RT/krbdev.mit.edu: Ticket #6886 rc4-hmac weak key checks break interoperability
The Basics
Id: 6886
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component:
Tags:
Version_reported:
Version_Fixed: 1.9.2
Target_Version: 1.9.1

Relationships
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:
Dates
Created: Fri Mar 25 15:27:33 2011
Starts: Not set
Started: Mon Mar 28 19:35:54 2011
Last Contact: Thu Jun 9 17:08:44 2011
Due: Not set
Updated: Wed Dec 16 18:02:57 2015 by tlyu
 

People
Owner: ghudson
Requestors: jaltman@mit.edu
Cc:
AdminCc:


History
      Fri Mar 25 15:27:34 2011  jaltman - Ticket created    
     
Subject: rc4-hmac weak key checks break interoperability

In k5_arcfour_init() src/lib/crypto/enc_provider/rc4.c MIT's
implementation of RC4 has a check for two families of weak keys.
Those beginning with either of the following three octet sequences:

  arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
  arcfour_weakkey2[] = {0x03, 0xfd, 0xfc};

If a key in either of these families is detected in k5_arcfour_init(),
the error KRB5DES_WEAK_KEY is returned to the caller.

In my reading of RFC 3961 and RFC 4757 I do not come across any
indication that a weak key test should be applied when RC4 is used with
Kerberos or GSS.  When used with GSS the weak key test is especially
problematic.  For example, each call to gss_wrap() generates a new per
message RC4 key as each message is treated by RFC 4757 as a new RC4
keystream.  The RC4 key is generated using the sequence number as input
using the following call sequence:

  gss_wrap -> gss_seal -> k5glue_seal -> krb5_gss_seal -> kg_seal ->
  make_seal_token_v1 -> kg_make_seq_num -> kg_arcfour_docrypt ->
  k5_arcfour_docrypt -> k5_arcfour_init

An application calling gss_wrap() experiences a random behavior.  When a
KRB5DES_WEAK_KEY error is returned from k5_arcfour_init(), it is never
handled and the gss_wrap() call fails.  This can happen relatively
quickly or can require hundreds of thousands of messages.  Regardless,
if the GSS context is used to send enough messages, the error will be
thrown.

Please remove the weak key checks for RC4.  In the absence of any
standards action, throwing an error condition when a weak key is
detected becomes a usability problem, as there is no method by which an
application can safely recover from an error being thrown.

Jeffrey Altman


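The following is an added example, not krb5's own rc4.c and not code from the ticket's author. It models the prefix check the ticket describes (a key is rejected when its first three octets match either cited prefix) and quantifies the failure mode the ticket reports: if each gss_wrap() derives a fresh per-message key and those keys are spread roughly uniformly, the check rejects 2 out of every 2^24 keys, so a long-lived context fails with a probability that grows with the message count. The function names (arcfour_key_is_weak, arcfour_failure_probability, and the helpers) are invented for this example, the sample keys are constructed, and treating keys shorter than three octets as non-matching is an assumption of this model, not a statement about the original code.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example (not krb5 code): models the weak-key prefix check that the
 * ticket describes in k5_arcfour_init(), and quantifies how often a
 * per-message key would be rejected if keys were drawn uniformly at random.
 */

/* The two 3-octet prefixes the ticket cites. */
static const unsigned char arcfour_weakkey1[] = {0x00, 0x00, 0xfd};
static const unsigned char arcfour_weakkey2[] = {0x03, 0xfd, 0xfc};

/* Return 1 if key begins with either weak prefix, 0 otherwise.
 * Assumption of this model: keys shorter than the prefix cannot match. */
int arcfour_key_is_weak(const unsigned char *key, size_t len)
{
    if (len < sizeof(arcfour_weakkey1))
        return 0;
    if (memcmp(key, arcfour_weakkey1, sizeof(arcfour_weakkey1)) == 0)
        return 1;
    if (memcmp(key, arcfour_weakkey2, sizeof(arcfour_weakkey2)) == 0)
        return 1;
    return 0;
}

/* Convenience wrapper: classify a key by its first three octets only. */
int arcfour_prefix_is_weak(unsigned char b0, unsigned char b1, unsigned char b2)
{
    unsigned char prefix[3];
    prefix[0] = b0;
    prefix[1] = b1;
    prefix[2] = b2;
    return arcfour_key_is_weak(prefix, sizeof(prefix));
}

/* Fraction of uniformly random keys (of at least 3 octets) that the check
 * rejects: 2 prefixes out of 2^24 possible 3-octet prefixes. */
double arcfour_weak_key_fraction(void)
{
    return 2.0 / 16777216.0;  /* 2 / 2^24 */
}

/* base^n by repeated squaring, so the example needs no libm. */
static double pow_double(double base, unsigned long n)
{
    double result = 1.0;
    while (n > 0) {
        if (n & 1UL)
            result *= base;
        base *= base;
        n >>= 1;
    }
    return result;
}

/* Probability that at least one of n independent per-message keys is
 * rejected, i.e. that a gss_wrap() call fails somewhere within n messages.
 * Assumes per-message keys are uniformly distributed. */
double arcfour_failure_probability(unsigned long n_messages)
{
    return 1.0 - pow_double(1.0 - arcfour_weak_key_fraction(), n_messages);
}

int main(void)
{
    /* Constructed sample keys; only the first three octets matter here. */
    unsigned char k1[16] = {0x00, 0x00, 0xfd, 0x10};  /* weak family 1 */
    unsigned char k2[16] = {0x03, 0xfd, 0xfc, 0x20};  /* weak family 2 */
    unsigned char k3[16] = {0x00, 0x00, 0xfc, 0x30};  /* not weak */
    unsigned long counts[] = {1000UL, 100000UL, 1000000UL, 8388608UL};
    size_t i;

    printf("k1 weak: %d  k2 weak: %d  k3 weak: %d\n",
           arcfour_key_is_weak(k1, sizeof(k1)),
           arcfour_key_is_weak(k2, sizeof(k2)),
           arcfour_key_is_weak(k3, sizeof(k3)));
    for (i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
        printf("P(failure within %lu messages) = %.4f\n",
               counts[i], arcfour_failure_probability(counts[i]));
    return 0;
}
```

Running the program shows why the failure looks random from the application's point of view: roughly 1% of contexts would hit a rejected key within 100,000 messages, about 11% within a million, and about 63% within 2^23 messages, with no way for the caller to retry since the sequence number that produced the key has already been consumed. Removing the check, as the commit below does, is the only change that makes every per-message key usable.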
      Mon Mar 28 19:35:54 2011  ghudson - Target_Version 1.9.1 added    
      Mon Mar 28 19:35:54 2011  ghudson - Status changed from new to review    
      Mon Mar 28 19:35:54 2011  ghudson - Tags pullup added    
      Mon Mar 28 19:35:54 2011  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: SVN Commit


Remove the weak key checks from the builtin rc4 enc provider.  There
is no standards support for avoiding RC4 weak keys, so rejecting them
causes periodic failures.  Heimdal and Microsoft do not check for weak
keys.  Attacks based on these weak keys are probably thwarted by the
use of a confounder, and even if not, the reduction in work factor is
not terribly significant for 128-bit keys.


https://github.com/krb5/krb5/commit/8418de0b6af1f2aba708ae13cdd02a597cff648d
Commit By: ghudson
Revision: 24750
Changed Files:
U   trunk/src/lib/crypto/builtin/enc_provider/rc4.c


      Thu Jun  9 17:08:43 2011  tlyu - Status changed from review to resolved    
      Thu Jun  9 17:08:44 2011  tlyu - Version_Fixed 1.9.2 added    
      Thu Jun  9 17:08:44 2011  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


pull up r24750 from trunk

 ------------------------------------------------------------------------
 r24750 | ghudson | 2011-03-28 19:35:54 -0400 (Mon, 28 Mar 2011) | 11 lines

 ticket: 6886
 target_version: 1.9.1
 tags: pullup

 Remove the weak key checks from the builtin rc4 enc provider.  There
 is no standards support for avoiding RC4 weak keys, so rejecting them
 causes periodic failures.  Heimdal and Microsoft do not check for weak
 keys.  Attacks based on these weak keys are probably thwarted by the
 use of a confounder, and even if not, the reduction in work factor is
 not terribly significant for 128-bit keys.

https://github.com/krb5/krb5/commit/4271a27907c9bc63528e1dae410a883d74b114b5
Commit By: tlyu
Revision: 24951
Changed Files:
U   branches/krb5-1-9/src/lib/crypto/builtin/enc_provider/rc4.c


      Wed Dec 16 18:02:57 2015  tlyu - Keyword pullup deleted