Key derivation when encrypting the sequence number in gss_wrap

Joseph Harfouch harfouj at
Fri Jan 6 01:11:10 EST 2006

Hi Sam,

Thanks very much for the quick and informative reply.

The encryption type that we are using in the test case is encryption type
16 (des3-cbc-sha1-kd in RFC 3961). RFC 3961 states that key derivation for
this encryption type should be taking place, but I can only find out how
that is done in RFC 4120 (Section 7.5.1) for Kerberos with the designation
of usage values .  In that section they state that values "22-25.  Reserved
for use in the Kerberos Version 5 GSS-API mechanisms [RFC4121]." However,
RFC 4121 is for version 2 of the GSSAPI, and I cannot find an RFC that
states the values for version 1 of GSSAPI. I only find this draft document
which seems to match what every one is trying to do.

The document is

"Triple-DES Support for the Kerberos 5 GSSAPI Mechanism"

and in this document, they state the values below

"3. Key Derivation

   For purposes of key derivation, we add three new usage values to the
   list defined in [KrbRev]; one for signing messages, one for sealing
   messages, and one for encrypting sequence numbers:

   |             name                                    value          |
   |         KG_USAGE_SEAL                                22            |
   |         KG_USAGE_SIGN                                23            |
   |         KG_USAGE_SEQ                                 24            |

So, all of this matches with your recollection that there is no RFC, but a
draft document.

As I said, I am fairly new to Kerberos and GSSAPI, so I'm not sure of the
history of how things developed, but it seems that our code and your code
is very similar to this draft, that it was trying to follow it (Although, I
don't know how the draft have changed of course).

So I think the intention was to do key derivation where the encryption type
called for it (Otherwise we would not have used these usage values in the
code, if they never would have an effect), and if another implementation is
doing this correctly, we cannot ask them to change to conform to our
incorrect behavior. In other words, the fact that the document is a draft,
and not an RFC would have been more relevant if we didn't try to follow it
at all. We seem to be doing key derivation correctly for the checksum
(KG_USAGE_SIGN), but not when encryption (kG_USAGE_SEQ or KG_USAGE_SEAL).

I appreciate the reluctance to change when there is no RFC to describe the
correct behaviour, and the fact that AES migration would fix the problem.
For our mainframe implementation, we have lot of backward compatibility
issues, so we cannot rely on this change taking place rapidly. Anyway,
please let us know if a change in this area would be forthcoming or not. I
am also wondering how many other platforms have the same behavior, and
whether you received similar questions from other implementations.

Thank you very much for your assistance.

Regards, Joseph

             Sam Hartman                                                   
             <hartmans-ietf at mi                                             
   >                                                     To 
             01/06/2006 04:20          Harfouch/Australia/Contr/IBM at IBMAU  
             AM                                                         cc 
                                       krbdev at                      
                                       Re: Key derivation when encrypting  
                                       the sequence number in gss_wrap     

>>>>> "Joseph" == Joseph Harfouch <harfouj at> writes:

    Joseph> We recently had a problem interoperating with a JAVA
    Joseph> implementation of Kerberos/gss. The problem is that JAVA
    Joseph> seems to be doing a key derivation when encrypting the
    Joseph> sequence number in gss_wrap (Which I think is the correct
    Joseph> behavior for encryption type ENCTYPE_DES3_CBC_SHA1), and

What leads you to believe this is the correct behavior?
I.E. what spec are you trying to follow?

    Joseph>     Joseph> we don't.  However, we seem to interoperate
correctly with
    Joseph> you which seems to suggest that you have the same behavior
    Joseph> as us (Which we believe to be faulty).

    Joseph> The code in kg_encrypt suggests that you are trying to do
    Joseph> key derivation using KG_USAGE_SEQ , but since the
    Joseph> encryption of ctx->seq has been modified earlier to
    Joseph> ENCTYPE_DES3_CBC_RAW in krb5_gss_accept_sec_context, and
    Joseph> that encryption type does not perform key derivation, no
    Joseph> derivation is performed, and changing the USAGE value in
    Joseph> the kg_encrypt call in kg_make_seq_num (The file is
    Joseph> util_seqnum.c) has no effect.

I believe your understanding is correct.  This was a bug in our 3des
GSSAPI implementation, but we ended up shipping with this behavior and
since no spec was ever written that's how it works.

    Joseph> We are still in the early stages of investigating the
    Joseph> problem, but we are concerned that any fix we do, does not
    Joseph> break interoperability with you, but we want to correctly
    Joseph> follow the RFC of course. Could you please give us your
    Joseph> opinion/analysis of this.

I'm not aware of any RFC (or plan to write an RFC) describing 3DES
GSSAPI.  There was an internet draft at one point, but I seem to
recall that draft not actually describing what was done.  I think the
sequence number may well be the major problem with the draft.

I'm not opposed to writing a document describing 3DES GSSAPI.  I agree
it would be useful.  However I just don't know anyone who has agreed
to do the work.

Long term we hope RFC 4121 will make this sort of problem unnecessary
as everyone migrates to AES.

More information about the krbdev mailing list