ1P6nlXkRmn5FlKNFp/lkf/o774EbH4v9q7fmPO0/9bGZfUdCB92J0zwU83OAXkhs0vm3GLjuhFyAnEWY+NIUT4gnlXF38On8SauEm443PS1iQZrpv4KUFypACUj7LcFWuhwdJ1cMD4pCVHeFw==
X-Forefront-Antispam-Report: CIP:140.32.61.234; CTRY:US; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:mf.dren.mil; PTR:mfw.dren.mil; CAT:NONE;
SFS:(13230031)(4636009)(136003)(39860400002)(376002)(396003)(346002)(64100799003)(451199024)(48200799006)(61400799006)(34206002)(8676002)(86362001)(26005)(786003)(70586007)(68406010)(1076003)(316002)(498600001)(7636003)(356005)(956004)(336012)(426003)(83380400001)(5660300002)(2906002);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Oct 2023 00:36:33.1683 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 9b1787ef-9c28-4de2-aded-08dbd4f27043
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: DS3PEPF000099D3.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR01MB7721
X-OriginatorOrg: mitprod.onmicrosoft.com
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <202310250036.39P0aVZr017365@hedwig.cmf.nrl.navy.mil>
X-Mailman-Original-References: <202310241950.39OJoa0Z000708@hedwig.cmf.nrl.navy.mil>
<3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu>
 by: Ken Hornstein - Wed, 25 Oct 2023 00:36 UTC

>Whether the initiator can generate per-message tokens before receiving
>the subkey depends on whether the mechanism returned the prot_ready
>state (RFC 2743 section 1.2.7) to the caller after generating the
>initiator token. RFC 4121 does not mention prot_ready; I couldn't say
>whether that's an implicit contraindication on setting the bit. I'm not
>aware of any krb5 mechs setting the bit at that point in the initiator,
>although I recall Nico talking about maybe wanting to do so.

Fair enough; every time I think I might understand the GSSAPI, there
is always something else in that mess. I don't think given subkey
negotiation it would be possible for a krb5 mechanism to legitimately
set prot_ready before authentication was complete, but it sure seems
like this is a corner case. Certainly it seems like Heimdal always
assumes that the other end will behave that way.

>The comment was written twenty years ago by a developer no longer
>working for MIT, and I don't recall having any conversations about it
>before this one.

NOW I feel old :-/

--Ken

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor