wrong checksum type for arcfour-hmac-md5

[Nicolas Williams]

On Thu, Sep 16, 2010 at 12:39:32PM -0400, Greg Hudson wrote:
> On Thu, 2010-09-16 at 12:21 -0400, Luke Howard wrote:
> > Here we have to balance security against interoperability. Is it
> > possible to get the third-party server fixed?
> 
> I don't think there's a security issue here; the authenticator checksum
> doesn't need to be keyed.  The question is what the fix looks like:
> 
> 1. Samba uses a proper GSSAPI checksum in its homegrown GSSAPI code.
> This is the ideal fix, but might be too difficult.
> 
> 2. Samba uses krb5_auth_con_set_req_cksumtype() to cause an MD5 checksum
> to be used when the enctype is RC4.
> 
> 3. MIT krb5 switches to using MD5 checksums with RC4 keys in
> authenticators only.
> 
> The downside of (3) is that it's extra complexity in our code base for
> the sake of an improper use case (Samba using regular AP-REQ checksums
> in a GSSAPI AP-REQ).  The upside is that it makes us consistent with
> Heimdal and MS clients.

I prefer (1) -- it's not that hard since MIT krb5 already has the
necessary hook for this, and that is how the MIT krb5 GSS mech installs
that 0x8003 "checksum".  Besides, it will give Samba's implementation of
the krb5 mech a better chance to evolve, which will probably turn out to
be necessary in the future.

(Incidentally, many, many years after RFC1964 we're still paying a
price for that 0x8003 hack.  It pays to do things cleanly.)

Nico
--