Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

Delta: The kids will love our inflatable slides. -- David Letterman

devel / comp.protocols.kerberos / Re: RFC 4121 & acceptor subkey use in MIC token generation

SubjectAuthor
o Re: RFC 4121 & acceptor subkey use in MIC token generationNico Williams

1
Re: RFC 4121 & acceptor subkey use in MIC token generation

<mailman.27.1698352265.2263420.kerberos@mit.edu>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=403&group=comp.protocols.kerberos#403

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: nic...@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 15:30:40 -0500
Organization: TNet Consulting
Lines: 27
Message-ID: <mailman.27.1698352265.2263420.kerberos@mit.edu>
References: <ZTk62q0DIAZmW0eL@ubby21>
<CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<CALF+FNxK2mrQFg_bKnBHoZFxg9B4pKRzzV9NqP1+rm0LbWLbAQ@mail.gmail.com>
<ZTrKeZTsJOoxSkxe@ubby21> <ZTrMcEbjAX8VZsU2@ubby21>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="12668"; mail-complaints-to="newsmaster@tnetconsulting.net"
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Jeffrey Hutzelman <jhutz@cmu.edu>
DKIM-Filter: OpenDKIM Filter v2.11.0 unknown-host (unknown-jobid)
Authentication-Results: mailman.mit.edu;
dkim=pass (1024-bit key, unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=HsH2sbgA;
dkim=pass (2048-bit key,
unprotected) header.d=cryptonector.com header.i=@cryptonector.com
header.a=rsa-sha256 header.s=dreamhost header.b=A9DbHGy2
Authentication-Results: mit.edu; dmarc=none (p=none dis=none)
header.from=cryptonector.com
Authentication-Results: mit.edu; arc=pass smtp.remote-ip=18.7.73.16
ARC-Seal: i=4; a=rsa-sha256; d=mit.edu; s=arc; t=1698352263; cv=pass;
b=PNZIFIp2lAN2cNdceZw642DQXXXc9+tl7oSNE1F5pMOSZThwPi1Nx88lyG9f2ZyrkHxwZiuM4hzn/afEWZqsrXpszRkZP7Ku1FzBRAw9LoxUqtEdxTxliiskTnQYVe+lRk5D1bInbvreJjlkldSVC/7fVvNtX9TWlCHsjNG3xjTOXvcDIMFFPnTrRcS2jkqKitGIshbZoG+i7k86gQeQhWmrB+rSylLC0lCCRNNS3y23AQlNSVB3SpLJPF2T1+FTaZzUd4WXKk6vWPo0Z2arEoX7ShgW9uZtmdRrVvyYqE0sJwijfOVZZlShHEKIYOZAPudzK/CcFwMKu3R0LrllBQ==
ARC-Message-Signature: i=4; a=rsa-sha256; d=mit.edu; s=arc; t=1698352263;
c=relaxed/relaxed; bh=UfwBaEXn4FnWE2ydhLWN5rUiwfhaiOm2oAfNVZWXFN4=;
h=Date:From:Subject:Message-ID:MIME-Version:Content-Type;
b=D0kWrG0YTzmwgHuKtURwJvs33xlpCcsrSZzEsrN/QoUPW7wRnAUdRhtOVv3xxBHESt1dHNsxgaem0T3p2X5qHuDE6dFIkvEg3NjiM+eUq8mcmeT0+kAMRtz+XeWB6sX6gyVehPToLCczdkB/vcul5NkDCZSy4bijHscCgylb/oW91233SweKWtYBmtlW/QLbck0PYkL7PxMuvUD0ooy3nK6lMxR+uAr+nx9CQjOtNtF4MdJ7RdLzT2esPfiCqb+WW3MsZh3Qh4zvN31RrPLGfJ2ax7A8In9Vb+Eee9v6gsJUWUlwj1YxuSx+cTa4ZdSxmOS8VonjIhCfudZI7+/lvw==
ARC-Authentication-Results: i=4; mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=HsH2sbgA;
dkim=pass (2048-bit key;
unprotected) header.d=cryptonector.com header.i=@cryptonector.com
header.a=rsa-sha256 header.s=dreamhost header.b=A9DbHGy2
Authentication-Results: mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=HsH2sbgA;
