[cifs-protocol] [REG:111122055068137] Confirm kerberos key selection rules for PAC KDC signature
bburgin at microsoft.com
Thu Dec 22 11:08:23 MST 2011
[Dochelp to bcc]
I'll review this for you. We made the case 111122055068137 to track this issue.
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, December 19, 2011 1:37 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Confirm kerberos key selection rules for PAC KDC signature
MS-KILE 18.104.22.168.2.3 Server Signature suggests:
The KDC creates a keyed hash ([RFC4757]) of the entire PAC message with the Signature fields of both PAC_SIGNATURE_DATA structures set to zero using the server account key with the strongest cryptography that the domain supports<30> and populates the returned PAC_SIGNATURE_DATA structure ([MS-PAC] section 2.8) fields as follows:
Would it not be more correct to say that the KDC creates a keyed hash with the key with which the ticket is encrypted to the target server?
Samba has always used that key to verify the PAC. The semantics where
the hmac-md5 keyed checksum is used to verify DES keys (rather than the DES checksum) should also be noted here.
Our source code comment is:
/* If the checksum is HMAC-MD5, the checksum type is not tied to
* the key type, instead the HMAC-MD5 checksum is applied blindly
* on whatever key is used for this connection, avoiding issues
* with unkeyed checksums on des-cbc-md5 and des-cbc-crc. See
* for the same issue in MIT, and
* for Microsoft's explanation */
While neither of the links directly addresses the DES issue, it has come
up for us in the real world. Given that a server may or may not
support AES based on its supported encryption types, the statement that it is the 'strongest cryptography that the domain supports' seems unlikely.
Anyway, the reason I ask is to verify the behaviour for the KDC
22.214.171.124.2.4 KDC Signatures
The KDC creates a keyed hash ([RFC4757]) of the Server Signature field using the strongest "krbtgt" account key and populates the returned PAC_SIGNATURE_DATA structure field ([MS-PAC] section 2.8) as follows:
- The SignatureType SHOULD be the value ([MS-PAC] section 2.8) corresponding to the cryptographic system used to calculate the checksum.
- The Signature field SHOULD be the keyed hash ([RFC4757]) of the Server Signature field in the PAC message.
Can you confirm this is correct? I am working on a customer issue regarding the selection of the correct encryption type here, in an all-Samba situation, but in fixing that, I do not wish to break interoperability with Microsoft, so clarity here would be most welcome.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
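
The two signatures discussed in this thread, as an added example (not Samba's or Microsoft's code): it computes and verifies the server and KDC signatures with the RFC 4757 HMAC-MD5 checksum, which takes the raw key bytes regardless of the key's encryption type. It assumes both signatures are HMAC-MD5 and that the key usage is 17 (KERB_NON_KERB_CKSUM_SALT); the function names, keys and sample PAC are constructed for illustration.

```python
import hashlib, hmac, struct

HMAC_MD5 = 0xFFFFFF76           # SignatureType KERB_CHECKSUM_HMAC_MD5 (-138)
SERVER_SIG, KDC_SIG = 6, 7      # PAC_INFO_BUFFER ulType of the two signatures

def hmac_md5_checksum(key, data):
    """RFC 4757 keyed checksum: uses the raw key bytes, whatever their enctype."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    digest = hashlib.md5(struct.pack("<I", 17) + data).digest()  # assumed usage 17
    return hmac.new(ksign, digest, hashlib.md5).digest()

def signature_offsets(pac):
    """Return {ulType: offset of the 16-byte Signature field} for types 6 and 7."""
    count, _version = struct.unpack_from("<II", pac, 0)
    found = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if ul_type in (SERVER_SIG, KDC_SIG):
            if size < 20 or offset + size > len(pac):
                raise ValueError("signature buffer out of bounds")
            if struct.unpack_from("<I", pac, offset)[0] != HMAC_MD5:
                raise ValueError("only HMAC-MD5 signatures handled here")
            found[ul_type] = offset + 4
    if set(found) != {SERVER_SIG, KDC_SIG}:
        raise ValueError("PAC lacks a server or KDC signature")
    return found

def compute_signatures(pac, server_key, krbtgt_key):
    """Server sig over the PAC with both Signature fields zeroed; KDC sig over it."""
    zeroed = bytearray(pac)
    for off in signature_offsets(pac).values():
        zeroed[off:off + 16] = bytes(16)
    server_sig = hmac_md5_checksum(server_key, bytes(zeroed))
    return server_sig, hmac_md5_checksum(krbtgt_key, server_sig)

def verify_pac(pac, server_key, krbtgt_key):
    offs = signature_offsets(pac)
    server_sig, kdc_sig = (pac[offs[t]:offs[t] + 16] for t in (SERVER_SIG, KDC_SIG))
    want_server, _ = compute_signatures(pac, server_key, krbtgt_key)
    return (hmac.compare_digest(want_server, server_sig),
            hmac.compare_digest(hmac_md5_checksum(krbtgt_key, server_sig), kdc_sig))

def sample_pac(server_key, krbtgt_key):
    """Constructed PAC: one 8-byte filler buffer (type 1) plus both signatures."""
    hdr = struct.pack("<II", 3, 0) + b"".join(
        struct.pack("<IIQ", t, s, o) for t, s, o in ((1, 8, 56), (6, 20, 64), (7, 20, 88)))
    sig = struct.pack("<I", HMAC_MD5) + bytes(20)   # type + zero signature + padding
    pac = bytearray(hdr + b"FILLER!!" + sig + sig)
    pac[68:84], pac[92:108] = compute_signatures(bytes(pac), server_key, krbtgt_key)
    return bytes(pac)
```

Because the KDC signature covers only the stored server signature value, a verifier holding just the krbtgt key cannot detect a modified PAC body on its own; that detection depends on the server signature check.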