Subject: PRF for non-AES enctypes
CC: kamada@nanohz.org
I've modified our software (racoon2's kinkd) to use krb5_c_prf()
instead of our own PRF implementations, and noticed that krb5_c_prf()
supports only AES etypes. Why not for other etypes?

At least des3-cbc-sha1-kd is easy with the attached patch.
It is interoperating with ours well.

# If there are any interests in des etypes, I'll send them as well.
Attachment: des3-prf.diff (application/octet-stream, 1.2KiB)

Date: Mon, 6 Apr 2009 17:16:07 +0900 (JST)
Message-Id: <200904060816.n368G7Gn017630@localhost.tahi.org>
To: krb5-bugs@mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd
From: Yukiyo Akisada <akisada@tahi.org>
Cc: akisada@tahi.org


>Submitter-Id: net
>Originator: Yukiyo Akisada
>Organization:
TAHI Project
>Confidential: no
>Synopsis: PRF doesn't work under des3-cbc-hmac-sha1-kd environment
>Severity: serious
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.6.3
>Environment:
Panasonic CF-R7, FreeBSD 7.0-RELEASE-p6, krb5-1.6.3_5 (installed from FreeBSD ports system)
System: FreeBSD localhost.tahi.org 7.0-RELEASE-p6 FreeBSD 7.0-RELEASE-p6 #0: Tue Dec 9 16:22:14 JST 2008 akisada@bahamut.akisada.net:/usr/obj/usr/src/sys/TAHI i386


>Description:
Hi, all.

I may misunderstand RFC 3961,
but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
PRF on Simplified Profile as its pseudo-random function.

Now, I want to use PRF function
from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.

Krb5: <http://search.cpan.org/dist/Krb5/>

But, PRF function for ENCTYPE_DES3_CBC_SHA1 has not been
defined in <krb5-1.6.3/src/lib/crypto/etypes.c>.

Indeed,
I need some modification into Krb5-1.8 to export prf function from krb5-1.6.3,
but I also need the following modification into krb5-1.6.3.

In this moment,
the following modification (at Fix section) matches with my expected behavior,
but I'm not sure whether this modification against krb5-1.6.3 is correct or not.

Please investigate this.

Thanks,

>How-To-Repeat:
just by calling krb5_c_prf() function under des3-cbc-hmac-sha1-kd
>Fix:
--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01 17:02:56.000000000 +0900
+++ krb5-1.6.3/src/lib/crypto/etypes.c 2009-04-01 14:42:01.000000000 +0900
@@ -94,26 +94,26 @@
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },

{ ENCTYPE_DES_HMAC_SHA1,
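Review bot: the prf_length field goes from 8 to 16 in all three ENCTYPE_DES3_CBC_SHA1 entries with nothing in the table saying where 16 comes from, and callers depend on it directly because krb5_c_prf() rejects any output buffer whose length differs from this value. Add a short comment beside the field (for example, that it is the 20-byte SHA-1 output truncated to whole 8-byte DES3 blocks) and confirm the length against the peer implementations that must interoperate before it becomes part of the API contract.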
Date: Tue, 7 Apr 2009 09:06:24 +0900 (JST)
Message-Id: <200904070006.n3706OGw002158@bahamut.akisada.net>
To: krb5-bugs@mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd
From: Yukiyo <akisada@tahi.org>
Cc: akisada@tahi.org


>Submitter-Id: net
>Originator: Yukiyo Akisada
>Organization:
TAHI Project
>Confidential: no
>Synopsis: PRF doesn't work under des3-cbc-hmac-sha1-kd
>Severity: serious
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.6.3
>Environment:
Panasonic Let's Note CF-R7, FreeBSD 7.0-RELEASE-p6, Kerberos client, p5-Authen-Krb5-1.8/krb5-1.6.3_5 (installed from FreeBSD ports system)
System: FreeBSD bahamut.akisada.net 7.0-RELEASE-p6 FreeBSD 7.0-RELEASE-p6 #0: Tue Dec 9 16:22:14 JST 2008 akisada@bahamut.akisada.net:/usr/obj/usr/src/sys/TAHI i386


>Description:
Hi, all.

I may misunderstand RFC 3961,
but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
PRF on Simplified Profile as its pseudo-random function.

Now, I want to use PRF function
from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.

Krb5: <http://search.cpan.org/dist/Krb5/>

But, PRF function for ENCTYPE_DES3_CBC_SHA1 has not been
defined in <krb5-1.6.3/src/lib/crypto/etypes.c>.

Indeed,
I need some modification into Krb5-1.8 to export prf function from krb5-1.6.3,
but I also need the following modification into krb5-1.6.3.

In this moment,
the following modification (described at Fix: section) matches with my expected behavior,
but I'm not sure whether this modification against krb5-1.6.3 is correct or not.

Please investigate this.

Thanks,
>How-To-Repeat:
just by calling krb5_c_prf() function under des3-cbc-hmac-sha1-kd
>Fix:
--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01 17:02:56.000000000 +0900
+++ krb5-1.6.3/src/lib/crypto/etypes.c 2009-04-01 14:42:01.000000000 +0900
@@ -94,26 +94,26 @@
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },

{ ENCTYPE_DES_HMAC_SHA1,
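Review bot: the same two-line edit is repeated by hand in the canonical entry and in both alias entries ("des3-hmac-sha1" and "des3-cbc-sha1-kd"), and the patch touches only etypes.c, so nothing checks that the three entries stay in step or that the PRF output matches what a peer computes. Add a regression test that calls krb5_c_prf() with an ENCTYPE_DES3_CBC_SHA1 key and a fixed input and compares both the output length and the bytes against an expected value.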
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6440] PRF doesn't work under des3-cbc-hmac-sha1-kd environment
From: Sam Hartman <hartmans@mit.edu>
Date: Tue, 07 Apr 2009 10:47:46 -0400
RT-Send-Cc:
Based on the discussions on the ietf-krb-wg list, I'd expect the DES3
PRF output to be 8 bytes not 16.
What environment do you have where you would expect 16 bytes?
Date: Wed, 8 Apr 2009 17:17:54 +0900
From: Yukiyo Akisada <akisada@tahi.org>
To: rt-comment@krbdev.mit.edu
CC: akisada@tahi.org
Subject: Re: [krbdev.mit.edu #6440] PRF doesn't work under des3-cbc-hmac-sha1-kd environment
RT-Send-Cc:
Hi, Sam.

Actually, I'm developing RFC 4430 (KINK) protocol conformance tester
which uses krb5-1.6.3 as the Kerberos engine.
And I'm using kinkd in Racoon2 as the counterpart implementation now.

* Racoon2 is IKEv1/IKEv2/KINK IPsec daemon developed by The Racoon2
Project which is one of WGs in WIDE Project in Japan.

<http://www.racoon2.wide.ad.jp/>

Racoon2 has its own PRF function, and the function expects 16 bytes PRF.

Now, I changed prf_length from 16 bytes to 8 bytes
in krb5_enctypes_list for ENCTYPE_DES3_CBC_SHA1 on my side (MIT Kerberos
implementation).
But I think that MIT Kerberos implementation itself still expects 16
bytes PRF.

I performed following 2 tests under this environment.

test 1)

When I use 8 bytes output buffer for generated PRF,
following validation is not passed.

<krb5-1.6.3/src/lib/crypto/enc_provider/des3.c: validate_and_schedule()>
43 if (input->length != output->length)
44 return(KRB5_BAD_MSIZE);

test 2)

When I expect 16 bytes output buffer for generated PRF
(prf_length is still set 8 bytes),
following validation is not passed.

<krb5-1.6.3/src/lib/crypto/prf.c: krb5_c_prf()>
80 krb5_c_prf_length (context, key->enctype, &len);
81 if( len != output->length)
82 return (KRB5_CRYPTO_INTERNAL);

For the reason of above failure,
I found the following code in krb5int_dk_prf() function.

<krb5-1.6.3/src/lib/crypto/dk/dk_prf.c: krb5int_dk_prf()>
48 tmp.length = hash->hashsize;
49 tmp.data = malloc(hash->hashsize);
50 if (tmp.data == NULL)
51 return ENOMEM;
52 hash->hash(1, in, &tmp);
53 tmp.length = (tmp.length/enc->block_size)*enc->block_size; /*truncate to block size*/

The initial tmp.length (line 48) is 20 bytes under des3-cbc-hmac-sha1-kd.
At the same time, enc->block_size is 8 bytes.
Finally, tmp.length (line 53) will be 16 bytes.

This buffer (tmp) will be passed into enc->encrypt(), that is
k5_des3_encrypt().

That is why I guess that MIT implementation expects 16 bytes PRF.

What do you think?

Regards,


On Tue, 7 Apr 2009 14:47:53 +0000 (UTC)
"Sam Hartman via RT" <rt-comment@krbdev.mit.edu> wrote:

> Based on the discussions on the ietf-krb-wg list, I'd expect the DES3
> PRF output to be 8 bytes not 16.
> What environment do you have where you would expect 16 bytes?


--
Yukiyo Akisada <akisada@tahi.org>
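
The two failing tests described in the message above can be reproduced with a small model of the three length computations it quotes. This is an added example, not code from the post or from krb5; `etype_model`, `model_prf` and the `PRF_*` status names are hypothetical stand-ins, and the order of the checks follows the call order the message describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the two krb5 error codes quoted in the message. */
enum prf_status { PRF_OK, PRF_CRYPTO_INTERNAL, PRF_BAD_MSIZE };

/* Hypothetical model of one enctype table entry (not the krb5 struct). */
struct etype_model {
    size_t hashsize;    /* 20 for SHA-1 */
    size_t block_size;  /* 8 for DES3 */
    size_t prf_length;  /* value under discussion: 8 or 16 */
};

/* dk_prf.c line 53: hash output truncated to whole cipher blocks. */
size_t dk_prf_tmp_len(const struct etype_model *e)
{
    return (e->hashsize / e->block_size) * e->block_size;
}

/* Apply the quoted checks in call order for an out_len-byte buffer. */
enum prf_status model_prf(const struct etype_model *e, size_t out_len)
{
    if (e->prf_length != out_len)        /* prf.c lines 80-82 */
        return PRF_CRYPTO_INTERNAL;
    if (dk_prf_tmp_len(e) != out_len)    /* des3.c lines 43-44 */
        return PRF_BAD_MSIZE;
    return PRF_OK;
}

/* Smallest buffer size up to max that passes both checks, 0 if none. */
size_t usable_out_len(const struct etype_model *e, size_t max)
{
    size_t n;
    for (n = 1; n <= max; n++)
        if (model_prf(e, n) == PRF_OK)
            return n;
    return 0;
}

int main(void)
{
    struct etype_model des3_8 = { 20, 8, 8 }, des3_16 = { 20, 8, 16 };
    printf("prf_length=8:  usable output size %zu\n", usable_out_len(&des3_8, 64));
    printf("prf_length=16: usable output size %zu\n", usable_out_len(&des3_16, 64));
    return 0;
}
```

With prf_length set to 8 no buffer size satisfies both checks, which is the situation tests 1 and 2 ran into; with 16 the only size that passes is 16.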
To: rt@krbdev.mit.edu
CC: kamada@nanohz.org
Subject: [krbdev.mit.edu #5587] DES PRF
Date: Wed, 29 Apr 2009 18:29:58 -0400 (EDT)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:
Hi. In your patch in ticket 5587 you indicated that you could send along DES diffs if we wanted them.
How difficult would that be to do?
If you can send us DES diffs in the next day or so we'd really appreciate them.

--Sam
Date: Thu, 30 Apr 2009 10:48:39 -0500
From: KAMADA Ken'ichi <kamada@nanohz.org>
To: hartmans@mit.edu
CC: rt@krbdev.mit.edu, kamada@nanohz.org
Subject: Re: [krbdev.mit.edu #5587] DES PRF
RT-Send-Cc:
I dug around my old working copies and found this patch.
Please find attached two files.
I do not remember if I did any test on these single-DES etypes.

# I completely forgot about the fact that I have sent this report...

# The changes of prf_length (8 to 16) should be perhaps ignored.
# The PRFs of single-DES etypes do not use them anyway.

Ken'ichi
Attachment: des-prf.diff (application/text, 1.4KiB)
Attachment: des_prf.c (application/text, 1.9KiB)

From: hartmans@mit.edu
Subject: SVN Commit

Implement DES and 3DES PRF. Patch from KAMADA Ken'ichi

Currently the DES and 3DES PRF output 16-byte results. This is
consistent with RFC 3961, but we need to confirm it is consistent with
Heimdal and WG decisions. See IETF 74 minutes for some discussion of
the concern as it applies to AES and thus possibly all simplified
profile enctypes.

https://github.com/krb5/krb5/commit/6991564a69ba53b12c4efdcc9daf85041f0e2697
Commit By: hartmans
Revision: 22298
Changed Files:
U trunk/src/lib/crypto/des/Makefile.in
U trunk/src/lib/crypto/des/des_int.h
A trunk/src/lib/crypto/des/des_prf.c
U trunk/src/lib/crypto/etypes.c
U trunk/src/lib/crypto/t_cf2.comments
U trunk/src/lib/crypto/t_cf2.expected
U trunk/src/lib/crypto/t_cf2.in
From: tlyu@mit.edu
Subject: SVN Commit

pull up r22298 from trunk

------------------------------------------------------------------------
r22298 | hartmans | 2009-04-30 16:17:42 -0400 (Thu, 30 Apr 2009) | 10 lines
Changed paths:
M /trunk/src/lib/crypto/des/Makefile.in
M /trunk/src/lib/crypto/des/des_int.h
A /trunk/src/lib/crypto/des/des_prf.c (from /trunk/src/lib/crypto/dk/dk_prf.c:22295)
M /trunk/src/lib/crypto/etypes.c
M /trunk/src/lib/crypto/t_cf2.comments
M /trunk/src/lib/crypto/t_cf2.expected
M /trunk/src/lib/crypto/t_cf2.in

ticket: 5587
Tags: pullup

Implement DES and 3DES PRF. Patch from KAMADA Ken'ichi

Currently the DES and 3DES PRF output 16-byte results. This is
consistent with RFC 3961, but we need to confirm it is consistent with
Heimdal and WG decisions. See IETF 74 minutes for some discussion of
the concern as it applies to AES and thus possibly all simplified
profile enctypes.

https://github.com/krb5/krb5/commit/83b94e13d92d4a2102b390eb0c4f66ecd83db918
Commit By: tlyu
Revision: 22335
Changed Files:
U branches/krb5-1-7/src/lib/crypto/des/Makefile.in
U branches/krb5-1-7/src/lib/crypto/des/des_int.h
A branches/krb5-1-7/src/lib/crypto/des/des_prf.c
U branches/krb5-1-7/src/lib/crypto/etypes.c
U branches/krb5-1-7/src/lib/crypto/t_cf2.comments
U branches/krb5-1-7/src/lib/crypto/t_cf2.expected
U branches/krb5-1-7/src/lib/crypto/t_cf2.in