dkim=pass (2048-bit key;
unprotected) header.d=cryptonector.com header.i=@cryptonector.com
header.a=rsa-sha256 header.s=dreamhost header.b=A9DbHGy2
ARC-Seal: i=3; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
b=abHeVwIjfFYRPgCbBaQv9w1symRVoi+ULFo5Z/Uy/+aCezcxjkTxUwgj3e01JHZcvIbGU+RER3oXKCvlG9wm2iwo115t2WBduRrYAZ6UMAh9xL77VKalQ+V0kY/2IDLLpTgD/hLjBkjHr0EqJJ8KpjCvadtHXF7x6UUZKlFawAweq/ZX4k5usldwtxIydM8/J0sjPrSCzT/L5te3vx53c0wlqHr46/SLgtWDo5qC54nvG2nzxTEoxa8sI6D1MUKM9JfCTwbnbGw8EVWoebwFbYasnsxoGa2EOa5rwaQ50gpqnsQfKx8CE2badxJUHZybBYcgueeMJJY6XosGkhBbbA==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=UfwBaEXn4FnWE2ydhLWN5rUiwfhaiOm2oAfNVZWXFN4=;
b=HVSQG5ONLKYsCc0EX/6i9fWJTLlwzqZdsA2yagWbEdP7YyUMMjELoBOpnXfhYtGewm8MbDrWSAMxO1s6Qw//Bp5gXi7/3m2G6lZtlB/f4DXG9aX4SaLqmYmM/xWRbsqTMx/WhObAekUqzp//MAOppn3JAPVEbZ7SjNj9zQs7BJe1Xz2ERICVO9eY+zc/tUASUqoqnpeK3asiiaijRKz1z7teMb/gmvoGxw84a79R9s1mhSzh0Wae7ZmF9AQZ2k8VcE45D/pOmF6QHjAEwdxT6RcAW2Td9OfNeNFQLNs8+TiOdH4lOBTntZ5cIQBvFbigQDb75cF9vI7m9I2DpkcsjA==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is
23.83.209.24) smtp.rcpttodomain=mit.edu smtp.mailfrom=cryptonector.com;
dmarc=bestguesspass action=none header.from=cryptonector.com; dkim=pass
(signature was verified) header.d=cryptonector.com; arc=pass (0 oda=0 ltdi=0
93)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=UfwBaEXn4FnWE2ydhLWN5rUiwfhaiOm2oAfNVZWXFN4=;
b=HsH2sbgAcjm5Ldu59GdkvyqohWdhw4+dHkHVcAXeCH996vXdjf3WcBaUOVBSc5/ZNXPHpp1Z/bwss0vhIQONKZ0kQf/xImGgm/8F/DK48uWht6ybQ/lgsZ4F0G8LwyiHrRfvrgTMocTaycIEFjqkP2VIc3B4z30PwWQV94QO9f8=
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
b=Pz29OVWI6ccRgAOxr6BinQN4JV5bYG0ZJ6jLQt532FmqKZ3wmp75BhRRFj2A2aSNcKz8fzDc2PhQAJFhNOII70lBawd74E98Wor54Ho2XZ8hESQhhwkOJSbbt1U1+JkTZwc7USwHASGNehTvMxsAk51EJ1eTr5AhzSIIE5vaLYqR1Zai4838lLQT/p6hvxP1bP+5HrrhC4/pJb74gQ5mdCMl1dcnVSOryCXj8HZTCU+FamBvl8WMwdA+lrhKZXSJVGIbzllXO1BQUU5xN8E3UrrlcxxAS19slLFRl9RGFS6b8slmyAXZug4bVd1pet8UzWUZmheM+FXUfoLDocZ+0g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=UfwBaEXn4FnWE2ydhLWN5rUiwfhaiOm2oAfNVZWXFN4=;
b=Hv7Pu98/UBjt0/TSg62jdJp5Eqrj+aeZErVk8hINEx4a2Z0oDGF0YI5nqhk0TtFMxocKJFGd3cMVBNXBjB8404g7s/Iq758ct+jNzjsAlDhG+4qpp+6q2YriH5NRUaiQifgNwxbu4YJgEcnaMmGmyZO13mtysdZwk0Gjeg9JwOdBqBHMr6zTQfMKIISB3EvU1w22nKx/zeFRdTT2Q7MWoPPa/AaIhSz0l0+cdlwcyZUUYW7bbaVPLA1EwDH4XoYvRCLL42eWCOw3XFl13HF47vdZ7ManzAzMGSzG/z7WngkmpCA86NwumKrjBl4k8qxzOQr/XR4+OkyZ/muy8diFEg==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
23.83.209.24) smtp.rcpttodomain=mit.edu smtp.mailfrom=cryptonector.com;
dmarc=bestguesspass action=none header.from=cryptonector.com; dkim=pass
(signature was verified) header.d=cryptonector.com; arc=pass (0 oda=0 ltdi=0
93)
Authentication-Results: spf=pass (sender IP is 23.83.209.24)
smtp.mailfrom=cryptonector.com; dkim=pass (signature was verified)
header.d=cryptonector.com;dmarc=bestguesspass action=none
header.from=cryptonector.com;
