query about a possible "KRB5KEYLOGFILE" feature, to log session keys

https://www.novabbs.com/devel/article-flat.php?id=517&group=comp.protocols.kerberos#517

From: res...@qoxp.net (Richard E. Silverman)
Newsgroups: comp.protocols.kerberos
Subject: query about a possible "KRB5KEYLOGFILE" feature, to log session keys
Date: Sun, 17 Mar 2024 23:33:30 -0400 (EDT)
Organization: TNet Consulting
Lines: 30
Message-ID: <mailman.65.1710732820.2322.kerberos@mit.edu>
References: <08dd4568-38a3-0137-35c7-4ea43647dad6@qoxp.net>
To: MIT Kerberos <kerberos@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
 by: Richard E. Silverman - Mon, 18 Mar 2024 03:33 UTC

Hello,

I have a patch to libkrb5 which implements a feature similar to the SSLKEYLOGFILE environment variable that’s now in pretty wide use for TLS: it logs session keys to a keytab named by KRB5KEYLOGFILE. The main use for this, just as with the TLS version, is to decrypt packet captures with Wireshark; the latter’s KRB5 dissector takes a keytab as input.

Prior to making this patch I would just export session keys from the client ccache using a little program I wrote to do that. But there are two situations motivating KRB5KEYLOGFILE for which that method doesn’t work:

1. Newer public-key based Kerberos extensions such as PKINIT and SPAKE produce session keys which never end up in the ccache or on the wire at all, and (deliberately) cannot be derived by a passive observer; and

2. A client may not have access to the session keys in its ccache, e.g. if it’s using gssproxy.

The patch is in a primitive state right now, just a hack I keep in an MIT Kerberos build I use for debugging, or for producing sample packet captures for study. I have thought about cleaning it up to contribute it, but first wanted to check whether you’d be interested in taking it at all.

Thanks,

Richard Silverman
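
A sketch of the file-writing side of such a feature, added here as an illustration and not taken from Silverman's patch or from MIT Kerberos: it appends session keys in the MIT keytab file format (version 0x0502, the format the Wireshark KRB5 dissector loads) and parses them back so the contents of a keylog can be checked. The principal names, enctype numbers (17 and 18 are the IANA aes128/aes256-cts-hmac-sha1-96 values) and key bytes used with it are constructed sample values, and the 0600 file mode is an assumption about how a keylog holding live key material should be created.

```python
import os
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1        # name type for ordinary principals

def keytab_entry(principal, enctype, key, kvno=0, timestamp=None):
    """One v2 entry for 'comp1/comp2@REALM': int32 size, num_components, realm,
    components (each uint16 length + bytes), name_type, timestamp, vno8, keyblock, vno32."""
    name, realm = principal.rsplit("@", 1)
    parts = [p.encode() for p in [realm] + name.split("/")]   # realm is stored first
    ts = int(time.time()) if timestamp is None else timestamp
    body = struct.pack(">H", len(parts) - 1)                    # realm is not counted
    body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def append_keylog(path, principal, enctype, key, kvno=0):
    """Append a session key to the keylog keytab; the file is created mode 0600
    (assumed policy) because it holds live key material. Returns bytes written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "ab") as f:
        header = KEYTAB_MAGIC if os.fstat(fd).st_size == 0 else b""
        return f.write(header + keytab_entry(principal, enctype, key, kvno))

def parse_keytab(data):
    """Decode a v2 keytab into (principal, enctype, key, kvno) tuples, e.g. to
    check which tickets in a capture the keylog can decrypt."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                     # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            pos, parts = pos + 2, []
            for _ in range(ncomp + 1):   # realm first, then each name component
                (n,) = struct.unpack_from(">H", data, pos)
                parts.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _nt, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
            key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
            vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            out.append(("/".join(parts[1:]) + "@" + parts[0], etype, key, vno))
        pos = end
    return out
```

The resulting file can be handed to Wireshark as its KRB5 keytab exactly like one produced by ktutil.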
