Fwd: [krbdev.mit.edu #4975] Checksum type 14 undefined
Kevin Coffman
kwc at citi.umich.edu
Mon Dec 4 09:21:37 EST 2006
---------- Forwarded message ----------
From: Kevin Coffman via RT <rt-comment at krbdev.mit.edu>
Date: Dec 1, 2006 6:11 PM
Subject: [krbdev.mit.edu #4975] Checksum type 14 undefined
To:

If the Windows 2003 KDC returns a pkinit reply with a checksum rather
than the insecure nonce, it uses checksum type 14. This type is defined
in RFC3961, but not in the current code. I'm assuming that
Vista/Longhorn will also use this checksum type.

If we hack the pkinit code to use checksum type 9 when we get back 14,
it works. I do not know if a simple alias of type 9 is the correct answer.

---------- End Forwarded message ----------
Looking at this closer, rfc3961 defines checksum type 9 as rsa-md5-des3

Checksum type              sumtype        checksum         section or
                           value          size             reference
---------------------------------------------------------------------
CRC32                            1               4           6.1.3
rsa-md4                          2              16           6.1.2
rsa-md4-des                      3              24           6.2.5
des-mac                          4              16           6.2.7
des-mac-k                        5               8           6.2.8
rsa-md4-des-k                    6              16           6.2.6
rsa-md5                          7              16           6.1.1
rsa-md5-des                      8              24           6.2.4
rsa-md5-des3                     9              24             ??
sha1 (unkeyed)                  10              20             ??
hmac-sha1-des3-kd               12              20            6.3
hmac-sha1-des3                  13              20             ??
sha1 (unkeyed)                  14              20             ??
hmac-sha1-96-aes128             15              20         [KRB5-AES]
hmac-sha1-96-aes256             16              20         [KRB5-AES]
[reserved]                  0x8003               ?         [GSS-KRB5]

but krb5.h has 9 as CKSUMTYPE_NIST_SHA.

#define CKSUMTYPE_CRC32                 0x0001
#define CKSUMTYPE_RSA_MD4               0x0002
#define CKSUMTYPE_RSA_MD4_DES           0x0003
#define CKSUMTYPE_DESCBC                0x0004
/* des-mac-k */
/* rsa-md4-des-k */
#define CKSUMTYPE_RSA_MD5               0x0007
#define CKSUMTYPE_RSA_MD5_DES           0x0008
#define CKSUMTYPE_NIST_SHA              0x0009
#define CKSUMTYPE_HMAC_SHA1_DES3        0x000c
#define CKSUMTYPE_HMAC_SHA1_96_AES128   0x000f
#define CKSUMTYPE_HMAC_SHA1_96_AES256   0x0010
#define CKSUMTYPE_HMAC_MD5_ARCFOUR      -138 /*Microsoft md5 hmac cksumtype*/

Am I just confused?
Thanks,
K.C.
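
The cross-check the message does by eye, as an added example (not code from the message or from MIT krb5): it compares the two tables quoted above number by number and reports where krb5.h disagrees with RFC 3961 or lacks an assignment. The struct, the function names and the algorithm label attached to each krb5.h macro are assumptions made for this example; the -138 Microsoft value lies outside the RFC range and is left out.

```c
#include <stdio.h>
#include <string.h>
struct entry { int num; const char *alg; const char *macro; };
#define N(a) (sizeof(a) / sizeof((a)[0]))
/* RFC 3961 assignments as quoted in the message (macro left unset). */
static const struct entry rfc3961[] = {
    {1, "CRC32"}, {2, "rsa-md4"}, {3, "rsa-md4-des"}, {4, "des-mac"}, {5, "des-mac-k"},
    {6, "rsa-md4-des-k"}, {7, "rsa-md5"}, {8, "rsa-md5-des"}, {9, "rsa-md5-des3"},
    {10, "sha1 (unkeyed)"}, {12, "hmac-sha1-des3-kd"}, {13, "hmac-sha1-des3"},
    {14, "sha1 (unkeyed)"}, {15, "hmac-sha1-96-aes128"}, {16, "hmac-sha1-96-aes256"},
};
/* krb5.h values as quoted; the alg label per macro is this example's assumption. */
static const struct entry krb5_h[] = {
    {0x0001, "CRC32", "CKSUMTYPE_CRC32"}, {0x0002, "rsa-md4", "CKSUMTYPE_RSA_MD4"},
    {0x0003, "rsa-md4-des", "CKSUMTYPE_RSA_MD4_DES"}, {0x0004, "des-mac", "CKSUMTYPE_DESCBC"},
    {0x0007, "rsa-md5", "CKSUMTYPE_RSA_MD5"}, {0x0008, "rsa-md5-des", "CKSUMTYPE_RSA_MD5_DES"},
    {0x0009, "sha1 (unkeyed)", "CKSUMTYPE_NIST_SHA"},
    {0x000c, "hmac-sha1-des3-kd", "CKSUMTYPE_HMAC_SHA1_DES3"},
    {0x000f, "hmac-sha1-96-aes128", "CKSUMTYPE_HMAC_SHA1_96_AES128"},
    {0x0010, "hmac-sha1-96-aes256", "CKSUMTYPE_HMAC_SHA1_96_AES256"},
};
enum status { MATCH, CONFLICT, MISSING, UNASSIGNED };
static const struct entry *find(const struct entry *t, size_t n, int num) {
    for (size_t i = 0; i < n; i++)
        if (t[i].num == num) return &t[i];
    return NULL;
}
/* How the header treats a checksum number that arrives on the wire. */
enum status classify(int num) {
    const struct entry *r = find(rfc3961, N(rfc3961), num);
    const struct entry *h = find(krb5_h, N(krb5_h), num);
    if (!r) return UNASSIGNED;                 /* RFC assigns nothing here */
    if (!h) return MISSING;                    /* RFC assigns it, header lacks it */
    return strcmp(r->alg, h->alg) ? CONFLICT : MATCH;
}
/* Header entry implementing the algorithm the RFC assigns to num, or NULL. */
const struct entry *local_impl_for(int num) {
    const struct entry *r = find(rfc3961, N(rfc3961), num);
    for (size_t i = 0; r && i < N(krb5_h); i++)
        if (strcmp(krb5_h[i].alg, r->alg) == 0) return &krb5_h[i];
    return NULL;
}
int main(void) {
    static const char *label[] = {"match", "CONFLICT", "missing", "unassigned"};
    for (int n = 1; n <= 16; n++)
        printf("%2d %-10s local algorithm: %s\n", n, label[classify(n)],
               local_impl_for(n) ? local_impl_for(n)->macro : "(none)");
    return 0;
}
```

Under these labels, 14 comes out as missing with CKSUMTYPE_NIST_SHA as the local implementation of the same algorithm, and 9 comes out as a conflict because the header and the RFC name different algorithms for that number.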