[security-dev 01324]: Code review request: 6893158: AP_REQ check should use key version number

Max (Weijun) Wang Weijun.Wang at Sun.COM
Tue Oct 20 04:10:09 UTC 2009


Hi

Please take a review at --

    http://cr.openjdk.java.net/~weijun/6893158/webrev.00

The original EncryptionKey.findKey is still used at other places for  
client side (initiator). They won't touch the kvno field.

Thanks
Max

Begin forwarded message:

> From: Weijun.Wang at Sun.COM
> Date: October 20, 2009 10:51:17 AM GMT+08:00
> Subject: CR 6893158 Created, P3 jgss/krb5plugin AP_REQ check should  
> use key version number
>
> *Synopsis*: AP_REQ check should use key version number
>
>
> === *Description*  
> ============================================================
> In Kerberos, a server side program saves long term secret keys into  
> a keytab file and uses it to authenticate AP_REQ messages sent by a  
> client. The AP_REQ is encrypted by the KDC using a key stored in  
> KDC's database. The key is identified by an encryption type and a  
> key version number so that the server can locate the correct key  
> from the keytab. Currently, Java only uses encryption type to search  
> for the key. If there are multiple keys with the same etype for a  
> given server, it's quite likely that a wrong key is returned. The  
> result is that the AP_REQ message cannot be authenticated and  
> checksum error is thrown.
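The failure mode described in the CR, as an added example that is not part of the original message or of the JDK's `EncryptionKey.findKey` code: a small Python model of a keytab holding several keys of the same etype (the usual state after a service key rotation) and of the two lookup strategies. Kerberos encryption is stood in for by an HMAC-SHA256 over the ticket body so a wrong key surfaces as a checksum mismatch; the keytab entries, principal name, ticket body and `find_key_*` function names are constructed for this example. The fallback for a ticket whose EncryptedData carries no kvno (the field is OPTIONAL in RFC 4120) goes beyond the CR text: it picks the newest key of that etype, which is a design choice of this example, not the JDK fix.

```python
"""Model of keytab key selection when verifying an AP_REQ.

Constructed example, not the JDK's own code. It shows why selecting the
server key by encryption type alone can pick the wrong key when a keytab
holds several keys of the same etype, and how matching on the key version
number (kvno) from the ticket's EncryptedData fixes that. Encryption is
replaced by an HMAC-SHA256 checksum over the ticket body.
"""
import hashlib
import hmac
from dataclasses import dataclass

AES256_CTS_HMAC_SHA1_96 = 18  # etype number assigned in RFC 3962


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    etype: int
    key: bytes


class ChecksumError(Exception):
    """Raised when the ticket does not verify under the chosen key."""


def find_key_by_etype(keytab, principal, etype):
    """Old behaviour: first entry whose principal and etype match."""
    for e in keytab:
        if e.principal == principal and e.etype == etype:
            return e
    return None


def find_key_by_etype_and_kvno(keytab, principal, etype, kvno):
    """New behaviour: match etype and kvno. If the ticket carries no kvno
    (OPTIONAL in EncryptedData), fall back to the newest key of that etype;
    this fallback is an assumption of the example, not the JDK's rule."""
    candidates = [e for e in keytab if e.principal == principal and e.etype == etype]
    if kvno is not None:
        for e in candidates:
            if e.kvno == kvno:
                return e
        return None
    return max(candidates, key=lambda e: e.kvno, default=None)


def kdc_issue_ticket(server_key: KeytabEntry, body: bytes) -> dict:
    """Stand-in for the KDC encrypting the ticket under the server's key:
    an HMAC is attached so that verifying with a wrong key is detectable."""
    mac = hmac.new(server_key.key, body, hashlib.sha256).digest()
    return {"etype": server_key.etype, "kvno": server_key.kvno, "body": body, "mac": mac}


def server_verify(keytab, principal, ticket, use_kvno: bool) -> int:
    """Verify an incoming ticket; return the kvno of the key that was used."""
    if use_kvno:
        entry = find_key_by_etype_and_kvno(keytab, principal, ticket["etype"], ticket["kvno"])
    else:
        entry = find_key_by_etype(keytab, principal, ticket["etype"])
    if entry is None:
        raise KeyError("no matching key in keytab")
    expected = hmac.new(entry.key, ticket["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["mac"]):
        raise ChecksumError(f"ticket does not verify under kvno {entry.kvno}")
    return entry.kvno


# Constructed keytab: the service key was rotated twice, so three keys of the
# same etype are present. Old entries are kept so tickets issued before the
# rotation still verify; the KDC encrypts new tickets with the newest key.
SERVICE = "HTTP/www.example.com@EXAMPLE.COM"
KEYTAB = [
    KeytabEntry(SERVICE, 1, AES256_CTS_HMAC_SHA1_96, bytes.fromhex("11" * 32)),
    KeytabEntry(SERVICE, 2, AES256_CTS_HMAC_SHA1_96, bytes.fromhex("22" * 32)),
    KeytabEntry(SERVICE, 3, AES256_CTS_HMAC_SHA1_96, bytes.fromhex("33" * 32)),
]
TICKET = kdc_issue_ticket(KEYTAB[2], b"constructed ticket body")


def demo():
    """Return (outcome of etype-only lookup, kvno used by etype+kvno lookup)."""
    try:
        server_verify(KEYTAB, SERVICE, TICKET, use_kvno=False)
        old = "ok"
    except ChecksumError:
        old = "checksum error"
    new = server_verify(KEYTAB, SERVICE, TICKET, use_kvno=True)
    return old, new


if __name__ == "__main__":
    print(demo())  # ('checksum error', 3)
```

With etype-only lookup the server picks the kvno 1 entry first and the ticket fails to verify, which is the checksum error the CR describes; with kvno matching it selects kvno 3 and succeeds. A keytab that lacks the requested kvno entirely yields no key rather than a silently wrong one, which is the right thing to report back to the operator (the keytab is stale relative to the KDC).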
