PRF for des3-cbc-hmac-sha1-kd

Srinivas Cheruku srinivas.cheruku at gmail.com
Fri Apr 3 00:13:10 EDT 2009 

For me, your changes look good.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Yukiyo Akisada
Sent: 01 April 2009 13:46
To: kerberos at mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd

Hi, all.

I may misunderstand RFC 3961,
but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
PRF on Simplified Profile as its pseudo-random function.

Now, I want to use PRF function
from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.

    Krb5: <http://search.cpan.org/dist/Krb5/>

But, PRF function for ENCTYPE_DES3_CBC_SHA1 has not be
defined in <krb5-1.6.3/src/lib/crypto/etypes.c>.

Indeed,
I need some modification into Krb5-1.8 to export prf function from
krb5-1.6.3,
but I also need the following modification into krb5-1.6.3.

In this moment,
the following modification matches with my expected behavior,
but I'm not sure whether this modification against krb5-1.6.3 is correct or
not.

Do you have any idea about this?

    --- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01
17:02:56.000000000 +0900
    +++ krb5-1.6.3/src/lib/crypto/etypes.c  2009-04-01 14:42:01.000000000
+0900
    @@ -94,26 +94,26 @@
         { ENCTYPE_DES3_CBC_SHA1,
           "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
           &krb5int_enc_des3, &krb5int_hash_sha1,
    -      8,
    +      16,
           krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
           krb5int_dk_string_to_key,
    -      NULL, /*PRF*/
    +      krb5int_dk_prf, /*PRF*/
           CKSUMTYPE_HMAC_SHA1_DES3 },
         { ENCTYPE_DES3_CBC_SHA1,   /* alias */
           "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
           &krb5int_enc_des3, &krb5int_hash_sha1,
    -      8,
    +      16,
           krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
           krb5int_dk_string_to_key,
    -      NULL, /*PRF*/
    +      krb5int_dk_prf, /*PRF*/
           CKSUMTYPE_HMAC_SHA1_DES3 },
         { ENCTYPE_DES3_CBC_SHA1,   /* alias */
           "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
           &krb5int_enc_des3, &krb5int_hash_sha1,
    -      8,
    +      16,
           krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
           krb5int_dk_string_to_key,
    -      NULL, /*PRF*/
    +      krb5int_dk_prf, /*PRF*/
           CKSUMTYPE_HMAC_SHA1_DES3 },

         { ENCTYPE_DES_HMAC_SHA1,

Regards,


-- 
Yukiyo Akisada <akisada at tahi.org>
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list