Re: RFC 4121 & acceptor subkey use in MIC token generation
https://www.novabbs.com/devel/article-flat.php?id=410&group=comp.protocols.kerberos#410

From: nic...@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 17:31:17 -0500
Organization: TNet Consulting
Lines: 14
Message-ID: <mailman.34.1698359486.2263420.kerberos@mit.edu>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Jeffrey Hutzelman <jhutz@cmu.edu>
In-Reply-To: <CALF+FNzM=egHeLLcqnVJpNv5kzQ7dq1sONP3Ba18Q2av-5f54w@mail.gmail.com>

On Thu, Oct 26, 2023 at 06:26:18PM -0400, Jeffrey Hutzelman wrote:
> The gss-keyex userauth method is just an optimization; it prevents you
> having to actually run the GSSAPI exchange again after you've already used
> one of the GSSAPI-based keyex methods. The real win is in the GSSAPI-based
> keyex methods themselves, which are useful (and exist) because they avoid
> having to pick one of these:
>
> [...]

All true. But you forgot the other benefit: automatic re-delegation of
credentials prior to expiration.

Nico