[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Sam Hartman <hartmans@debian.org>] Re: Interoperability betweenMIT and Heimdal wrt to MIC verification?

To: heimdal-discuss@sics.se
Subject: [Sam Hartman <hartmans@debian.org>] Re: Interoperability betweenMIT and Heimdal wrt to MIC verification?
From: Sam Hartman <hartmans@MIT.EDU>
Date: Wed, 06 Nov 2002 18:46:47 -0500
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.2(i386-debian-linux-gnu)

Hi.  There has been a bit of discussion on krbdev@mit.edu about a bug
reported by Olaf Kirch <okir@suse.de> in Heimdal's handling of get_mic
for the 3des GSSAPI support.

Some MIT users were running into the problem and we wanted to look at
whether we could add compatibility.  We decided against.

To: Andreas Hasenack <andreas@conectiva.com.br>, krbdev@mit.edu

Subject: Re: Interoperability between MIT and Heimdal wrt to MICverification?

From: Sam Hartman <hartmans@debian.org>

Date: Wed, 06 Nov 2002 18:05:25 -0500

Cc: Olaf Kirch <okir@suse.de>,Graeme Mathieson <mathie+debian-kerberos@wossname.org.uk>,debian-kerberos@mekinok.com

In-Reply-To: <tslsmyea9u3.fsf@konishi-polis.mit.edu> (Sam Hartman's messageof "Wed, 06 Nov 2002 12:26:12 -0500")

List-Archive: <http://mailman.mit.edu/pipermail/krbdev/>

List-Help: <mailto:krbdev-request@mit.edu?subject=help>

List-Id: Kerberos Developers Mailing List <krbdev.mit.edu>

List-Post: <mailto:krbdev@mit.edu>

List-Subscribe: <http://mailman.mit.edu/mailman/listinfo/krbdev>,<mailto:krbdev-request@mit.edu?subject=subscribe>

List-Unsubscribe: <http://mailman.mit.edu/mailman/listinfo/krbdev>,<mailto:krbdev-request@mit.edu?subject=unsubscribe>

References: <20021104183558.GQ23530@conectiva.com.br><20021105101830.C29673@suse.de><tsl3cqf63qb.fsf@konishi-polis.mit.edu><20021106123039.GB8724@conectiva.com.br><tslsmyea9u3.fsf@konishi-polis.mit.edu>

Sender: krbdev-admin@MIT.EDU

User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.2(i386-debian-linux-gnu)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



I've looked at the patch supplied and apparently what is happening is
that Heimdal does not use an IV for the sequence number in 3des MICs.

Unfortunately, the IV is part of the security of an RFC 1964 GSSAPI
mechanism's sequence number.  The IV binds the sequence number to the
packet checksum to prevent an attacker from glueing a sequence number
from one packet into another.  Without this binding, GSSAPI's replay
detection is broken.

As such, The MIT Kerberos Team has decided not to implement
compatibility in our gss_verify_mic with the current Heimdal
behavior.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQE9yaAo/I12czyGJg8RAstWAJ9uNr7yfO95Zd/Thp3mi7dRK2zpnQCfd8y/
wOe3LRNzCG58MKbDzm+limo=
=sEOe
-----END PGP SIGNATURE-----
_______________________________________________
krbdev mailing list             krbdev@mit.edu
http://mailman.mit.edu/mailman/listinfo/krbdev

Next by Date: apache2+mod_auth_kerb+heimdal
Next by thread: apache2+mod_auth_kerb+heimdal
Index(es):
- Date
- Thread