Re: RFC 4121 & acceptor subkey use in MIC token generation

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 14:38:47 -0400
Message-ID: <mailman.23.1698345607.2263420.kerberos@mit.edu>
 by: Ken Hornstein - Thu, 26 Oct 2023 18:38 UTC

>> Ever hear the political adage, "If you're explaining yourself, you're
>> losing"? The same adage applies when talking to security people,
>> especially the non-technical ones. The common gss-keyex code out there
>> calls the OpenSSL MD5 function at runtime, and some of the distributions
>> that do ship the gss-keyex code (RedHat) decided to simply disable
>> gss-keyex code when FIPS is turned on. So yes, you CAN hardcode the
>> OID->name mappings, but it seems that nobody actually does that.
>
>We accept PRs.

I am SO many levels down from the people that manage the licenses that
figuring out how to file a PR upwards through the various levels of the
DoD would probably take me a few days (I don't have to convince RedHat
there's a problem, I have to convince those gatekeepers that there's
a problem first, that's where things go sideways). And those people are
the kind of people that as soon as they hear "MD5" and "FIPS mode" in
the same sentence, they're going to say, "THAT'S NOT ALLOWED".

--Ken
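
The hardcoded OID->name mapping mentioned in the quoted text, as an added example that is not part of the original post or of the gss-keyex code. It assumes the RFC 4462 naming rule (key exchange prefix plus base64 of the MD5 of the DER-encoded mechanism OID); the function and table names are hypothetical. The generator runs once offline, so the runtime lookup path never calls MD5.

```python
import base64
import hashlib

KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # Kerberos 5 GSS-API mechanism
KEX_PREFIXES = ("gss-group1-sha1-", "gss-group14-sha1-", "gss-gex-sha1-")

def der_encode_oid(dotted):
    """DER-encode a dotted OID, including the 0x06 tag and length byte."""
    arcs = [int(a) for a in dotted.split(".")]
    if (len(arcs) < 2 or any(a < 0 for a in arcs) or arcs[0] > 2
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]          # last base-128 digit, high bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form DER length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)

def mech_suffix(dotted):
    """Build-time only: MD5 derives a name here, it protects nothing."""
    digest = hashlib.md5(der_encode_oid(dotted), usedforsecurity=False).digest()
    return base64.b64encode(digest).decode("ascii")

def build_static_table(oids):
    """Generator step: emit the table that gets pasted into the source."""
    return {oid: [p + mech_suffix(oid) for p in KEX_PREFIXES] for oid in oids}

# Output of build_static_table([KRB5_MECH_OID]), hardcoded for runtime use.
STATIC_KEX_NAMES = {
    "1.2.840.113554.1.2.2": [
        "gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==",
        "gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==",
        "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==",
    ],
}

def kex_names(oid):
    """Runtime path: table lookup only; unknown mechanisms offer nothing."""
    return STATIC_KEX_NAMES.get(oid, [])
```

A build or CI step on a non-FIPS host can compare `build_static_table` against `STATIC_KEX_NAMES` to catch a stale table.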
