Skip Menu |
 

From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: nonce needs to be random
Date: Thu, 01 Feb 2007 07:16:49 -0500


RFC 4120 requires that the nonce be random. Our implementation uses
the current time. We should fix this both in the TGS and AS code.

--Sam
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5425] nonce needs to be random
Date: Thu, 01 Feb 2007 11:48:27 -0500
From: Ezra Peisach <epeisach@MIT.EDU>
RT-Send-Cc:

Be careful... I have another issue on record in the database - the nonce
is required to be an unsigned int 32 on the wire...


We are currently encoding this as an integer on the wire...

We need to make sure to know what would happen if an old client and new server
are talking - or a new client/old server wrt to encoding.

To make matters worse - I know that Heimdal is also using an integer. Their
integer handling code is not as generous as ours... If we send an unsigned integer
with the high bit set - then ASN.1 needs I believe 5 bytes for an unsigned integer
and four for a signed... The Heimdal code will reject the encoding.

One solution - which I believe Heimdal uses is that the nonces are randomly
chosen and the high bit masked off... Not an ideal solution...

So - yes the change is needed - but we need to be careful on how it is done...

Ezra
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #5425] nonce needs to be random
Date: Sun, 4 Feb 2007 18:04:52 -0500
To: rt@krbdev.mit.edu
RT-Send-Cc:
On Feb 1, 2007, at 11:48, Ezra Peisach via RT wrote:
Show quoted text
> Be careful... I have another issue on record in the database - the
> nonce
> is required to be an unsigned int 32 on the wire...

Show quoted text
> To make matters worse - I know that Heimdal is also using an
> integer. Their
> integer handling code is not as generous as ours... If we send an
> unsigned integer
> with the high bit set - then ASN.1 needs I believe 5 bytes for an
> unsigned integer
> and four for a signed... The Heimdal code will reject the encoding.
>
> One solution - which I believe Heimdal uses is that the nonces are
> randomly
> chosen and the high bit masked off... Not an ideal solution...

No, it's not, but a 31-bit nonce is better than a fairly predictable
32-bit timestamp.

Ken
From: raeburn@mit.edu
Subject: SVN Commit
* include/k5-platform.h: Add load_{16,32,64}_n for loading values from
(possibly unaligned) memory in native order.
* lib/krb5/krb/get_in_tkt.c (krb5_get_init_creds): Fetch four random
bytes from the crypto library and generate a 31-bit (non-negative)
nonce, instead of using the timestamp.

Commit By: raeburn



Revision: 19223
Changed Files:
U trunk/src/include/k5-platform.h
U trunk/src/lib/krb5/krb/get_in_tkt.c
From: raeburn@mit.edu
Subject: SVN Commit
Use "unsigned __int{16,32}" types for Windows in load_{16,32}_n, per Kevin.

Commit By: raeburn



Revision: 19227
Changed Files:
U trunk/src/include/k5-platform.h