Rocksolid Light

Welcome to RetroBBS

mail  files  register  newsreader  groups  login

Message-ID:  

In computing, the mean time to failure keeps getting shorter.

devel / comp.protocols.kerberos / Re: RFC 4121 & acceptor subkey use in MIC token generation

SubjectAuthor
o Re: RFC 4121 & acceptor subkey use in MIC token generationNico Williams

1
Re: RFC 4121 & acceptor subkey use in MIC token generation

<mailman.15.1698249486.2263420.kerberos@mit.edu>

  copy mid

https://www.rocksolidbbs.com/devel/article-flat.php?id=391&group=comp.protocols.kerberos#391

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail
From: nico@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Wed, 25 Oct 2023 10:57:14 -0500
Organization: TNet Consulting
Lines: 13
Message-ID: <mailman.15.1698249486.2263420.kerberos@mit.edu>
References: <202310241950.39OJoa0Z000708@hedwig.cmf.nrl.navy.mil>
<3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu> <ZTiT0ub2uv5A/b4E@ubby21>
<202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
<ZTk62q0DIAZmW0eL@ubby21>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Injection-Info: tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50";
logging-data="17300"; mail-complaints-to="newsmaster@tnetconsulting.net"
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Authentication-Results: mit.edu; dmarc=none (p=none dis=none)
header.from=cryptonector.com
Authentication-Results: mit.edu; arc=pass smtp.remote-ip=18.9.3.18
ARC-Seal: i=4; a=rsa-sha256; d=mit.edu; s=arc; t=1698249484; cv=pass;
b=12nuhxxWkpu3+nLAceV3aFuXYumOqBtZh+FUWoyCtsDNZL4YsaewYiU+HqQHMtsWSpFcWjtXe6kc2j1LVbfHBbuHuisOTen11bUk53sW4JxIkEGQuzTmzigjPMdOiNBeXcvUzaJWtnON7iCIJuZXe+l5EKM4F2fLJlFg/17tpoZ1NtLqOYRZlIDJMDtjqcSb5aQll4vY9k7EN3HiDCXwEGna/9bFejYjkbfcckXlFZ1IdRaC2t8Z+mucinHTRGPZUID9FwHUpQgebUCdcjdPiFHMZbNZCBiXb/SD8/4r0qi1W9Vm6yjiaFv67ERjuEYP9dDbLEV/zvHHx1bbRS1zZA==
ARC-Message-Signature: i=4; a=rsa-sha256; d=mit.edu; s=arc; t=1698249484;
c=relaxed/relaxed; bh=tWaeB9M4n8J+gjqvOxJNNw5mwSP2hwyPvCSOKlp2jTc=;
h=Date:From:Subject:Message-ID:MIME-Version:Content-Type;
b=bn3UE1WjTy+PXtkRd1/yfeAdCEmAv4Sgkxapq0hUItNJl8fkQACfxy3W9BoK+mOB1Xk5CroDfTJrx2+PmnIo3X31aRwbtCNEGBqz9CRaWvr5hfcxq7VPWaoUzmGT1doOKqj0X5LEd7e2S7QrVZb7HnZMt2Ok9JLkxQgfb9H3D2luqmBAaoiI9IjusrvN9Z32UYksCB2ATxNUrcSAU0W0lJbc4NZZxip3Br7ipTSK3yVwEZewxgyWPME558T2v3NGmoOfznMJTxvzHODJZTAJZc4Ex0Z52gIxMh9XL6ii0tr3T38ChaKkrU+aTAXmD7Hbx3ssOj+f4jijaWBUl9P64A==
ARC-Authentication-Results: i=4; mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=j3Ae4Ctj;
dkim=pass (2048-bit key;
unprotected) header.d=cryptonector.com header.i=@cryptonector.com
header.a=rsa-sha256 header.s=dreamhost header.b=hKSYa9rJ
Authentication-Results: mit.edu; dkim=pass (1024-bit key;
unprotected) header.d=mitprod.onmicrosoft.com
header.i=@mitprod.onmicrosoft.com header.a=rsa-sha256
header.s=selector2-mitprod-onmicrosoft-com header.b=j3Ae4Ctj;
dkim=pass (2048-bit key;
unprotected) header.d=cryptonector.com header.i=@cryptonector.com
header.a=rsa-sha256 header.s=dreamhost header.b=hKSYa9rJ
ARC-Seal: i=3; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
b=ccc47wV+zJ1eg4HeRrJzjQZnzEGObW+JV/PxIV7GH/J3umYft4ZeDWclNS50LQockTx0jfAzAobR1KkcvVOM1d4QjOo2T3shK9KPylF+IR8Ydjttv5k1mSMKRCxxnWsqYTFZiA10EVX8g1yra/tY5X1PmMG211NfcSmcWMZleTP4Iet0pN7eElyIkoa25r41bLRcALIjPpy3EUeU58iyavPYJeyiqmY1Y36cnPGZGYHIt6IkesB8ZBk/vkNTufYkM3szSo0W3fIEgh3DChNdzx6TIqs+9nt9ZpZKC8eDEqGad82RvY+oq7b+ee/rj+OdLr5qcszhhjOXpvH085ttUw==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=tWaeB9M4n8J+gjqvOxJNNw5mwSP2hwyPvCSOKlp2jTc=;
b=PlMsExiBdvJ2Z/kQh1ZAriw9X4OIK4ay1iYzWZ1TUWZK5PiMPH1UiKTvv59EW5725qdr0UFtbaPDKRephwa43CXOgkmUbEjsgjElsVZ9xL4U2WJWb8ADb4UilyuzNNI6Gti0HCRLbDEAb09qX2elSy14bWwBuGfxZxKNEWTdFOYiIvu02sDUF7l5CiTC7aWTBOYPq4ZYCPCJ/yfyxG/8QGvL5gnwIzPvTT7GgYFyjyUDWBNx8fuBTwsfXuKTxCnM6UtDFzZb52M0EzkEeQ3KyuXvl+DXnfgzQwIXADeLtQVLbMEQ1FJHjU9VHAVwyukKY973EsHgrWqb4b+kolanXw==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is
23.83.215.3) smtp.rcpttodomain=mit.edu smtp.mailfrom=cryptonector.com;
dmarc=bestguesspass action=none header.from=cryptonector.com; dkim=pass
(signature was verified) header.d=cryptonector.com; arc=pass (0 oda=0 ltdi=0
93)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=mitprod.onmicrosoft.com; s=selector2-mitprod-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=tWaeB9M4n8J+gjqvOxJNNw5mwSP2hwyPvCSOKlp2jTc=;
b=j3Ae4CtjdDoEvxKDJSK0gHlTW79MnMpmwOnS8EgUqo1YYTthrDHmVxzmqjdoBAgWmhcFluzQbDSKGpXBxGD/SWuvrEwg7MWBkHNPIwp9OAEA4uKirbNgcyzfMxXxHgeYxCkWKT0l74jAz3dKOd9htsGWQvNxfeQYKzlPS1zlfkQ=
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
b=nSJ2cGKjbU7E32xJl9sxzPGJShi+0qP0nzU/q0XnO43PcU7qNyfrBq29OvmkIXZLwtNZ1cv+vpzGEoE5OBfprTwZy/43F++cascqwhG7prB6Z1WS3omqWbbVt2NpcHZJntN7LhtXQ1L7RJsIYx106FYpvvNtk0Wj90NAgcYWMZJdwNIhjbfXPg+UkAcv4mne+Q/AzjNBl5w4jtEkMx2+H85ZBRPPiu2yQ8SvL1lbIiZu6zYibBIN2MLtVRlv9sXduGLln2qFd4DmtNnOjggCfiG2xJ4C8NYVM2lB1qGT/Q3B6PZXNp3rNDa8WsELp6o1gQWqyhIas3847UhzHTSfaQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=tWaeB9M4n8J+gjqvOxJNNw5mwSP2hwyPvCSOKlp2jTc=;
b=lT1jiIMxzjmYQvjZiOJTTy2TECvxUP96yiBNj+K8BnQHfYD3FZ/yho6ueKnvDSZHXlLzMYgzdcspGeAdhc1hndHNdE8Jz4TxC15vzdunfNQCFBFExIVARVfEZeMt142lO+sdzfiJEIRNMinDlGwuGcGZtykSkaBo1KW04WB5ropitTbt1YZ1Lbv2nfFMSJrL4DDeY40yHZKy9+TAEQEHXMdMXluSKy7/RzphMjO8MFrHXS95IAfBefbYUR/Js5TPinTS2BalOHfWV+lSYazVL92gAphoRqQnIMmTftkqiqLOFXXyQ6pJCPlvVf1lFmFqulqS4lv8KobSyCeYXGWqJQ==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
23.83.215.3) smtp.rcpttodomain=mit.edu smtp.mailfrom=cryptonector.com;
dmarc=bestguesspass action=none header.from=cryptonector.com; dkim=pass
(signature was verified) header.d=cryptonector.com; arc=pass (0 oda=0 ltdi=0
93)
Authentication-Results: spf=pass (sender IP is 23.83.215.3)
smtp.mailfrom=cryptonector.com; dkim=pass (signature was verified)
header.d=cryptonector.com;dmarc=bestguesspass action=none
header.from=cryptonector.com;
Received-SPF: Pass (protection.outlook.com: domain of cryptonector.com
designates 23.83.215.3 as permitted sender) receiver=protection.outlook.com;
client-ip=23.83.215.3; helo=anteater.oak.relay.mailchannels.net; pr=C
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1698249450; a=rsa-sha256;
cv=none;
b=VJgU75s2oyDQhAgKFBVEgTAV/854Q8WtQ1srnmQjJkAAzEjbrf8WOGhVaESOaPGbeS5RYf
9wiJL/Z4ScErh7d5Qu2CQxjIN68Q3GyS9+Z9eugAlJ9P9zTDeRVs+NUtKPAf2nGa0CsOkN
zUrRQWWkJjoXlONbHIMP/tYf97Q3M5AwOI8HkHCEoSDJl2ZOkIgm8VxGRqel/7MJY2Kbk5
LW4QcrlT8S2ZA4jL9qYeLBeYkKnKIddsqfKJYbdqtjOhxn1uhK0vhtzv/5m1/mjYV+yRxO
rhxr7Fempu9rNaAtie249nAnaAghPz7idRkTx/Y+uxhOWRHrySdTdMlyjHH5ZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=mailchannels.net; s=arc-2022; t=1698249450;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:content-type:content-type:
in-reply-to:in-reply-to:references:references:dkim-signature;
bh=tWaeB9M4n8J+gjqvOxJNNw5mwSP2hwyPvCSOKlp2jTc=;
b=pY2qTbarxuEs2pYXFU9JIHEMS0B4U0j3dtlhqwK9b3bX9M7yqmDCjshWaqXPt6raap9gwW
p9qJrEYl0c9KY6lVa2imm/ykOopDh/JIOdQDPK/T5U/7xDbYV1XNECgWpQle9D3KBE7FI7
RoYivcXwZv0GAMCucwNb6r79mGiRRN+LLRSuIALAgbSEcQN34PIz7m3dsKLQI0KonxFla1
LWOClXKkiBuI57YTsVGOdXRYfc2PJSI+2nSQJVKqInEulfdgXgbvW9nTAFyGxv/mjPfXua
76hbujTmHdeDe6iKZCRrbXzq19+2l8BGSRlixe4Xjo9pFjfFkDyTEdfrCWr3Fw==
ARC-Authentication-Results: i=1; rspamd-86646d89b6-cs28l;
auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com;
s=dreamhost; t=1698249437;
bh=tWaeB9M4n8J+gjqvOxJNNw5mwSP2hwyPvCSOKlp2jTc=;
h=Date:From:To:Cc:Subject:Content-Type;
b=hKSYa9rJ0yj6StWkjSleHp6fCtZqYxbPPGOgOQiLnD3XMHyX3Vlyqmwo2Akl4Z2BL
/nJGtdtr3vbEyaW6Fihn0cW2vQbfSEAUuBQczEsYPEQ+M8MytYHL1eeCCUFY2ts/2Q
1pk/zsp28TZ7qND3StDGsVmqfOdwtd97l6N4UPBx6ygaVnWqnVckMd4t/wrXLfa0g4
h8KoZhQtzUvq2HOcfN92wjY0dSnY1Ily9tFc+z4Jnuu4flJRsT4DZOWI5q04YaSjRi
2RmRe308lXF0QgKf8QWRI7zngZVvzMUa2uMI8jb1fbXcyPjsVhdeLVlI0PzZoJBv2L
0BNnAzN1GtY7Q==
Content-Disposition: inline
In-Reply-To: <202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPF0000EE39:EE_|DM8PR01MB6918:EE_
X-MS-Office365-Filtering-Correlation-Id: d18db304-c651-404c-f74a-08dbd573298a
X-LD-Processed: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b,ExtAddr
X-MS-Exchange-AtpMessageProperties: SA
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: C+0v89UgCydhqdX2ObcIGNtsmAyLpEoVqa3fBClRtgxMSKYnf9mKEcAOGEB1hO0lfVrRLuukC5Z1fBfGNn8cKubkGpw0RrFLI3boArYOMqI6kZimODFTvwPBmiRO8vbxQw078oh3d2UoCKsH++ePoCINGUl87NCncfutdcIecR4/E7RxULuxVvF3mAuuO9CtrZgpb32rkZnd0vrD7iJYK9hx+LS7hQwnpXElomLVmtdH416u7RbXHlMVlYI5dtT9zu2pG+AajClWRJJXGwfe8DcaaKKFk66vU9Eh1GU/Sijc86woyHRZUU3Uf2eB3vfcS2IY9esp7WKT1iGZd1x0dUIeQWj3EObqaCogqfmmRrTv8DY2+7clf1ACXiCePZiWfbO40LepX7Ckx8SiDOvFyHPJq660vTdggFVzpmyhPezp0ypVU+TWAkWi+2L5kaIHaD6LaQ9n5Q1W/v+tBs4Zrz0m2+uAgKk16TZSp4Hh8BtR5p0dBN0xfbpe0wOZaP93Ce1uKABZRGUBkf2c3XG0YmuMK4VkYN/ilg4zRd7cS3F1G6kU4jEiqJi/it0rrYuokDXfWt221oJxZMj/B769guRZUh5kiN0wLpUgH0YL22IRvZunXuMEXhIcfV4tRfgTrcgeYzyaojkPpw9eeeOQF3wXsgEb25osei42rnr4NQ5c36AF9PsiqSMLDALpYiW/O3ciL2QxUKmvolVAw54nMA==
X-Forefront-Antispam-Report: CIP:23.83.215.3; CTRY:CA; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:anteater.oak.relay.mailchannels.net;
PTR:anteater.oak.relay.mailchannels.net; CAT:NONE;
SFS:(13230031)(4636009)(396003)(136003)(39860400002)(376002)(346002)(64100799003)(451199024)(48200799006)(61400799006)(5660300002)(55016003)(6666004)(26005)(7596003)(83380400001)(336012)(6266002)(4744005)(956004)(7636003)(356005)(86362001)(33716001)(2906002)(9686003)(498600001)(68406010)(316002)(786003)(70586007)(4326008)(8676002)(6862004)(9576002);
DIR:OUT; SFP:1102;
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Oct 2023 15:57:58.5173 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: d18db304-c651-404c-f74a-08dbd573298a
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-AuthSource: CY4PEPF0000EE39.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR01MB6918
X-OriginatorOrg: mitprod.onmicrosoft.com
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Unsubscribe: <https://mailman.mit.edu/mailman/options/kerberos>,
<mailto:kerberos-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
List-Post: <mailto:kerberos@mit.edu>
List-Help: <mailto:kerberos-request@mit.edu?subject=help>
List-Subscribe: <https://mailman.mit.edu/mailman/listinfo/kerberos>,
<mailto:kerberos-request@mit.edu?subject=subscribe>
X-Mailman-Original-Message-ID: <ZTk62q0DIAZmW0eL@ubby21>
X-Mailman-Original-References: <202310241950.39OJoa0Z000708@hedwig.cmf.nrl.navy.mil>
<3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu> <ZTiT0ub2uv5A/b4E@ubby21>
<202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
 by: Nico Williams - Wed, 25 Oct 2023 15:57 UTC

On Wed, Oct 25, 2023 at 08:51:29AM -0400, Ken Hornstein wrote:
> I think we've lost the thread here; I do not think that any krb5
> mechanism today ever asserts PROT_READY before GSS_S_COMPLETE, but I
> would love to be proven wrong.

That's the whole point of being able to use the initiator sub-session
key: to allow the Kerberos GSS mechanism to assert PROT_READY on the
first call to GSS_Init_sec_context() even when mutual auth is requested.

Yes, RFC 4121 didn't say so, but it's the point.

Nico
--

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor