[krbdev.mit.edu #1248] SAM uses RC4 insecurely
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Fri Nov 8 00:31:07 EST 2002
Hi. The definition of dr in src/lib/crypto/combine_keys.c mishandles
the rc4 enctype. In particular, it will encrypt the constant using
rc4 directly in the long-term key. No cipher state is used for rc4,
so the rc4 PRNG is always positioned at the same point in the cipher
stream.
Effectively, for rc4, dr(k, c) is c^rc4(k). That's problematic
because:
dr(k,c1)^dr(k, c2)
= c1^rc4(k)^rc4(k)^c2
= c1^c2
So if you know c1, c2 and dr(k,c1) you can find out the first few bits
of rc4(k).
I have not yet worked through the implications of this for
combine-keys, but it becomes clear to me that:
* dr must be defined per crypto-system
* The current dr for rc4 is unacceptable even if combine-keys end up
being secure
* If SAM is going to use dr, it must be required to be defined for
each crypto system.
If these problems are not fixed by the 1.3 release, the SAM changes
must be backed out.
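The property derived in the report above, as an added illustration that is not part of the report or of MIT's krb5 code: a dr that restarts RC4 from the same keystream position on every call, the XOR cancellation dr(k,c1)^dr(k,c2) = c1^c2, and the keystream prefix that a known constant exposes. The key and constants are constructed; the HMAC variant at the end is included only as a contrast and is not the fix MIT adopted.

```python
import hashlib
import hmac

# Constructed sample values for this illustration (not real Kerberos keys).
KEY = b"constructed-long-term-key"


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of PRGA output from position 0."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dr_stateless_rc4(key: bytes, const: bytes) -> bytes:
    # No cipher state is carried between calls, so every derivation uses
    # the same keystream prefix: dr(k, c) == c ^ rc4(k).
    return xor(const, rc4_keystream(key, len(const)))


def constants_cancel(key: bytes, c1: bytes, c2: bytes) -> bool:
    # dr(k,c1) ^ dr(k,c2) == c1 ^ c2: the key drops out entirely.
    return xor(dr_stateless_rc4(key, c1), dr_stateless_rc4(key, c2)) == xor(c1, c2)


def keystream_leak(key: bytes, known_const: bytes) -> bytes:
    # Knowing c and dr(k, c) yields the keystream prefix rc4(k) without k,
    # which is why this construction cannot serve as a key derivation.
    return xor(dr_stateless_rc4(key, known_const), known_const)


def dr_keyed_prf(key: bytes, const: bytes) -> bytes:
    # Contrast only (hypothetical, not MIT's fix): with a keyed PRF the
    # XOR of two derived values reveals nothing about c1 ^ c2.
    return hmac.new(key, const, hashlib.sha256).digest()
```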