Received-SPF: Pass (protection.outlook.com: domain of cryptonector.com
designates 23.83.209.24 as permitted sender) receiver=protection.outlook.com;
client-ip=23.83.209.24; helo=buffalo.birch.relay.mailchannels.net; pr=C
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1698352244; a=rsa-sha256;
cv=none;
b=MgZxcAVnypC3ggmagQUQ3aRJY7DzCHwGLeUDJ4ynL/MuDxypulFcQQgVF/t9vb7RSz/sjX
QEHK3cPM9NpxCGkknpZd2v7arjwHfDBB2+AooyxM9ib/tYpxurDL5Q59ypg04s/ZIbNyZF
V2OeXQOjlPN9mOVeB4R2wAeV79ZTJpLXTekyZ37hvQVvv2YuF+f4JHfUr2I5P63w/pyTng
dfd3LpXnWANzB4VOvjnKvsZy+KB6Ko3Cmro5PG4jFs7Q+pJwKKDTcp0A7NJTqF5AdpuKK1
qZvwrk7ZBGCL0UJhCb/2KcpYRDET/C5F9SNtPXEnVQbp8cdmbYqrkKeTG+kfgQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=mailchannels.net; s=arc-2022; t=1698352244;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references:dkim-signature;
bh=UfwBaEXn4FnWE2ydhLWN5rUiwfhaiOm2oAfNVZWXFN4=;
b=lWpk7vxTblKSNz6Yj6DotaoFoTNlaNctQq/MhcMi99TNtopGrV2mWwJpfjFniASc+VbXYm
LvAow0uf/bWApxViH8gOCgyXq+bwvHcUF6tTmQBhoqp/mvU7l93ZYWgVxDZ0ZqvylI6Pnb
oDSIDsTEdGnlCe4y6vwPwCVFq+CWPVGqllPkH6gL/cU+l0Dw1xHr8lkcS/Py4r4jKxVkYz
DlXTXzYTvDFBHfPDM5YTu968MvR5Eiq+/Fuf3wpD0CkyOTi48Ih80M37+KXON+4ghBFAU8
BI3+C8i8vXN+A7FYwRzdEarNA+6D3UzL6vY5Fb7Tg1/JCbUCxMSh+K0M4fabIw==
ARC-Authentication-Results: i=1; rspamd-86646d89b6-wxj67;
auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Whistle-Reaction: 5148dac73e5e6dba_1698352244165_1421127733
X-MC-Loop-Signature: 1698352244165:81062576
X-MC-Ingress-Time: 1698352244165
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com;
s=dreamhost; t=1698352243;
bh=UfwBaEXn4FnWE2ydhLWN5rUiwfhaiOm2oAfNVZWXFN4=;
h=Date:From:To:Cc:Subject:Content-Type:Content-Transfer-Encoding;
b=A9DbHGy2JOeVQcHkJmIC6ldAU7g+mXz4yOyWcLXp4xqbKzoI1sqktWmB6oUo4snGf
ivdmsscIRd68g4Aidlf2F7rw5mKxr6ViHag8M4cGiPfY2ooZLOxdxOGzqQUBCsMSQf
P8TbtX57jNVhmcoRR9eBi4CZp2Ocij5UaSe7Qf1SOU/zDkxKcndN57WMngOKX7VY9c
gs4SJTNykPpUUhwYL6VDmjK82Ir4dHlOmHRndr/383U8IVZy2/cJIAIRqw0xQYtWOM
2xFjWHvXpdLDA31r2bEssDC9y2cT2YKbdKOPMUCDXKkqTaz7IPfkkVDwDksi2Cvnap
lwy9oZfE7qZqQ==
Content-Disposition: inline
In-Reply-To: <ZTrKeZTsJOoxSkxe@ubby21>
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CO1PEPF000044F1:EE_|CYYPR01MB8565:EE_
X-MS-Office365-Filtering-Correlation-Id: c649e9e3-2354-4819-9fc1-08dbd6626e70
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: naMNay5qFqZW2sxMlPp1tV6O0no7S/0YKpseOOhJo9DE9g8jwwD/n5PZtZz+YtOtLljap0drs0zizNlH9ZIDArNxwPObr3UbP59I+mfYc/di2D3PQAW2xiWVvpH2MnPlU1TPGmYODXt9XceMQ8iR7pw1ywNbAaTMqWfoPIaI3/qdG7YLqBZBauME0jFQKB0gOO1P1SKUlQbsLPCphXUYCR2tk7tCK7N6T6bhd/uftUBIHkZXZE7WTlauN9J45JXOs5ZcbiwmNqTwlRHa5rEn7sQi9vhjcSI1QS9AiQOSkMxvrfULhGg8O8P9AvIqwMoQpPhrxR4icQG7zPzL+X0rFjsabW10y0duRG6d+gp4ZJEauXwIGfsdOVc9OdemD++iqoWRMjW0bw29peBXOJ5v6a/wE6RsAlIm8SAteHrvrDiZ8nFKPVkHho/67+BCmMPikbHGhDsG/xlCJsL9cEMnf0ntlbs4Yq4OuYBGdFfuB0n4DD/YO8+FeUQFvsBFZOmLKqM9PGcTdejXdH7bL5ysKi4R//uvIWa661l8IIqCHhCeF0L6Kc+zhIANPEwdZexTgS5fscD0JLthbvovyrq7/q8qVDbxsCtEimCgTaeXwuul11RwYFGkg0HoOEBv+jF7k6ql4PIqWRAUzLG3/hcLvrQCGEzGBG0RQIW/BoAlefj2NZyeuTorQ7nkCbR6NDUVPniw1EIjX2/+Sm5TK9jZsw==
