[krbdev.mit.edu #8974] Add new PAC_INFO_BUFFER structure for compatibility with latest MS-PAC update

Alexander Bokovoy via RT rt-comment at krbdev.mit.edu
Thu Dec 31 15:06:03 EST 2020 

Thu Dec 31 15:06:03 2020: Request 8974 was acted upon.
 Transaction: Ticket created by abokovoy at redhat.com
       Queue: krb5
     Subject: Add new PAC_INFO_BUFFER structure for compatibility with latest MS-PAC update
       Owner: Nobody
  Requestors: abokovoy at redhat.com
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8974 >


Hello,

Microsoft updated MS-PAC specification with the details of the extension
to fix CVE-2020-17049[1].

As this is yet another signature structure, it needs to be produced and
verified by the KDC, like the existing ones.

MS-PAC update change file can seen in [2]

Relevant section change is quoted below:
--------------------------------------------
2.8.3 (Added Section) Ticket Signature

The ticket signature<17> is generated by the issuing KDC and depends on the cryptographic
algorithms available to the KDC. The ulType field of the PAC_INFO_BUFFER structure (section 2.4)
corresponding to the ticket signature will contain the value 0x00000010. The SignatureType MUST
match the SignatureType in the KDC signature and the key used MUST be the same. The Key Usage
Value MUST be KERB_NON_KERB_CKSUM_SALT [17] ([MS-KILE] section 3.1.5.9). The KDC will use
KDC (krbtgt) key [RFC4120], so that other KDCs can verify this signature on receiving a PAC.

The ticket signature is used to detect tampering of tickets by parties other than the KDC. The ticket
signature SHOULD be included in tickets that are not encrypted to the krbtgt account (including the
change password service) or to a trust account.

The KDC signature is a keyed hash [RFC4757] of the ticket being issued less the PAC itself. To
compute the data to be checksummed, first the KDC must otherwise complete the TGT-REQ and
construct the final service ticket. The ad-data in the PAC’s AuthorizationData element ([RFC4120]
section 5.2.6) is replaced with a single zero byte, and the EncTicketPart ([RFC4120] section 5.3) is
encoded using the ASN.1 Distinguished Encoding Rules (DER).

The resulting hash is placed in the Signature field of the KDC's PAC_SIGNATURE_DATA structure
(section 2.8).

When a ticket is altered as during renewal ([RFC4120] section 2.3), the KDC SHOULD verify the
integrity of the existing ticket signature and then recompute the ticket signature, server signature,
and KDC signature in the PAC.
--------------------------------------------

[1] CVE resources:
CVE details:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
Fix deployment:
https://support.microsoft.com/en-us/help/4598347/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049
Reporter's blog: https://blog.netspi.com/cve-2020-17049-kerberos-bronze-bit-overview/
[2] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-201123-diff.pdf

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

More information about the krb5-bugs mailing list