[cifs-protocol] Confirm kerberos key selection rules for PAC KDC signature

Andrew Bartlett abartlet at samba.org
Mon Dec 19 14:36:45 MST 2011


MS-KILE 3.3.5.3.2.3 Server Signature suggests:

The KDC creates a keyed hash ([RFC4757]) of the entire PAC message with
the Signature fields of
both PAC_SIGNATURE_DATA structures set to zero using the server account
key with the strongest
cryptography that the domain supports<30> and populates the returned
PAC_SIGNATURE_DATA
structure ([MS-PAC] section 2.8) fields as follows:

Would it not be more correct to say that the KDC creates a keyed hash
with the key with which the ticket is encrypted to the target server?
Samba has always used that key to verify the PAC.   The semantics where
the hmac-md5 keyed checksum is used to verify DES keys (rather than the
DES checksum) should also be noted here.  

Our source code comment is:
   /* If the checksum is HMAC-MD5, the checksum type is not tied to
     * the key type, instead the HMAC-MD5 checksum is applied blindly
     * on whatever key is used for this connection, avoiding issues
     * with unkeyed checksums on des-cbc-md5 and des-cbc-crc.  See
     *
http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
     * for the same issue in MIT, and
     *
http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
     * for Microsoft's explaination */

While neither of the links directly addresses the DES issue, it has come
up for us in the real world.   Given that a server may or may not
support AES based on it's supported encryption types, the statement that
it is the 'strongest cryptography that the domain supports' seems
unlikey.

Anyway, the reason I ask is to verify the behaviour for the KDC
checksum:

3.3.5.3.2.4 KDC Signatures
The KDC creates a keyed hash ([RFC4757]) of the Server Signature field
using the strongest
"krbtgt" account key and populates the returned PAC_SIGNATURE_DATA
structure field ([MS-PAC]
section 2.8) as follows:
The SignatureType SHOULD be the value ([MS-PAC] section 2.8)
corresponding to the
cryptographic system used to calculate the checksum.
The Signature field SHOULD be the keyed hash ([RFC4757]) of the Server
Signature field in the
PAC message.

Can you confirm this is correct?  I am working on a customer issue
regarding the selection of the correct encryption type here, in an
all-Samba situation, but in fixing that, I do not wish to break
interoperability with Microsoft, so clarity here would be most welcome.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



More information about the cifs-protocol mailing list