X-Forefront-Antispam-Report: CIP:23.83.209.24; CTRY:CA; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:buffalo.birch.relay.mailchannels.net;
PTR:buffalo.birch.relay.mailchannels.net; CAT:NONE;
SFS:(13230031)(4636009)(39860400002)(346002)(376002)(136003)(396003)(61400799006)(451199024)(48200799006)(64100799003)(83380400001)(66899024)(55016003)(786003)(86362001)(9686003)(68406010)(70586007)(316002)(498600001)(5660300002)(6862004)(26005)(9576002)(8676002)(2906002)(53546011)(4326008)(956004)(7636003)(6266002)(7596003)(336012)(356005)(33716001);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Oct 2023 20:30:44.9195 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c649e9e3-2354-4819-9fc1-08dbd6626e70
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: CO1PEPF000044F1.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CYYPR01MB8565
X-OriginatorOrg: mitprod.onmicrosoft.com
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <ZTrMcEbjAX8VZsU2@ubby21>
X-Mailman-Original-References: <ZTk62q0DIAZmW0eL@ubby21>
<CALF+FNwtDrQ0d+a=zsXyiYq6rhOiXXkqoxUnscwum0Q0wchLJQ@mail.gmail.com>
<202310261741.39QHfgIl030099@hedwig.cmf.nrl.navy.mil>
<ZTqtQYPlzdpQGyr+@ubby21>
<202310261827.39QIRu4Q000307@hedwig.cmf.nrl.navy.mil>
<ZTqw9+Etcwo8SqR4@ubby21>
<202310261838.39QIcl16000930@hedwig.cmf.nrl.navy.mil>
<ZTrAlh0a/+Vq5P4f@ubby21>
<CALF+FNxK2mrQFg_bKnBHoZFxg9B4pKRzzV9NqP1+rm0LbWLbAQ@mail.gmail.com>
<ZTrKeZTsJOoxSkxe@ubby21>
 by: Nico Williams - Thu, 26 Oct 2023 20:30 UTC

On Thu, Oct 26, 2023 at 03:22:17PM -0500, Nico Williams wrote:
> On Thu, Oct 26, 2023 at 03:58:57PM -0400, Jeffrey Hutzelman wrote:
> > On Thu, Oct 26, 2023 at 3:41 PM Nico Williams <nico@cryptonector.com> wrote:
> > > So what can you do? Well, you could build an online kerberized CA that
> > > vends short-lived OpenSSH-style certificates, then use that for SSH.
> >
> > OpenSSH apparently does not support X.509 certificates because they believe
> > there is too much complexity. This is roughly the same problem we had with
> > getting GSS support into OpenSSH -- they are afraid of security technology
> > they didn't invent.
>
> For GSS-KEYEX they have a point: that the CNAME chasing behavior of
> Kerberos libraries is problematic. [...]

Also, they can run GSS and PKI code privsep'ed, though they'd need a way
to do that on the client side too (on OpenBSD they have pledge(2) for
that, but that's not portable).

For PKIX they could just have used Heimdal's ASN.1 compiler, and fuzz
the crap out of it (we do), and that would probably have been better
than building a new certificate system.

Though ideally we should be using memory-safe languages for all of this
and leave C in the dust. That's just a long, slow slog though.

Nico
--

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor