[security-dev 01328]: Re: Code review request: 6893158: AP_REQ check should use key version number

Valerie Peng Yu-Ching.Peng at Sun.COM
Tue Oct 20 23:41:58 UTC 2009


Looks fine to me.
Thanks,
Valerie

On 10/19/09 21:10, Max (Weijun) Wang wrote:
> Hi
>
> Please take a review at --
>
>    http://cr.openjdk.java.net/~weijun/6893158/webrev.00
>
> The original EncryptionKey.findKey is still used at other places for 
> client side (initiator). They won't touch the kvno field.
>
> Thanks
> Max
>
> Begin forwarded message:
>
>> From: Weijun.Wang at Sun.COM
>> Date: October 20, 2009 10:51:17 AM GMT+08:00
>> Subject: CR 6893158 Created, P3 jgss/krb5plugin AP_REQ check should 
>> use key version number
>>
>> *Synopsis*: AP_REQ check should use key version number
>>
>>
>> === *Description* 
>> ============================================================
>> In Kerberos, a server side program saves long term secret keys into a 
>> keytab file and uses it to authenticate AP_REQ messages sent by a 
>> client. The AP_REQ is encrypted by the KDC using a key stored in 
>> KDC's database. The key is identified by an encryption type and a key 
>> version number so that the server can locate the correct key from the 
>> keytab. Currently, Java only uses encrytion type to search for the 
>> key. If there are multiple keys with the same etype for a given 
>> server, it's quite likely that a wrong key is returned. The result is 
>> that the AP_REQ message cannot be authenticated and checksum error is 
>> thrown.
>




More information about the security-dev mailing list